0vercl0k/CVE-2021-31166 0vercl0k/CVE-2021-31166

  • This repository has been archived on 27/Dec/2023
  • Stars
    star
    823
  • Rank 53,367 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created about 3 years ago
  • Updated almost 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
0vercl0k/CVE-2021-31166
github

0vercl0k

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. According to this tweet the vulnerability has been found by @_mxms and @fzzyhd1.

trigger

The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

rel04vsrel05

Here is the bugcheck:

KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90e`a867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90e`a867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90e`a867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90e`a867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90e`a867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90e`a867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90e`a867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90e`a867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90e`a867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90e`a867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90e`a867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90e`a867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90e`a867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90e`a867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90e`a867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90e`a867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90e`a867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Frequently Asked Questions

Q: Is Windows Remote Management (WinRM) affected?

Yes (thanks to @JimDinMN for sharing his experiments).

Q: Is Web Services on Devices (WSDAPI) affected?

Yes (thanks to @HenkPoley for sharing his results).

Q: What are the affected versions of Windows?

According to Microsoft's documentation, here are the affected platforms:

  • Windows Server, version 2004 (or 20H1) (Server Core installation),
  • Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
  • Windows Server, version 20H2 (Server Core Installation),
  • Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.

More Repositories

1

rp

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.
C++
1,722
star
2

wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
C++
1,351
star
3

CVE-2019-11708

Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
JavaScript
615
star
4

stuffz

Basically a script thrift shop
C
584
star
5

CVE-2022-21971

PoC for CVE-2022-21971 "Windows Runtime Remote Code Execution Vulnerability"
Rich Text Format
303
star
6

clairvoyance

Visualize the virtual address space of a Windows process on a Hilbert curve.
C++
290
star
7

windbg-scripts

A bunch of JavaScript extensions for WinDbg.
JavaScript
286
star
8

z3-playground

A repository to store Z3-python scripts you can use as examples, reminders, whatever.
Python
273
star
9

CVE-2019-9810

Exploit for CVE-2019-9810 Firefox on Windows 64-bit.
JavaScript
227
star
10

CVE-2021-24086

Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.
Python
225
star
11

CVE-2021-28476

PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.
C
212
star
12

kdmp-parser

A Windows kernel dump C++ parser library with Python 3 bindings.
C++
181
star
13

udmp-parser

A Cross-Platform C++ parser library for Windows user minidumps with Python 3 bindings.
C++
172
star
14

blazefox

Blazefox exploits for Windows 10 RS5 64-bit.
C++
147
star
15

symbolizer

A fast execution trace symbolizer for Windows.
C++
130
star
16

zenith

Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021.
Python
123
star
17

sic

Enumerate user mode shared memory mappings on Windows.
C
112
star
18

ollydbg2-python

Scripting OllyDBG2 using Python is now possible!
C++
108
star
19

rp-bf.rs

rp-bf: A library to bruteforce ROP gadgets by emulating a Windows user-mode crash-dump
Rust
108
star
20

snapshot

WinDbg extension written in Rust to dump the CPU / memory state of a running VM
Rust
91
star
21

paracosme

Paracosme is a zero-click remote memory corruption exploit that compromises ICONICS Genesis64 which was demonstrated successfully on stage during the Pwn2Own Miami 2022 competition.
Python
84
star
22

fuzzing-ida75

Repository of the findings found by wtf when fuzzing IDA75.
83
star
23

CVE-2022-28281

PoC for CVE-2022-28281 a Mozilla Firefox Out of bounds write.
HTML
74
star
24

pywinhv

Python bindings for the Microsoft Hypervisor Platform APIs.
Python
66
star
25

CVE-2022-21974

PoC for CVE-2022-21974 "Roaming Security Rights Management Services Remote Code Execution Vulnerability"
Rich Text Format
60
star
26

lockmem

This utility allows you to lock every available memory regions of an arbitrary process into its working set.
C++
58
star
27

CVE-2021-32537

PoC for CVE-2021-32537: an out-of-bounds memory access that leads to pool corruption in the Windows kernel.
C++
58
star
28

pwn2own2023-miami

Writeups, PoCs of the bugs I found while preparing for the Pwn2Own Miami 2023 contest targeting UaGateway from the OPC UA Server category.
C++
54
star
29

j0llyDmpr

j0llydmper is a windows service that allows you to dump furtively and automaticaly some contents of USB disks just plugged in your computer. In order to dump potentialy interesting files, you can use a rule on the file name or/and on the file size.
C
41
star
30

udmp-parser-rs

A Rust crate for parsing Windows user minidumps.
Rust
40
star
31

inject

Yet another Windows DLL injector.
C++
33
star
32

KEPaboo

Neutralize KEPServerEX anti-debugging techniques
C++
28
star
33

longue-vue

Longue vue is an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices.
JavaScript
24
star
34

kdmp-parser-rs

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
Rust
24
star
35

TV-Show-Downloader

Maybe you're a guy a bit like me -- who watch a lot of series -- so I guess you already know that downloading the latest episodes of all your favorites TV Shows is absolutely PAINFUL. I mean it, really. Thus, TVShow Downloader is a set of basic scripts (crontab + python script + bash script) designed to simplify my whole existence on this earth: I haven't to think about downloading my serie anymore \o/.
Python
22
star
36

teesee-calc

Visualize and compare total compensation (TC) packages over time.
HTML
10
star
37

articles

Mirror of the different PDF articles I wrote
10
star
38

0vercl0k

5
star
39

gflags-rs

Utility that lets you interact with Microsoft Windows Global Flags and particularly PageHeap, made to learn Rust
Rust
4
star
40

symbolizer-rs

A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
Rust
4
star
41

rp2s

3
star
42

result

Simple, tiny and readable implementation of a Rust like std::result type for C++.
1
star