Share
## https://sploitus.com/exploit?id=4AC9F9AD-49DE-5E6C-AEF3-BC8AF5009359
# CVE-2024-38063 — Windows IPv6 Stack Vulnerability (Analysis & PoC)

![Topic](https://img.shields.io/badge/Domain-Network%20Security-blue)
![Focus](https://img.shields.io/badge/Focus-IPv6%20Extensions-informational)
![Severity](https://img.shields.io/badge/Severity-Critical%20(CVSS%209.8)-red)

Technical analysis and Proof-of-Concept (PoC) for **CVE-2024-38063**, a critical Remote Code Execution (RCE) vulnerability in the Windows IPv6 stack (`tcpip.sys`). Discovered by KunLun Lab, this issue is *zero-click*, meaning it can be triggered by specially crafted packets without user interaction.

> **Academic context:** Final project for the “Foundations of Network Security” course.

---

## Table of Contents
- [Overview](#overview)
- [Technical Summary](#technical-summary)
- [Repository Contents](#repository-contents)
- [Lab Setup](#lab-setup)
- [PoC Logic (High-Level)](#poc-logic-high-level)
- [Usage](#usage)
- [Mitigation](#mitigation)
- [Disclaimer](#disclaimer)

---

## Overview
This repository contains:
- a structured analysis of the vulnerability,
- a PoC demonstration using Scapy,
- and full course documentation and lab instructions.

---

## Technical Summary
The core issue is an **integer underflow** in `tcpip.sys` during parsing of **IPv6 Extension Headers** within fragmented traffic.

- **Logic failure:** header length validation fails during calculation.
- **Memory corruption:** underflow leads to a buffer overflow and unsafe memory writes.
- **Impact:** potential **BSOD** and **RCE** under specific conditions.

---

## Repository Contents
- **CVE-2024-38063 Analysis.pdf** — Slides covering background, root cause, and mitigations.
- **CVE-2024-38063.py** — Scapy-based PoC script (demonstrates crash behavior).
- **WriteUP.pdf** — Full write-up, lab requirements, and execution notes.

---

## Lab Setup
To reproduce the environment in a **controlled, educational lab**:

- **Victim:** Windows 10/11 **prior to Aug 2024 patch / 24H2**, IPv6 enabled.
- **Attacker:** Linux VM with Python 3, Scapy.
- **Network:** IPv6 connectivity between both machines on the same network segment.

---

## PoC Logic (High-Level)
The PoC crafts a sequence of packets to trigger the underflow:

1. **Destination Options** with an unrecognized option type to push error-handling paths.
2. **Fragment 1** to start fragmentation and provide payload.
3. **Fragment 2** to terminate the sequence.

The script repeats these batches while varying the Hop Limit to increase the probability of encountering the vulnerable parsing path.

---

## Usage
1. Identify the target IPv6 address.
2. Update `ip_addr` and `iface` in `CVE-2024-38063.py`.
3. Run the script from the attacker machine:

```bash
pip install scapy
pip install getmac
python3 CVE-2024-38063.py
```

If the target is vulnerable, a BSOD typically occurs within 30–60 seconds as the kernel processes malformed headers.

---

## Mitigation
- **Apply security updates:** Microsoft patch (Aug 13, 2024).
- **Disable IPv6** where patching is not possible.
- **Firewall filtering:** block fragmented IPv6 packets at the perimeter.

---

## Disclaimer
This project is for **educational and research purposes only**. Unauthorized testing or access to systems you do not own or have explicit permission to assess is illegal. The authors assume no responsibility for misuse.