Add CVE-2021-31166 DoS Module #16284
Conversation
@mauricelambert This appears to be a PoC for CVE-2021-31166, not for CVE-2022-21907 as mentioned at https://isc.sans.edu/diary/28234. In https://isc.sans.edu/diary/28234 we can see the new vuln is related to the trailer feature, not the Accept-Encoding header that CVE-2021-31166 was originally related to. Therefore I don't think we should be accepting this as a CVE-2022-21907 exploit and I would also question if this has been tested against a machine that has been patched for CVE-2021-31166 but not for CVE-2022-21907. This is a common mistake others have made and has led to much confusion over the last month. As far as I am aware there has been no public PoC for CVE-2022-21907, however if one did exist it should use the
Thanks for the analysis. Indeed you are right, my system is not patched, therefore I modified the name of the CVE and the documentation. I will try to mount a system vulnerable to CVE-2022-21907 and try to find a working exploit (I am not a Microsoft/Windows expert, it is unlikely that I will find it).
documentation/modules/auxiliary/dos/windows/http/rb_dos_iis_2021_31166.md
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:
You can automate most of these changes with the
Please update your branch after these have been made, and reach out if you have any problems.
Review comment on documentation/modules/auxiliary/dos/windows/http/rb_dos_iis_2021_31166.md, attached to these template lines:

> ## Scenarios
>
> ### Windows XXX running IIS XXX with <MONTH> <YEAR> Patches
>
> ```text
I will add the configuration of my Virtual Machine. I print it in the demonstration (gif in the documentation) but the gif is too big to be loaded in the markdown.
Doesn't look like this was updated @mauricelambert?
Do you want me to add the version and patch like this:
Windows 10 20H2 19042.804 running IIS with November 22, 2021 Patches (KB5007253)
Thanks for the commits, I worked on the description but it is less detailed than yours.
LGTM and tested this successfully. Thanks @mauricelambert! Will land this once tests pass.
Release Notes
A new module has been added that exploits CVE-2021-31166, a UAF bug in
Verification
List the steps needed to make sure this thing works:

```
msfconsole
use exploit/windows/iis/rb_dos_iis_2021_31166
set RHOST <ip>
exploit
```

Output