Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

Related tags

Security related resourcespythoncrashpocrceiis-servercve-2022-21907
Overview

CVE-2022-21907 - Double Free in http.sys driver

GitHub release (latest by date)

Summary

An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request header triggering a double free in the unknown coding-list inside the HTTP Protocol Stack (http.sys) to process packets, resulting in a kernel crash.

Vulnerable systems

  • Windows Server 2019 and Windows 10 version 1809:
    • Not vulnerable by default. Unless you have set the HTTP Trailer Support to EnableTrailerSupport in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters\, the systems are not vulnerable.
  • Windows 10 version 2004 (build 19041.450):
    • ✔️ Vulnerable

You can find the http.sys driver of Windows 10 version 2004 (build 19041.450) here:

Patch status Driver
Before patch ./ressources/drivers_before_update/C/Windows/System32/drivers/http.sys
After patch ./ressources/drivers_after_update/C/Windows/System32/drivers/http.sys

Demonstration

poc_cve-2022-01-18_12.35.35.mp4

Usage

$ ./CVE-2022-21907_http.sys_crash.py -h
usage: CVE-2022-21907_http.sys_crash.py [-h] -t TARGET [-v]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -t TARGET, --target TARGET
                        Target IIS Server.
  -v, --verbose         Verbose mode. (default: False)

Call graph at the moment of the crash

Call graph:

STACK_TEXT:
ffffca0d`46cdf158 fffff800`4a1efe29 : 00000000`00000139 00000000`00000003 ffffca0d`46cdf480 ffffca0d`46cdf3d8 : nt!KeBugCheckEx
ffffca0d`46cdf160 fffff800`4a1f0250 : 00000000`00001000 ffffca0d`46cdf4a0 fffff800`4aa4ef00 00000000`00000000 : nt!KiBugCheckDispatch+0x69
ffffca0d`46cdf2a0 fffff800`4a1ee5e3 : 00000000`00000000 00000000`00000002 00000000`c0000225 01b00030`4a1ec14c : nt!KiFastFailDispatch+0xd0
ffffca0d`46cdf480 fffff800`4707f537 : 00000000`00000010 00000000`00010202 ffffca0d`46cdf638 00000000`00000018 : nt!KiRaiseSecurityCheckFailure+0x323
ffffca0d`46cdf610 fffff800`47036ac5 : ffff930c`202efef9 ffffca0d`00000001 ffffca0d`46cdf694 00000000`00000000 : HTTP!UlFreeUnknownCodingList+0x63
ffffca0d`46cdf640 fffff800`4700d191 : ffff70ca`b45420d8 ffffca0d`46cdf819 00000000`00000010 fffff800`4700d140 : HTTP!UlpParseAcceptEncoding+0x298f5
ffffca0d`46cdf730 fffff800`46fe9368 : fffff800`46fb46e0 ffffca0d`46cdf819 ffff930c`210ca050 00000000`00000000 : HTTP!UlAcceptEncodingHeaderHandler+0x51
ffffca0d`46cdf780 fffff800`46fe8a47 : ffffca0d`46cdf8e8 00000000`00000004 00000000`00000000 00000000`00000010 : HTTP!UlParseHeader+0x218
ffffca0d`46cdf880 fffff800`46f44c5f : ffff930c`19c16228 ffff930c`19c16010 ffffca0d`46cdfa79 00000000`00000000 : HTTP!UlParseHttp+0xac7
ffffca0d`46cdf9e0 fffff800`46f4490a : fffff800`46f44760 ffff930c`202efcf0 00000000`00000000 00000000`00000001 : HTTP!UlpParseNextRequest+0x1ff
ffffca0d`46cdfae0 fffff800`46fe4852 : fffff800`46f44760 fffff800`46f44760 00000000`00000001 00000000`00000000 : HTTP!UlpHandleRequest+0x1aa
ffffca0d`46cdfb80 fffff800`4a146745 : ffff930c`19c16090 fffff800`46fb5f80 00000000`00000284 00000000`00000000 : HTTP!UlpThreadPoolWorker+0x112
ffffca0d`46cdfc10 fffff800`4a1e5598 : ffffa580`1afc0180 ffff930c`1eec0040 fffff800`4a1466f0 00000000`00000246 : nt!PspSystemThreadStartup+0x55
ffffca0d`46cdfc60 00000000`00000000 : ffffca0d`46ce0000 ffffca0d`46cda000 00000000`00000000 00000000`00000000 : nt!KiStartSystemThread+0x28

Function call graph:

 ───> nt!KiStartSystemThread+0x28
 │    ├──> nt!PspSystemThreadStartup+0x55
 │    │    ├──> HTTP!UlpThreadPoolWorker+0x112
 │    │    │    ├──> HTTP!UlpHandleRequest+0x1aa
 │    │    │    │    ├──> HTTP!UlpParseNextRequest+0x1ff
 │    │    │    │    │    ├──> HTTP!UlParseHttp+0xac7
 │    │    │    │    │    │    ├──> HTTP!UlParseHeader+0x218
 │    │    │    │    │    │    │    ├──> HTTP!UlAcceptEncodingHeaderHandler+0x51
 │    │    │    │    │    │    │    │    ├──> HTTP!UlpParseAcceptEncoding+0x298f5
 │    │    │    │    │    │    │    │    │    ├──> HTTP!UlFreeUnknownCodingList+0x63
 │    │    │    │    │    │    │    │    │    │    ├──> nt!KiRaiseSecurityCheckFailure+0x323
 │    │    │    │    │    │    │    │    │    │    │    ├──> nt!KiFastFailDispatch+0xd0
 │    │    │    │    │    │    │    │    │    │    │    │    ├──> nt!KiBugCheckDispatch+0x69
 │    │    │    │    │    │    │    │    │    │    │    │    │    └──> nt!KeBugCheckEx

References

You might also like...
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 9, 2022
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus 11306 Based on: https://xz.aliyun.com/t/106

Horizon 3 AI Inc 25 Nov 9, 2022
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Pedro Havay 12 Nov 18, 2022
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

Pedro Havay 20 Nov 11, 2022
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

log4j-shell-poc A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. Recently there was a new vulnerability in log4j, a java loggin

koz 1.5k Jan 4, 2023
Log4Shell Proof of Concept (CVE-2021-44228)
Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

Kr0ff 3 Jul 23, 2022
How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'
How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'

This bug doesn’t exist on x86: Exploiting an ARM-only race condition How to exploit a double free and get a shell. "Use-After-Free for dummies" In thi

Stephen Tong 1.2k Dec 25, 2022
CVE-2022-22536 - SAP memory pipes(MPI) desynchronization vulnerability CVE-2022-22536

CVE-2022-22536 SAP memory pipes desynchronization vulnerability(MPI) CVE-2022-22

antx 49 Nov 9, 2022
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp
Cve-2022-23131 - Cve-2022-23131 zabbix-saml-bypass-exp

cve-2022-23131 cve-2022-23131 zabbix-saml-bypass-exp replace [zbx_signed_session

东方有鱼名为咸 135 Dec 14, 2022
Releases(1.1)
Owner
Podalirius
Hacker of everything
Podalirius
GitHub Repository https://podalirius.net/
Open-source keylogger write in python

Python open-source keylogger Language Python open-source keylogger using pynput module Using Install dependences in archive setup.py or install.sh in

Dio brando 4 Jan 15, 2022
CVE-2021-45232-RCE-多线程批量漏洞检测

CVE-2021-45232-RCE CVE-2021-45232-RCE-多线程批量漏洞检测 FOFA 查询 title="Apache APISIX Das

孤桜懶契 36 Sep 21, 2022
The RDT protocol (RDT3.0,GBN,SR) implementation and performance evaluation code using socket

소켓을 이용한 RDT protocols (RDT3.0,GBN,SR) 구현 및 성능 평가 코드 입니다. 코드를 실행할때 리시버를 먼저 실행하세요. 성능 평가 코드는 패킷 전송 과정을 제외하고 시간당 전송률을 출력합니다. RDT3.0 GBN SR(버그 발견으로 구현중 입니

kimtaeyong98 0 Dec 20, 2021
A proxy server application written in python for trial purposes

python-proxy-server This is a proxy server ❤️ application written in python ❤️ for trial purposes. The purpose of the application; Connecting to Hacke

Ali Kasimoglu 2 Dec 27, 2021
BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.

Follow us on Twitter! BoobSnail BoobSnail allows generating XLM (Excel 4.0) macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro gen

STM Cyber 232 Nov 21, 2022
Fast Fb Cracking Tool

fb-brute Fast Fb Cracking Tool 🏆

Aryan 8 Jun 29, 2022
🍉一款基于Python-Django的多功能Web安全渗透测试工具,包含漏洞扫描,端口扫描,指纹识别,目录扫描,旁站扫描,域名扫描等功能。

Sec-Tools 项目介绍 系统简介 本项目命名为Sec-Tools,是一款基于 Python-Django 的在线多功能 Web 应用渗透测试系统,包含漏洞检测、目录识别、端口扫描、指纹识别、域名探测、旁站探测、信息泄露检测等功能。本系统通过旁站探测和域名探测功能对待检测网站进行资产收集,通过端

简简 300 Jan 07, 2023
NEW FACEBOOK CLONER WITH NEW PASSWORD, TERMUX FB CLONE, FB CLONING COMMAND. M

NEW FACEBOOK CLONER WITH NEW PASSWORD, TERMUX FB CLONE, FB CLONING COMMAND. M

Mr. Error 81 Jan 08, 2023
Script Crack Facebook Premium 🚶‍♂

premium Script Crack Facebook Premium 🚶‍♂ In Script Install Script $ pkg update && pkg upgrade $ termux-setup-storage $ pkg install python $ pkg inst

Yumasaa 2 Dec 19, 2021
Scans all drives for log4j jar files and gets their version from the manifest

log4shell_scanner Scans all drives for log4j jar files and gets their version from the manifest. Windows and Windows Server only.

Zdeněk Loučka 1 Dec 29, 2021
A Radare2 based Python module for Binary Analysis and Reverse Engineering.

Zepu1chr3 A Radare2 based Python module for Binary Analysis and Reverse Engineering. Installation You can simply run this command. pip3 install zepu1c

Mehmet Ali KERİMOĞLU 5 Aug 25, 2022
KeyLogger

By-Emirhan KeyLogger Hangi Sistemlerde Çalışır? | On Which Systems Does It Work? KALİ LİNUX UBUNTU PARDUS MİNT TERMUX ARCH YÜKLEME & ÇALIŞTIRMA KOMUTL

2 Feb 24, 2022
Raphael is a vulnerability scanning tool based on Python3.

Raphael Raphael是一款基于Python3开发的插件式漏洞扫描工具。 Raphael is a vulnerability scanning too

b4zinga 5 Mar 21, 2022
带回显版本的漏洞利用脚本

CVE-2021-21978 带回显版本的漏洞利用脚本,更简单的方式 0. 漏洞信息 VMware View Planner Web管理界面存在一个上传日志功能文件的入口,没有进行认证且写入的日志文件路径用户可控,通过覆盖上传日志功能文件log_upload_wsgi.py,即可实现RCE 漏洞代码

3ky7in4 24 Nov 09, 2022
This tool allows to automatically test for Content Security Policy bypass payloads.

CSPass This tool allows to automatically test for Content Security Policy bypass payloads. Usage [cspass]$ ./cspass.py -h usage: cspass.py [-h] [--no-

Ruulian 30 Nov 22, 2022
Just another script for automatize boolean-based blind SQL injections.

SQL Blind Injection Tool A script for automatize boolean-based blind SQL injections. Works with SQLite at least, supports using cookies. It uses bitwi

RIM 51 Dec 15, 2022
Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Cowrie Welcome to the Cowrie GitHub repository This is the official repository for the Cowrie SSH and Telnet Honeypot effort. What is Cowrie Cowrie is

Cowrie 4.1k Jan 09, 2023
FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

FBGen is simple facebook user based wordlist generator using Username/ID and cookie.

2 Jul 20, 2022
Multi-Process Vulnerability Tool

Multi-Process Vulnerability Tool

Baris Dincer 1 Dec 22, 2021
HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

HatSploit collection of generic payloads designed to provide a wide range of attacks without having to spend time writing new ones.

EntySec 5 May 10, 2022