Luca Marcelli
Ladies and gentlemen, I present you a working Remote Code Execution (RCE) exploit for the Remote Desktop Gateway (CVE-2020-0609 & CVE-2020-0610). Accidentally followed a few rabbit holes but got it to work! Time to write a blog post ;) Don't forget to patch!
Luca Marcelli Jan 26
Replying to @layle_ctf
If installing the update is not an option you should apply other measurements such as disabling UDP traffic. I'll wait a bit until people had enough time to patch before releasing this to the public :)
Luca Marcelli Jan 26
Replying to @ollypwn
Also, shoutout to for helping me out with my Denial of Service script and my vulnerability scanner!
Luca Marcelli Jan 28
Replying to @layle_ctf
I've been talking to a few professionals that are more experienced than me and I came to the conclusion that it's the best if I keep the source code private for the time being. I surely don't want to put any companies at risk!
ɯɹoʇsuoı Jan 31
Replying to @layle_ctf
hey whats the parent process that shells are popped from? svchost?
Luca Marcelli Jan 31
Replying to @ionstorm
I haven't tried to pop a shell and I'm not really working on this anymore either. The DLL is mapped into svchost.exe, which runs as network service account and doesn't have access to the filesystem which is why I don't think a shell would be easy to get. 1/2
ɯɹoʇsuoı Jan 26
Replying to @layle_ctf
Nice work
Luca Marcelli Jan 26
Replying to @ionstorm
Thank you! I was really sick the past few days and I didn't sleep to get this to work, was totally worth it though!
BenBE Jan 26
Replying to @layle_ctf
It ain't RCE if it doesn't start calc.exe … Great work!
Luca Marcelli Jan 26
Replying to @BenBE1987
Will post a video of a calc.exe pop later ;)
PO3T Jan 26
Replying to @layle_ctf @ollypwn
Isn't this the same as BlueGate exploit? (reported 2 days ago)
Luca Marcelli Jan 26
Replying to @PO3T1985 @ollypwn
He made a Denial of Service exploit and a vulnerability checker but couldn't achieve RCE yet.