Deniz Adrian zined

## 20200114-TLP-WHITE_CVE-2020-0601.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                zined
                / 20200114-TLP-WHITE_CVE-2020-0601.md
            
            
              Created
              January 16, 2020 18:01
                — forked from SwitHak/20200114-TLP-WHITE_CVE-2020-0601.md
            
              
                BlueTeam CheatSheet * CVE-2020-0601 * crypt32.dll | Last updated: 2020-01-16 1758 UTC
              
          
    CVE-2020-0601 AKA ChainOfFools

General


Microsoft disclosed a vulnerability in their monthly Patch Tuesday referenced under CVE-2020-0601.
The vulnerability was discovered by the U.S. National Security Agency, anounced today (2020-01-14) in their press conference,  followed by a blog post and an official security advisory.
The flaw is located in the "CRYPT32.DLL" file under the C:\Windows\System32\ directory.

Vulnerability explanation


NSA description:
NSA has discovered a critical vulnerability (CVE-2020-0601) affecting Microsoft Windows® cryptographic functionality.


## Insomnihack_Teaser_2017_winworld_exploit.py
# Insomni'hack Teaser 2017 "winworld" task exploit
#
# Author:    Mateusz "j00ru" Jurczyk
# Date:      21 January 2017
#
import os
import random
import string
import sys
import struct

## get_aws_saml_token.sh
curl https://youradfsserver.com.au/adfs/services/trust/13/usernamemixed --data @aws_saml_request.xml -H "Content-Type: application/soap+xml"  --verbose -o "saml.xml"

## aws_saml_request.xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:To s:mustUnderstand="1">https://youradfsserver.com.au/adfs/services/trust/13/usernamemixed</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:UsernameToken u:Id="uuid-6a13a244-dac6-42c1-84c5-cbb345b0c4c4-1">
        <o:Username>user@domain.com.au</o:Username>
        <o:Password>password</o:Password>
	# Insomni'hack Teaser 2017 "winworld" task exploit
	#
	# Author: Mateusz "j00ru" Jurczyk
	# Date: 21 January 2017
	#
	import os
	import random
	import string
	import sys
	import struct
	<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
	xmlns:a="http://www.w3.org/2005/08/addressing"
	xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<s:Header>
	<a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
	<a:To s:mustUnderstand="1">https://youradfsserver.com.au/adfs/services/trust/13/usernamemixed</a:To>
	<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
	<o:UsernameToken u:Id="uuid-6a13a244-dac6-42c1-84c5-cbb345b0c4c4-1">
	<o:Username>user@domain.com.au</o:Username>
	<o:Password>password</o:Password>