.webp "Arena-Hard-Auto : Advancing LLM Evaluation With Style Control Integration")
.webp "How To Install/Run – Streamlining OSINT Workflows For Enhanced Capabilities")
This is a (rather flaky) poc for CVE-2024-38063, a RCE in tcpip.sys patched on August 13th 2024. I didn’t find and report this vuln, that would be Wei.
Requirements
pip3 install scapypip3 install scapy
python3 cve-2024-38063.pyThe easiest way to reproduce the vuln is by using bcdedit /set debug on on the target system and restarting the machine/VM.
This makes the default network adapter driver kdnic.sys, which is very happy to coalesce packets.
If you’re trying to reproduce the vuln on a different setup, you’ll need to get the system in a position where it will coalesce the packets you sent. You can read the troubleshooting section below on more details.
Rough RCA
You can read this great analysis of the vulnerability by Marcus if you’re interested in the technical details. The details I’ve written below are meant to serve as a summary, rather than serious technical analysis.
- In certain situations, windows will coalesce multiple IP packets together and batch process them.
- It processes the extension headers in each packet first, and only then moves on to process the data in each packet.
- During extension header processing, packet objects of these coalesced packets are linked together in a linked list. Each packet object contains a
NET_BUFFERobject which contains buffered packet data.- At offset
0x30we also have a current-offset field which indicates how far the packet has been parsed. At this stage, the offset value will generally be0x28, indicating that the IPv6 header has been parsed but nothing else.
- At offset
- When processing the “destination options” extension header in
tcpip!Ipv6pReceiveDestinationOptions, a parsing error will result intcpip!IppSendErrorListbeing called. This function callstcpip!IppSendErroron each packet object in the linked list (starting from the current one). - Under certain conditions (e.g. if the packet is unicast),
tcpip!IppSendErrorhas side effects. It “reverts” the buffered packet data back to the start and resets the current-offset field to zero. - However, in this whole chain of events, only the first packet is marked as having an error (offset
0x8C).- This means that the driver will continue to parse extesion headers of other packets in the linked list, even if they’ve been “reverted” in
IppSendError.
- This means that the driver will continue to parse extesion headers of other packets in the linked list, even if they’ve been “reverted” in
- The processing of those packets that have been reverted is then done with unexpected data: the buffered packet data is pointing towards the beginning of the packet (i.e. the IPv6 header) rather than to the extension headers, and the offset field value is zero rather than
0x28.
For more information click here.
.webp "CVE-2024-26229 : Address Validation Flaws In IOCTL With METHOD_NEITHER")
%20(1).webp "Nessusploitable – Targeting Exploitable Nessus Vulnerabilities")
 poc for CVE-2024-38063, a RCE in tcpip.sys patched on August 13th 2024. I didn't find and report this vuln, that){kind=link}