CVE-2020-16898 PoC — Windows TCP/IP Remote Code Execution Vulnerability

Source
Associated Vulnerability
Title: Windows TCP/IP Remote Code Execution Vulnerability (CVE-2020-16898)
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer. The update addresses the vulnerability by correcting how the Windows TCP/IP stack handles ICMPv6 Router Advertisement packets.
Description
A network detection package for CVE-2020-16898 (Windows TCP/IP Remote Code Execution Vulnerability)
Readme
# "Bad Neighbor" Detection, CVE-2020-16898 (Windows TCP/IP RCE) 

## Summary:  
A network detection package for CVE-2020-16898 (Windows TCP/IP Remote Code Execution Vulnerability)

## References: 
- https://corelight.blog/2020/10/15/zeek-community-activates-to-detect-bad-neighbor-cve-2020-16898/
- https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC
- Other detection packages developed independently and concurrently by the Zeek community:
  - https://github.com/initconf/CVE-2020-16898-Bad-Neighbor/blob/master/scripts/CVE-2020-16898-Bad-Neighbor.zeek
  - https://github.com/esnet-security/cve-2020-16898

## Notices raised:

```CVE-2020-16898 exploit detected from %s. https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16898#ID0EUGAC . Details from packet for reference: info=%s , options=%s```


## Usage, notes and recommendations:
- To run the package against a pcap you already have: ```zeek -Cr scripts/__load__.zeek your.pcap```
- This package will run in clustered or non-clustered environments.

## Feedback
- As details emerge, we are keen to improve this package for the benefit of the community. Please feel free to contact the author with any suggestions and feedback.
File Snapshot

```
[4.0K] /data/pocs/7aea621b8abe4c183937b71bd8ffb3b7b5bd6969
├── [ 210] bro-pkg.meta
├── [1.5K] LICENSE
├── [1.2K] README.md
├── [4.0K] scripts
│   ├── [2.4K] CVE-2020-16898.zeek
│   └── [ 23] __load__.zeek
├── [4.0K] testing
│   ├── [4.0K] Baseline
│   │   └── [4.0K] CVE-2020-16898.pi3_poc
│   │       └── [1.5K] notice.log
│   ├── [ 567] btest.cfg
│   ├── [4.0K] CVE-2020-16898
│   │   ├── [ 196] 6in4-linklocal-hlimit-less255
│   │   ├── [ 178] ipv6-neighbor-discovery
│   │   ├── [ 200] ipv6-router-advertisement-leaving
│   │   ├── [ 147] pi3_poc
│   │   └── [ 144] RS-RA
│   ├── [4.0K] Files
│   │   └── [ 192] random.seed
│   ├── [ 28] Makefile
│   ├── [4.0K] Scripts
│   │   ├── [ 383] diff-remove-timestamps
│   │   └── [1.3K] get-zeek-env
│   └── [4.0K] Traces
│       ├── [ 444] 6in4-linklocal-hlimit-less255.pcapng.cap
│       ├── [ 424] ipv6-neighbor-discovery.pcap
│       ├── [ 544] ipv6-router-advertisement-leaving.pcapng
│       ├── [2.9K] pi3_poc.pcap
│       └── [ 828] RS-RA.pcapng
└── [ 211] zkg.meta

8 directories, 22 files
```