RCE Exploit within the RPC Library (CVE-2022-26809)
# How did we do this?
Within the Windows RPC runtime, there is a library named rpcrt4.dll. This runtime library is loaded into both client and server processes that use the RPC protocol for communication. Diving deeper into the vulnerable code in OSF_SCALL::GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied into a buffer that is too small to hold it. This in turn allows data to be written out of the buffer's bounds, on the heap. When exploited, this primitive leads us to remote code execution, allowing the attacker to do anything to the victim!
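The bug class described above, an unchecked length sum that wraps and leaves the heap allocation too small for the bytes copied into it, as an added C example that is not the rpcrt4.dll code (which is not reproduced here): a hypothetical fragment coalescer in its unchecked form beside a hardened version that rejects lengths whose sum would wrap. `frag_t`, the function names and the `max_total` policy bound are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fragment descriptor (the real rpcrt4.dll structures are not
   reproduced): a request arrives in fragments that get coalesced into one
   heap buffer. */
typedef struct { const uint8_t *data; uint32_t len; } frag_t;

/* Vulnerable pattern (CWE-190): lengths summed in a 32-bit counter with no
   wrap check, so attacker-chosen lengths can yield a total far smaller than
   the bytes later copied. Only the arithmetic is modelled; nothing is copied. */
uint32_t sum_lengths_unchecked(const frag_t *f, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += f[i].len;  /* silently wraps */
    return total;
}

/* Hardened pattern: reject the message if any addition would wrap, and bound
   the total by a policy maximum (max_total is a constructed parameter). */
bool sum_lengths_checked(const frag_t *f, size_t n, uint32_t max_total,
                         uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].len > UINT32_MAX - total) return false;  /* would wrap */
        total += f[i].len;
        if (total > max_total) return false;              /* over policy */
    }
    *out = total;
    return true;
}

/* Coalesce with the checked size: the allocation holds every byte that is
   copied, so the copy cannot run past the heap chunk. Returns NULL and sets
   *out_len to 0 when the lengths are rejected; the caller frees the result. */
uint8_t *coalesce_checked(const frag_t *f, size_t n, uint32_t max_total,
                          uint32_t *out_len) {
    uint32_t total, off = 0;
    *out_len = 0;
    if (!sum_lengths_checked(f, n, max_total, &total)) return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf) return NULL;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + off, f[i].data, f[i].len);
        off += f[i].len;
    }
    *out_len = total;
    return buf;
}
```

The same "would this addition wrap?" check is what a code audit or fuzzing harness should look for around any size accumulation that feeds an allocation.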
# Are you going to release this to the public?
We will eventually release this; however, right now we believe that it is better to distribute this carefully and limit the release. You can buy the exploit here: https://satoshidisk.com/pay/CGIfuZ