
CVE-2020-0609 PoC — Microsoft Windows Input Validation Error Vulnerability

Source
Associated Vulnerability
Title: Microsoft Windows Input Validation Error Vulnerability (CVE-2020-0609)
Description: A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Gateway (RD Gateway) Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-0610.
Description
PoC (DoS + scanner) for CVE-2020-0609 & CVE-2020-0610 - RD Gateway RCE
Readme

# BlueGate

Proof of Concept (Denial of Service + scanner) for CVE-2020-0609 and CVE-2020-0610.


These vulnerabilities allow an unauthenticated attacker to gain remote code execution with the highest privileges via RD Gateway for RDP.


Please use for research and educational purpose only.


## Usage
Make sure you have [pyOpenSSL](https://www.pyopenssl.org/en/stable/) installed for Python 3.

    usage: BlueGate.py [-h] -M {check,dos} [-P PORT] host
    
    positional arguments:
      host                  IP address of host
    
    optional arguments:
      -h, --help            show this help message and exit
      -M {check,dos}, --mode {check,dos}
                            Mode
      -P PORT, --port PORT  UDP port of RDG, default: 3391


## Vulnerability

The vulnerabilities allow an unauthenticated attacker to write forward out-of-bounds on the heap by supplying an unchecked, arbitrary index parameter (`0x00 - 0xFFFF`). The data written is also attacker-controlled, with a length of up to 1000 bytes per write and a maximum of 4096 bytes during one session.
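To make the missing check concrete, here is an added example (not code from the BlueGate repository or from RD Gateway) of a constructed fragment-reassembly routine that validates the peer-supplied index and length before using them as a write position. The 16-bit index, the 1000-byte per-fragment limit and the 4096-byte per-session limit come from the paragraph above; the buffer layout, the `index * FRAG_MAX` offset mapping and all function names are assumptions of this model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model, not RD Gateway's code. Limits from the README: 16-bit
 * fragment index, at most 1000 bytes per fragment, at most 4096 bytes per
 * session. Mapping index -> offset as index * FRAG_MAX is an assumption. */
#define FRAG_MAX    1000
#define SESSION_MAX 4096

typedef struct {
    uint8_t buf[SESSION_MAX];
    size_t  received;   /* bytes accepted so far in this session */
} session_t;

enum { FRAG_OK = 0, FRAG_BAD_LEN = -1, FRAG_BAD_INDEX = -2, FRAG_QUOTA = -3 };

/* Hardened reassembly: every peer-controlled value (index, len) is checked
 * against the buffer before it is used as a write position. */
int session_add_fragment(session_t *s, uint16_t index,
                         const uint8_t *data, size_t len)
{
    if (len == 0 || len > FRAG_MAX)
        return FRAG_BAD_LEN;
    /* Widen to size_t so the multiply cannot wrap, then require the whole
     * fragment to land inside buf. Without this check an attacker-chosen
     * index becomes a forward out-of-bounds heap write. */
    size_t offset = (size_t)index * FRAG_MAX;
    if (offset >= SESSION_MAX || len > SESSION_MAX - offset)
        return FRAG_BAD_INDEX;
    if (s->received + len > SESSION_MAX)   /* per-session data cap */
        return FRAG_QUOTA;
    memcpy(s->buf + offset, data, len);
    s->received += len;
    return FRAG_OK;
}

/* Submits one fragment of constructed 'A' bytes; fresh != 0 starts a new
 * session, otherwise the fragment joins the one built up so far. */
int feed(int fresh, uint16_t index, size_t len)
{
    static session_t s;
    static uint8_t data[FRAG_MAX];
    if (fresh) memset(&s, 0, sizeof s);
    memset(data, 'A', sizeof data);
    return session_add_fragment(&s, index, data, len);
}
```

The `offset >= SESSION_MAX || len > SESSION_MAX - offset` form is deliberately written without adding `offset + len`, so the comparison itself cannot overflow.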


If you would like to read more about the vulnerabilities, check [this](https://www.kryptoslogic.com/blog/2020/01/rdp-to-rce-when-fragmentation-goes-wrong/) or read my latest tweets on [Twitter](https://twitter.com/ollypwn) with a PoC video as well.


## What is RD Gateway?

RD Gateway acts as a proxy for RDP, sitting between internal servers and the internet, so you don't have to expose RDP directly to the internet.

## Why BlueGate?


That was just the working title, and I couldn't come up with a better one at this stage.


## Todo:

- ~~Vulnerability scanner/checker~~ **DONE**

- ~~Python implementation~~ **DONE**

File Snapshot

    [4.0K] /data/pocs/69c0b5288d808d4802cce0ff5ffa93aec1cfcb43
    ├── [4.0K] BlueGate.py
    ├── [4.0K] old
    │   ├── [4.0K] BlueGate
    │   │   ├── [2.2K] BlueGate.cpp
    │   │   ├── [ 971] BlueGate.h
    │   │   ├── [8.4K] BlueGate.vcxproj
    │   │   ├── [1.0K] BlueGate.vcxproj.filters
    │   │   └── [ 165] BlueGate.vcxproj.user
    │   ├── [1.4K] BlueGate.sln
    │   ├── [1.6K] README.md
    │   └── [4.0K] Release
    │       └── [ 12K] BlueGate.exe
    └── [1.7K] README.md

    3 directories, 10 files