
CVE-2020-16898 PoC — Windows TCP/IP Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898)
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Description
CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability EXP & POC
Readme
# CVE-2020-16898
CVE-2020-16898 Windows TCP/IP Remote Code Execution Vulnerability EXP & POC

## Reproduction
forforever: https://www.cnblogs.com/forforever/p/13846077.html
## poc
**CVE-2020-16898_Checker-poc**

Command:

Start PowerShell/CMD as administrator

```
Powershell.exe -ExecutionPolicy UnRestricted -File .\CVE-2020-16898-poc.ps1
```
## exp

**cve-2020-16898-exp2**

Prerequisites: the attacker must be able to communicate with the target and must know the target's link-local IPv6 address.

Usage

Change the `dst` parameter in the code to the target's link-local IPv6 address, then run on the attacking machine:

```
python3 CVE-2020-16898.py
```

![image-20201020130144332](images/image-20201020130144332.png)

![img](images/T[XU6BDGPR287]CGSX4EM5P.png)

**CVE-2020-16898-exp1.py**

Requires the target's "IPv6 address" or "temporary IPv6 address" and your own link-local IPv6 address.

```
v6_dst = "fd15:4ba5:5a2b:1008:109f:9a46:8d19:f103"  # change to the target's IPv6 address or temporary IPv6 address
v6_src = "fe80::501a:49b7:b7d:5362%12"              # the attacker's own link-local IPv6 address
```

However, during testing I found that entering the target's link-local IPv6 address also works; I am not sure whether that is because the test was local, or whether the source IPv6 address can be spoofed.

After making the changes, run directly:

```
python3 CVE-2020-16898-exp1.py
```


File Snapshot

```
[4.0K] /data/pocs/6a1335b924bcf17c6fc769798cd01885cfbd5eef
├── [4.0K] exp
│   ├── [1.2K] CVE-2020-16898-exp1.py
│   ├── [4.0K] CVE-2020-16898-exp2
│   │   └── [4.0K] cve-2020-16898-main
│   │       ├── [1.5K] crash.py
│   │       ├── [1.5K] crash两个一样只是名字不一样.py
│   │       ├── [1.5K] CVE-2020-16898.py
│   │       ├── [4.0K] images
│   │       │   ├── [4.2K] image-20201020130144332.png
│   │       │   └── [2.7K] T[XU6BDGPR287]CGSX4EM5P.png
│   │       ├── [ 408] README.md
│   │       └── [ 408] 使用介绍.md
│   └── [1.7K] CVE-2020-16898-exp2.zip
├── [4.0K] images
│   ├── [4.2K] image-20201020130144332.png
│   ├── [ 21K] image-20201020131222234.png
│   └── [2.7K] T[XU6BDGPR287]CGSX4EM5P.png
├── [4.0K] poc
│   ├── [4.0K] CVE-2020-16898_Checker-poc但是测试感觉不好用测不出来
│   │   └── [4.0K] CVE-2020-16898_Checker-main
│   │       ├── [1.2K] CVE-2020-16898_Checker.ps1
│   │       └── [ 87] README.md
│   ├── [1.1K] CVE-2020-16898_Checker-poc但是测试感觉不好用测不出来.zip
│   ├── [1.8K] CVE-2020-16898-poc.ps1
│   └── [1.8K] CVE-2020-16898-poc.txt
├── [1.2K] README.md
└── [1.1K] 各个文件介绍和使用.md

8 directories, 19 files
```