0vercl0k/CVE-2021-31166 0vercl0k/CVE-2021-31166

  • This repository has been archived on 27/Dec/2023
  • Stars
    star
    824
  • Rank 55,348 (Top 2 %)
  • Language
    Python
  • License
    MIT License
  • Created over 3 years ago
  • Updated over 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
0vercl0k/CVE-2021-31166
github

0vercl0k

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. According to this tweet the vulnerability has been found by @_mxms and @fzzyhd1.

trigger

The bug itself happens in http!UlpParseContentCoding where the function has a local LIST_ENTRY and appends item to it. When it's done, it moves it into the Request structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the Request object.

rel04vsrel05

Here is the bugcheck:

KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139
                       (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

nt!DbgBreakPointWithStatus:
fffff804`19410c50 cc              int     3

kd> kp
 # Child-SP          RetAddr               Call Site
00 fffff90e`a867e368 fffff804`19525382     nt!DbgBreakPointWithStatus
01 fffff90e`a867e370 fffff804`19524966     nt!KiBugCheckDebugBreak+0x12
02 fffff90e`a867e3d0 fffff804`19408eb7     nt!KeBugCheck2+0x946
03 fffff90e`a867eae0 fffff804`1941ad69     nt!KeBugCheckEx+0x107
04 fffff90e`a867eb20 fffff804`1941b190     nt!KiBugCheckDispatch+0x69
05 fffff90e`a867ec60 fffff804`19419523     nt!KiFastFailDispatch+0xd0
06 fffff90e`a867ee40 fffff804`1db3f677     nt!KiRaiseSecurityCheckFailure+0x323
07 fffff90e`a867efd0 fffff804`1daf6c05     HTTP!UlFreeUnknownCodingList+0x63
08 fffff90e`a867f000 fffff804`1dacd201     HTTP!UlpParseAcceptEncoding+0x299c5
09 fffff90e`a867f0f0 fffff804`1daa93d8     HTTP!UlAcceptEncodingHeaderHandler+0x51
0a fffff90e`a867f140 fffff804`1daa8ab7     HTTP!UlParseHeader+0x218
0b fffff90e`a867f240 fffff804`1da04c5f     HTTP!UlParseHttp+0xac7
0c fffff90e`a867f3a0 fffff804`1da0490a     HTTP!UlpParseNextRequest+0x1ff
0d fffff90e`a867f4a0 fffff804`1daa48c2     HTTP!UlpHandleRequest+0x1aa
0e fffff90e`a867f540 fffff804`1932ae85     HTTP!UlpThreadPoolWorker+0x112
0f fffff90e`a867f5d0 fffff804`19410408     nt!PspSystemThreadStartup+0x55
10 fffff90e`a867f620 00000000`00000000     nt!KiStartSystemThread+0x28

kd> !analyze -v
[...]
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved

Frequently Asked Questions

Q: Is Windows Remote Management (WinRM) affected?

Yes (thanks to @JimDinMN for sharing his experiments).

Q: Is Web Services on Devices (WSDAPI) affected?

Yes (thanks to @HenkPoley for sharing his results).

Q: What are the affected versions of Windows?

According to Microsoft's documentation, here are the affected platforms:

  • Windows Server, version 2004 (or 20H1) (Server Core installation),
  • Windows 10 Version 2004 (or 20H1) for ARM64/x64/32-bit Systems,
  • Windows Server, version 20H2 (Server Core Installation),
  • Windows 10 Version 20H2 for ARM64/x64/32-bit Systems.

More Repositories

1

rp

rp++ is a fast C++ ROP gadget finder for PE/ELF/Mach-O x86/x64/ARM/ARM64 binaries.
C++
1,804
star
2

wtf

wtf is a distributed, code-coverage guided, customizable, cross-platform snapshot-based fuzzer designed for attacking user and / or kernel-mode targets running on Microsoft Windows and Linux user-mode (experimental!).
C++
1,472
star
3

CVE-2019-11708

Full exploit chain (CVE-2019-11708 & CVE-2019-9810) against Firefox on Windows 64-bit.
JavaScript
617
star
4

stuffz

Basically a script thrift shop
C
589
star
5

windbg-scripts

A bunch of JavaScript extensions for WinDbg.
JavaScript
315
star
6

CVE-2022-21971

PoC for CVE-2022-21971 "Windows Runtime Remote Code Execution Vulnerability"
Rich Text Format
306
star
7

clairvoyance

Visualize the virtual address space of a Windows process on a Hilbert curve.
C++
294
star
8

z3-playground

A repository to store Z3-python scripts you can use as examples, reminders, whatever.
Python
273
star
9

CVE-2021-24086

Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.
Python
232
star
10

CVE-2019-9810

Exploit for CVE-2019-9810 Firefox on Windows 64-bit.
JavaScript
228
star
11

CVE-2021-28476

PoC for CVE-2021-28476 a guest-to-host "Hyper-V Remote Code Execution Vulnerability" in vmswitch.sys.
C
217
star
12

udmp-parser

A Cross-Platform C++ parser library for Windows user minidumps with Python 3 bindings.
C++
193
star
13

kdmp-parser

A Windows kernel dump C++ parser library with Python 3 bindings.
C++
193
star
14

blazefox

Blazefox exploits for Windows 10 RS5 64-bit.
C++
148
star
15

symbolizer

A fast execution trace symbolizer for Windows.
C++
130
star
16

zenith

Zenith exploits a memory corruption vulnerability in the NetUSB driver to get remote-code execution on the TP-Link Archer C7 V5 router for Pwn2Own Austin 2021.
Python
121
star
17

sic

Enumerate user mode shared memory mappings on Windows.
C
114
star
18

ollydbg2-python

Scripting OllyDBG2 using Python is now possible!
C++
110
star
19

snapshot

WinDbg extension written in Rust to dump the CPU / memory state of a running VM
Rust
110
star
20

rp-bf.rs

rp-bf: A library to bruteforce ROP gadgets by emulating a Windows user-mode crash-dump
Rust
110
star
21

fuzzing-ida75

Repository of the findings found by wtf when fuzzing IDA75.
86
star
22

paracosme

Paracosme is a zero-click remote memory corruption exploit that compromises ICONICS Genesis64 which was demonstrated successfully on stage during the Pwn2Own Miami 2022 competition.
Python
86
star
23

symbolizer-rs

A fast execution trace symbolizer for Windows that runs on all major platforms and doesn't depend on any Microsoft libraries.
Rust
84
star
24

CVE-2022-28281

PoC for CVE-2022-28281 a Mozilla Firefox Out of bounds write.
HTML
74
star
25

lockmem

This utility allows you to lock every available memory regions of an arbitrary process into its working set.
C++
66
star
26

pywinhv

Python bindings for the Microsoft Hypervisor Platform APIs.
Python
66
star
27

CVE-2022-21974

PoC for CVE-2022-21974 "Roaming Security Rights Management Services Remote Code Execution Vulnerability"
Rich Text Format
58
star
28

pwn2own2023-miami

Writeups, PoCs of the bugs I found while preparing for the Pwn2Own Miami 2023 contest targeting UaGateway from the OPC UA Server category.
C++
57
star
29

CVE-2021-32537

PoC for CVE-2021-32537: an out-of-bounds memory access that leads to pool corruption in the Windows kernel.
C++
57
star
30

j0llyDmpr

j0llydmper is a windows service that allows you to dump furtively and automaticaly some contents of USB disks just plugged in your computer. In order to dump potentialy interesting files, you can use a rule on the file name or/and on the file size.
C
40
star
31

udmp-parser-rs

A Rust crate for parsing Windows user minidumps.
Rust
40
star
32

inject

Yet another Windows DLL injector.
C++
38
star
33

kdmp-parser-rs

A KISS Rust crate to parse Windows kernel crash-dumps created by Windows & its debugger.
Rust
32
star
34

KEPaboo

Neutralize KEPServerEX anti-debugging techniques
C++
31
star
35

longue-vue

Longue vue is an exploit chain that can compromise over the internet NETGEAR DGND3700v2 devices.
JavaScript
25
star
36

TV-Show-Downloader

Maybe you're a guy a bit like me -- who watch a lot of series -- so I guess you already know that downloading the latest episodes of all your favorites TV Shows is absolutely PAINFUL. I mean it, really. Thus, TVShow Downloader is a set of basic scripts (crontab + python script + bash script) designed to simplify my whole existence on this earth: I haven't to think about downloading my serie anymore \o/.
Python
21
star
37

teesee-calc

Visualize and compare total compensation (TC) packages over time.
HTML
11
star
38

dbgeng-rs

Rust binding for the dbgeng COM interfaces.
Rust
11
star
39

articles

Mirror of the different PDF articles I wrote
10
star
40

0vercl0k

5
star
41

gflags-rs

Utility that lets you interact with Microsoft Windows Global Flags and particularly PageHeap, made to learn Rust
Rust
4
star
42

addr-symbolizer-rs

A KISS Rust crate to symbolize function addresses using Windows PDB files
Rust
4
star
43

rp2s

3
star
44

result

Simple, tiny and readable implementation of a Rust like std::result type for C++.
1
star