This is a (rather flaky) poc for CVE-2024-38063, a RCE in tcpip.sys patched on August 13th 2024. I didn’t find and report this vuln, that would be Wei.
pip3 install scapy
pip3 install scapy
python3 cve-2024-38063.py
The easiest way to reproduce the vuln is by using bcdedit /set debug on
on the target system and restarting the machine/VM.
This makes the default network adapter driver kdnic.sys
, which is very happy to coalesce packets.
If you’re trying to reproduce the vuln on a different setup, you’ll need to get the system in a position where it will coalesce the packets you sent. You can read the troubleshooting section below on more details.
You can read this great analysis of the vulnerability by Marcus if you’re interested in the technical details. The details I’ve written below are meant to serve as a summary, rather than serious technical analysis.
NET_BUFFER
object which contains buffered packet data. 0x30
we also have a current-offset field which indicates how far the packet has been parsed. At this stage, the offset value will generally be 0x28
, indicating that the IPv6 header has been parsed but nothing else.tcpip!Ipv6pReceiveDestinationOptions
, a parsing error will result in tcpip!IppSendErrorList
being called. This function calls tcpip!IppSendError
on each packet object in the linked list (starting from the current one).tcpip!IppSendError
has side effects. It “reverts” the buffered packet data back to the start and resets the current-offset field to zero.0x8C
). IppSendError
.0x28
.For more information click here.
Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…
Docker is one of the most widely used containerization platforms. But there may come a…
Introduction Google Dorking is a technique where advanced search operators are used to uncover information…
Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…
What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…
Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…