Remote CVE-2024-38063-POC

rubeus

ripper
Please note that this user is banned
Hi

This is not for CVE-2024-3806; it's for CVE-2024-38077.

A working PoC for CVE-2024-3806 has not been released. Maybe you can achieve some BSOD using the published PoC, but achieving RCE is not easy.

To exploit the first CVE, you have to meet some conditions, based on initial analysis. For example, you can't achieve it by sending just 1 IPv6 packet; you need to send it multiple times to get to the vulnerable code.

Right now, I think every PoC for this CVE that is flooding the internet is fake, especially if they say it can achieve code execution.
Hi

About this vuln: for now, no working PoC or exploit has been released at all, so don't test every code or repository on your server or desktop.

But if you want to test the anatomy of the vulnerability and reach the vulnerable code, you can set up a test lab on your own. Now, as the advisory said, the vulnerability is in tcpip.sys; you can debug and set a breakpoint on the Ipv6pProcessOptions function, fire up Scapy and send packets with hop-by-hop and destination options headers (as I hinted in the previous post, don't send just 1 packet; to reach the piece of code you want, you should send multiple packets of it).

It's better to know: if you want to get to the changed function and changed code, you should use the discarding of the sent packet and get a notification back on it:

The Option Type identifiers are internally encoded such that their
highest-order two bits specify the action that must be taken if the
processing IPv6 node does not recognize the Option Type:

00 - skip over this option and continue processing the header.

01 - discard the packet.

10 - discard the packet and, regardless of whether or not the
packet's Destination Address was a multicast address, send an
ICMP Parameter Problem, Code 2, message to the packet's
Source Address, pointing to the unrecognized Option Type.

11 - discard the packet and, only if the packet's Destination
Address was not a multicast address, send an ICMP Parameter
Problem, Code 2, message to the packet's Source Address,
pointing to the unrecognized Option Type.

So you should use this feature to get right to the IppSendErrorList function in the pre-patch version.

Now, based on the structure of IppSendErrorList, you can achieve something like a crash or BSOD from there by sending multiple IPv6 packets. But to achieve RCE, you should implement your own strategy based on this (for now I think nobody has gone further than this).

For the last note, as I said before, for now don't trust published code that says it is a PoC of this vulnerability.

P.S.: if you patch-diff between the version 1 before the patch in Windows 11 builds 3958 and the patched version in the next build, you find just 1 different function, and just 1 line in this function is changed: IppSendErrorList is replaced with IppSendError.
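The Option Type encoding quoted in the post is exactly what a packet-inspection or IDS component checks when it sees Hop-by-Hop or Destination Options headers. As an added example (not the poster's code and not any PoC), here is a small Python parser that walks the option TLVs of one such header, refuses lengths that overrun the header, and reports which unrecognized options would make a receiver discard the packet and reply with ICMPv6 Parameter Problem; the set of "recognized" types and the sample headers are constructed for this example.

```python
# Added example: parse one IPv6 Hop-by-Hop / Destination Options header and
# classify each option by the two high-order bits of its Option Type (RFC 8200).

# Action a receiver takes when it does not recognize the Option Type.
ACTIONS = {0b00: "skip", 0b01: "discard",
           0b10: "discard + ICMPv6 Parameter Problem (even for multicast dst)",
           0b11: "discard + ICMPv6 Parameter Problem (unless multicast dst)"}
KNOWN = {0x00: "Pad1", 0x01: "PadN", 0x05: "RouterAlert", 0xC2: "JumboPayload"}  # assumption: toy subset


def classify_option(opt_type, data=b""):
    """Describe one option: name, unknown-type action, and the 'may change en route' bit."""
    return {"type": opt_type, "name": KNOWN.get(opt_type, "unknown"),
            "known": opt_type in KNOWN, "action": ACTIONS[opt_type >> 6],
            "mutable": bool(opt_type & 0x20), "data": data}


def parse_options_header(raw):
    """Return (next_header, [option dicts]); raise ValueError instead of reading past the header."""
    if len(raw) < 2:
        raise ValueError("truncated header")
    next_header, hdr_ext_len = raw[0], raw[1]
    total = (hdr_ext_len + 1) * 8  # Hdr Ext Len excludes the first 8 octets
    if len(raw) < total:
        raise ValueError("header shorter than Hdr Ext Len claims")
    body, i, opts = raw[2:total], 0, []
    while i < len(body):
        t = body[i]
        if t == 0x00:  # Pad1 is a single octet with no length field
            opts.append(classify_option(t))
            i += 1
            continue
        if i + 1 >= len(body):
            raise ValueError("option length byte missing")
        n = body[i + 1]
        if i + 2 + n > len(body):
            raise ValueError("option data overruns header")
        opts.append(classify_option(t, bytes(body[i + 2:i + 2 + n])))
        i += 2 + n
    return next_header, opts


def elicits_param_problem(opts, dst_is_multicast=False):
    """True if an unrecognized option would make the receiver discard and send Parameter Problem."""
    for o in opts:
        hi = o["type"] >> 6
        if not o["known"] and (hi == 0b10 or (hi == 0b11 and not dst_is_multicast)):
            return True
    return False


# Constructed 8-byte samples (Next Header 58 = ICMPv6, Hdr Ext Len 0).
SAMPLE_ROUTER_ALERT = bytes([58, 0, 0x05, 0x02, 0x00, 0x00, 0x01, 0x00])  # RouterAlert, PadN
SAMPLE_UNKNOWN = bytes([58, 0, 0x80, 0x04, 1, 2, 3, 4])  # unknown type 0x80, action bits 10
```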