├── .gitignore
└── README.md

/.gitignore:
--------------------------------------------------------------------------------
# Prerequisites
*.d

# Compiled Object files
*.slo
*.lo
*.o
*.obj

# Precompiled Headers
*.gch
*.pch

# Compiled Dynamic libraries
*.so
*.dylib
*.dll

# Fortran module files
*.mod
*.smod

# Compiled Static libraries
*.lai
*.la
*.a
*.lib

# Executables
*.exe
*.out
*.app
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE-2022-26809

This is not an exploit or a PoC.

For someone familiar with RPC, using BinDiff on the patched binary is enough to make an exploit.

Constructing a PoC is not complicated.

And it is not complicated to construct the exploit from the PoC.

## CVE-2022-26809 has nothing to do with SMB; it's an RPC vuln where a variety of transports can be used, like TCP/135, SMB/445, etc.

# So apply the patch now!!

# Some src, part 1

```c++
/*++
Function Name: GetCoalescedBuffer
Parameters:
    Message - the message structure that will receive the params
Description:
    This routine will coalesce the buffers in the buffer queue into a single
    buffer and return it in the Message structure. If the RPC_BUFFER_EXTRA
    flag is set, the data is appended to the existing buffer in Message->Buffer.
Returns:
    RPC_S_OK - the function was successful in doing its job
    RPC_S_OUT_OF_MEMORY - ran out of memory.
--*/
RPC_STATUS
OSF_SCALL::GetCoalescedBuffer (
    IN PRPC_MESSAGE Message,
    BOOL fForceExtra
    );

/*++
Function Name: ProcessResponse
Parameters:
Description:
    Process the response data. The first buffer is placed on the buffer queue
    only after alloc_hint bytes have been received.
Returns:
--*/
RPC_STATUS
OSF_CCALL::ProcessResponse (
    IN rpcconn_response *Packet,
    IN PRPC_MESSAGE Message,
    OUT BOOL *pfSubmitReceive
    );
```

# To be continued
--------------------------------------------------------------------------------