n1xbyte / cve-2019-0708 Goto Github PK

As the title.
Thanks again.

This is only one POC which trigger the corrupt memory.
For other POC, most of them didnt even finish sending "font list pdu", and they call it a crash POC or a part of working exploit?

Nice work bro, I guess it needs more bytes in Virtual Channel PDU to cover more memory.

"Going to drop the crash PoC here Friday if there isnt one public already... Maybe the following week, depending on if the vulnerable numbers drop consistently or not.

Crash PoC on all affected platforms 32/64"

It's actually really hilarious that people nowadays doesn't even understand why you put multiple \x41 (AAAAAAAAAAAAAAAAAAA...) in a heap, lol. BTW: The thing with you did with the channum and the multiplication for the padding to make sure that the stack pointer lands on that free after use heap is absolutely genius, congratulations.

No worries, I'll not release anything but don't you think it's way more funny to see that the biggest part of the people don't have any idea about how a stack pointer works?

Hi,
your codes is hitting the vulnerable path of termdd.sys, but the 3rd parameter of the IcaBindChannel function seems to be fixed at int64(3) or int64(4) while running your codes.

According to the public informations, the 3rd parameter should be controlled if we want to exploit this bug.
Any idea?

OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

How to solve it?

I am new to Python. I reviewed the code and everything looked like it would be fine to run. I was testing against a machine I thought was vulnerable still on my network but I wasn't seeing anything happen. I got frustrated and started hitting a range on my network. Our IT help desk started getting calls from users that their computers were blue screening. I stopped the script from running but it made it to several subnets and unknown how many machines.

Can someone please help verify that there was no malware sent with the commands? I think it was only causing the blue screen issue and nothing else.

patched windows server 2008 r2
kbKB2667402
then run crashexploit.py

the host is ok
so
this fake poc!!! is NOT CVE-2019-0708 POC

This is what I get when I run it on a vulnerable system

Traceback (most recent call last): File "crashpoc.py", line 194, in <module> main(sys.argv) File "crashpoc.py", line 158, in main tls = send_init_packets(args[1]) File "crashpoc.py", line 71, in send_init_packets tls.do_handshake() File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1915, in do_handshake self._raise_ssl_error(self._ssl, result) File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 1639, in _raise_ssl_error raise SysCallError(errno, errorcode.get(errno)) OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

CVE-2019-0708

How to deal with it, someone can help me

Very likely to be race condition vulnerability. Double release the resource with a null pointer.

I don't understand the channum mean what