Proof of concept for CVE-2021-24086, a NULL dereference in tcpip.sys triggered remotely.

Overview

CVE-2021-24086

This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patched by Microsoft in February 2021. According to this tweet, the vulnerability has been found by @piazzt. It is triggerable remotely by sending malicious UDP packet over IPv6.

trigger

You can read Microsoft's blog here: Multiple Security Updates Affecting TCP/IP:  CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086. It discusses briefly the impact and workaround/mitigations.

A more in-depth discussion about the root-cause is available on doar-e.github.io: Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086).

doare

Running the PoC

Run the cve-2021-24086.py script; it requires Scapy:

over@bubuntu:~$ sudo python3 cve-2021-24086.py
66 fragments, total size 0xfff8
..................................................................
Sent 66 packets.
.
Sent 1 packets.

Authors

You might also like...
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability
A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability

log4j-shell-poc A Proof-Of-Concept for the recently found CVE-2021-44228 vulnerability. Recently there was a new vulnerability in log4j, a java loggin

Log4Shell Proof of Concept (CVE-2021-44228)
Log4Shell Proof of Concept (CVE-2021-44228)

CVE-2021-44228 Log4Shell Proof of Concept (CVE-2021-44228) Make sure to use Java 8 JDK. Java 8 Download Images Credits Casey Dunham - Java Reverse She

Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965
Spring4Shell Proof Of Concept/And vulnerable application CVE-2022-22965

Spring4Shell-POC (CVE-2022-22965) Spring4Shell (CVE-2022-22965) Proof Of Concept/Information + A vulnerable Tomcat server with a vulnerable spring4she

Ingest GreyNoise.io malicious feed for CVE-2021-44228 and apply null routes

log4j-nullroute Quick script to ingest IP feed from greynoise.io for log4j (CVE-2021-44228) and null route bad addresses. Works w/Cisco IOS-XE and Ari

DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)
DNSpooq - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685)

dnspooq DNSpooq PoC - dnsmasq cache poisoning (CVE-2020-25686, CVE-2020-25684, CVE-2020-25685) For educational purposes only Requirements Docker compo

Proof-of-concept obfuscation toolkit for C# post-exploitation tools
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

Python-based proof-of-concept tool for generating payloads that utilize unsafe Java object deserialization.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

Proof of concept GnuCash Webinterface

Proof of Concept GnuCash Webinterface This may one day be a something truly great. Milestones [ ] Browse accounts and view transactions [ ] Record sim

Comments
  • Getting this error

    Getting this error

    66 fragments, total size 0xfff8 Traceback (most recent call last): File "/home/yomist/Downloads/CVE-2021-24086-main/cve-2021-24086.py", line 388, in main() File "/home/yomist/Downloads/CVE-2021-24086-main/cve-2021-24086.py", line 384, in main pull_the_trigger(args) File "/home/yomist/Downloads/CVE-2021-24086-main/cve-2021-24086.py", line 370, in pull_the_trigger sendp(frags, iface= args.iface) File "/usr/lib/python3/dist-packages/scapy/sendrecv.py", line 376, in sendp socket = socket or conf.L2socket(iface=iface, *args, **kargs) File "/usr/lib/python3/dist-packages/scapy/arch/linux.py", line 411, in init set_promisc(self.ins, self.iface) File "/usr/lib/python3/dist-packages/scapy/arch/linux.py", line 147, in set_promisc mreq = struct.pack("IHH8s", get_if_index(iff), PACKET_MR_PROMISC, 0, b"") File "/usr/lib/python3/dist-packages/scapy/arch/linux.py", line 360, in get_if_index return int(struct.unpack("I", get_if(iff, SIOCGIFINDEX)[16:20])[0]) File "/usr/lib/python3/dist-packages/scapy/arch/common.py", line 31, in get_if return ioctl(sck, cmd, struct.pack("16s16x", iff.encode("utf8"))) OSError: [Errno 19] No such device

    Even after installing scapy and all got this error

    opened by yomighty 5
  • pthon error

    pthon error

    C:\Users\Administrator>D:\git\Vulnerability\CVE\CVE-2021-24086\cve-2021-24086-2.py Traceback (most recent call last): File "D:\git\Vulnerability\CVE\CVE-2021-24086\cve-2021-24086-2.py", line 3, in from scapy.all import * ImportError: No module named scapy.all

    C:\Users\Administrator>C:\Users\Administrator\AppData\Local\Programs\Python\Python39\python.exe D:\git\Vulnerability\CVE\CVE-2021-24086\cve-2021-24086.py Traceback (most recent call last): File "D:\git\Vulnerability\CVE\CVE-2021-24086\cve-2021-24086.py", line 2, in from scapy.all import * ModuleNotFoundError: No module named 'scapy'

    C:\Users\Administrator>

    opened by kouzhudong 5
Owner
Axel Souchet
Axel Souchet
IP Denial of Service Vulnerability ")A proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability ")

CVE-2021-24086 This is a proof of concept for CVE-2021-24086 ("Windows TCP/IP Denial of Service Vulnerability "), a NULL dereference in tcpip.sys patc

Carry 1 Nov 25, 2021
Proof of concept of CVE-2022-21907 Double Free in http.sys driver, triggering a kernel crash on IIS servers

CVE-2022-21907 - Double Free in http.sys driver Summary An unauthenticated attacker can send an HTTP request with an "Accept-Encoding" HTTP request he

Podalirius 71 Dec 22, 2022
ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065)

ExProlog ProxyLogon Full Exploit Chain PoC (CVE-2021–26855, CVE-2021–26857, CVE-2021–26858, CVE-2021–27065) Usage: exprolog.py [OPTIONS] ExProlog -

Herwono W. Wijaya 130 Dec 15, 2022
Proof of Concept Exploit for vCenter CVE-2021-21972

CVE-2021-21972 Proof of Concept Exploit for vCenter CVE-2021-21972

Horizon 3 AI Inc 210 Dec 31, 2022
Proof on Concept Exploit for CVE-2021-38647 (OMIGOD)

OMIGOD Proof on Concept Exploit for CVE-2021-38647 (OMIGOD) For background information and context, read the our blog post detailing this vulnerabilit

Horizon 3 AI Inc 231 Nov 12, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 9, 2022
Proof of Concept Exploit for ManageEngine ServiceDesk Plus CVE-2021-44077

CVE-2021-44077 Proof of Concept Exploit for CVE-2021-44077: PreAuth RCE in ManageEngine ServiceDesk Plus < 11306 Based on: https://xz.aliyun.com/t/106

Horizon 3 AI Inc 25 Nov 9, 2022
This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798).

CVE-2021-43798 – Grafana Exploit About This is a proof-of-concept exploit for Grafana's Unauthorized Arbitrary File Read Vulnerability (CVE-2021-43798

Pedro Havay 12 Nov 18, 2022
A proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228)

CVE-2021-44228 – Log4j RCE Unauthenticated About This is a proof-of-concept exploit for Log4j RCE Unauthenticated (CVE-2021-44228). This vulnerability

Pedro Havay 20 Nov 11, 2022