## https://sploitus.com/exploit?id=7359034F-3F06-521D-AB64-F205604BD325
# CVE-2022-21907
Vulnerability in HTTP Protocol Stack Enabling Remote Code Execution and Potential System Crash.
<br>
## Table of Contents
- [CVE-2022-21907](#cve-2022-21907)
- [Description](#description)
- [Environment](#environment)
- [Victim Machine Configuration](#victim-machine-configuration)
- [Attacker Machine Configuration](#attacker-machine-configuration)
- [Exploit](#exploit)
- [Proof of Concept](#proof-of-concept)
- [References](#references)
## Description
CVE-2022-21907 is a vulnerability in the HTTP Protocol Stack (http.sys) of Windows 10 that can be exploited by sending a specially crafted packet to a targeted server that uses the HTTP Protocol Stack to process packets. This can lead to a denial of service (DoS), where the server becomes unresponsive or crashes.
Exploiting this flaw can disrupt services and take a Windows 10 version 2004 machine offline without authentication or user interaction.
## Environment
First of all, make sure you have enough free space on your hard disk to test this vulnerability (you can adjust the memory and disk allocation after the VMs are installed).
To begin testing this vulnerability, install Vagrant and VirtualBox from these links:
- [Vagrant Installation](https://developer.hashicorp.com/vagrant/install)
- [VirtualBox Installation](https://www.virtualbox.org/wiki/Downloads)
Verify that the `VBoxManage` command works by entering it in `CMD` or `PowerShell`. If you receive an error such as:
<span style="color:red">"The term 'VBoxManage' is not recognized as the name of a cmdlet..."</span>
then ensure the VirtualBox path (e.g., `C:\Program Files\Oracle\VirtualBox`) is added to the system `Path` environment variable. Next, run the following command to create the NAT network the VMs will use:
```powershell
VBoxManage natnetwork add --netname MyCustomisedNet --network "192.168.100.0/24" --enable --dhcp on
```
Clone the following repository to obtain the necessary Vagrant files:
```bash
git clone https://github.com/kamal-marouane/CVE-2022-21907.git
```
### Victim Machine Configuration
After cloning the repo, enter the Victim Machine directory by executing the following command:
```bash
# quoted because the directory name contains a space
cd "CVE-2022-21907/Victim Machine"
```
In this folder you will find the `Vagrantfile`; all you have to do is execute:
```bash
vagrant up
```
<a href="https://ibb.co/N10Xwdv"><img src="https://i.ibb.co/vsNb26F/wait-for.png" alt="wait-for" border="0"></a>
Wait for the box to be downloaded and added. This takes a long time, since the box is around 5 GB (the image above is only representative).
After the installation ends, open VirtualBox and you will see that `MyWindowsVul` has been added and is running.
<a href="https://ibb.co/hZfHmhV"><img src="https://i.ibb.co/HxdYH1q/first.png" alt="first" border="0"></a>
Click on `Show` and you will see that your `Victim Machine` is running.
<a href="https://ibb.co/kSYKCrT"><img src="https://i.ibb.co/nLhrJVy/Screenshot-2023-12-10-013708.png" alt="Screenshot-2023-12-10-013708" border="0"></a>
### Attacker Machine Configuration
Now let's configure the attacker machine. Enter the Attacker Machine directory:
```bash
# directory name assumed to mirror "Victim Machine"; adjust if the repo uses a different name
cd "../Attacker Machine"
```
In this folder you will find the `Vagrantfile`; all you have to do is execute:
```bash
vagrant up
```
Wait for the box to be downloaded and added; the machine will then start. Click on `Show` and you will see the Attacker Machine running.
<a href="https://ibb.co/QmHX8sx"><img src="https://i.ibb.co/RH67hLJ/4.png" alt="4" border="0"></a>
Now the machines are configured and ready to use!
Use the following username and password to access the Attacker Machine:
```yaml
username : attacker
password : att
```
<a href="https://ibb.co/jJjCD0X"><img src="https://i.ibb.co/PDV2gXH/image.png" alt="image" border="0"></a>
## Exploit
To exploit the vulnerability, follow these steps carefully:
<br>
1 - Open the running VMs:
<a href="https://ibb.co/fN1z0gT"><img src="https://i.ibb.co/dpWwKTH/Screenshot-2023-12-10-040604.png" alt="Screenshot-2023-12-10-040604" border="0"></a>
2 - In the Victim Machine, open `cmd` and run `ipconfig` to find the IPv4 address assigned on the network created earlier:
```bash
ipconfig
```
You will then see the IPv4 address assigned from the network created with the `VBoxManage` command above.
<a href="https://ibb.co/vw2DPWD"><img src="https://i.ibb.co/K0Cmqgm/third.png" alt="third" border="0"></a>
Save this IPv4 address for later use.
<b>Attention!!:</b> The IP address on your virtual machine may differ from the one I have. Use the IP address obtained from the `ipconfig` command. Note that the default gateway must be 192.168.100.1, which we already created with the `VBoxManage` command, so the Victim Machine's IP address should be of the form 192.168.100.X.
3 - On the Attacker Machine (Kali Linux), navigate to the exploit directory:
```bash
cd CVE-2022-21907-Exploit
```
4 - Run the Python script on the Attacker Machine to crash the Victim Machine:
```bash
python3 CVE-2022-21907-exploit.py -i VICTIM_MACHINE_IP
```
Replace `VICTIM_MACHINE_IP` with the address obtained on the Victim Machine.
5 - Congratulations!!! The Victim Machine has CRASHED :/
## Proof of Concept
After following all the steps in the Exploit section, the Victim Machine will have crashed.
<a href="https://ibb.co/dpxNfWf"><img src="https://i.ibb.co/C9Djw1w/exploit.png" alt="exploit" border="0"></a>
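For the defender's side of this lab, the following PowerShell script is an added example (it is not part of the original repository) to run in an elevated prompt on the Victim Machine, or on any Windows host you want to assess. It reports whether http.sys is actively serving requests (registered URL prefixes), whether the `EnableTrailerSupport` registry value described in the Microsoft advisory listed under References is set, the installed `http.sys` file version to compare against the fixed build in that advisory, and, after the crash and reboot, the most recent BugCheck (Event ID 1001) and Kernel-Power (Event ID 41) entries in the System log so the outage can be confirmed and triaged. The registry path, event IDs and `netsh` commands are standard Windows ones; the one-day lookback window is a constructed choice.

```powershell
# Added example, not from the original repo: defender-side exposure check and post-crash triage.
# Run in an elevated PowerShell on the Windows host under test.

# 1. Is the HTTP Protocol Stack (http.sys) actually parsing requests on this host?
#    Any registered URL prefix means http.sys accepts traffic for that port on behalf
#    of IIS, WinRM, WSUS or any other kernel-mode HTTP listener.
Write-Host "=== http.sys registered URLs ==="
netsh http show servicestate view=requestq |
    Select-String -Pattern 'Registered URLs|http://|https://' |
    ForEach-Object { $_.Line.Trim() }

# 2. HTTP Trailer Support switch referenced in the MSRC advisory (see References).
#    On Windows Server 2019 / Windows 10 1809 the vulnerable code path is only active
#    when this value is 1; on later builds it is on by default, so "not set" does NOT
#    mean the host is safe there, only that patch level decides.
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$trailer  = Get-ItemProperty -Path $paramKey -Name 'EnableTrailerSupport' -ErrorAction SilentlyContinue
if ($null -eq $trailer) {
    Write-Host "EnableTrailerSupport: not set"
} else {
    Write-Host "EnableTrailerSupport: $($trailer.EnableTrailerSupport)"
}

# 3. Driver build: compare the reported version with the fixed build in the advisory.
$httpSys = Get-Item "$env:SystemRoot\System32\drivers\http.sys"
Write-Host "http.sys file version: $($httpSys.VersionInfo.FileVersion)"

# 4. Post-crash triage. The DoS ends in a kernel bugcheck, which the System log records
#    after reboot as Event ID 1001 (source BugCheck, carries the stop code) and
#    Event ID 41 (Kernel-Power, unexpected shutdown). Lookback window is a constructed choice.
$since = (Get-Date).AddDays(-1)
Write-Host "=== Crash events since $since ==="
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1001; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(200, $_.Message.Length)) } } |
    Format-List
```

Run it once before step 4 of the Exploit section to record the baseline (listeners, trailer setting, driver version), and again after the Victim Machine comes back up: the Event ID 1001 entry is the artifact a SOC would correlate with the inbound request from the Attacker Machine's IP in the web server or firewall logs.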
## References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907
- https://piffd0s.medium.com/patch-diffing-cve-2022-21907-b739f4108eee
- https://www.fortinet.com/blog/threat-research/analysis-of-microsoft-cve-2022-21907
- https://crashtest-security.com/cve-2022-21907-http-vulnerability/
- https://www.zerodayinitiative.com/blog/2021/5/17/cve-2021-31166-a-wormable-code-execution-bug-in-httpsys
<hr>
Should you encounter any issues or need clarification on any of the steps, please don't hesitate to reach out via email for assistance:<br>
[kamdrain@gmail.com](mailto:kamdrain@gmail.com)