├── rpcrt4_new.dll
├── rpcrt4_old.dll
├── exploit.py
└── README.md

/rpcrt4_new.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/websecnl/CVE-2022-26809/HEAD/rpcrt4_new.dll
--------------------------------------------------------------------------------

/rpcrt4_old.dll:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/websecnl/CVE-2022-26809/HEAD/rpcrt4_old.dll
--------------------------------------------------------------------------------

/exploit.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# WORK IN PROGRESS
# Date: 14-04-2022
# Website: https://websec.nl
# Discord: https://discord.gg/hackerone
#
# Turns out this is a bit more complicated to replicate.
# There doesn't seem to be any user-supplied input which can trigger the integer overflow.
#
# At this point, I have tried to use BinDiff with IDA to find out the differences, similar to what Marcus Hutchins says in the video explanation.
# I recommend you guys watch it, it's very interesting: https://www.youtube.com/watch?v=GGlwy3_jVYE
#
#
# Anyways, if any of you have any idea what configuration on RPC is required to be set and what the trigger point is to trigger the overflow, then please feel free to report it
# in the GitHub repository issues section; any contribution is greatly appreciated.
#
# Best Regards,
# WebSec
#
# -- ANOTHER NOTE FOR YOUR INFORMATION --
#
# PLEASE BE AWARE THAT THIS IS NOT DISCLOSED AS OF THIS MOMENT.
# ANY OTHER GITHUB REPOSITORY THAT CLONES OUR TEXT WITH A PAYMENT LINK AND PRETENDS TO SELL THIS IS 100% FAKE.
# PLEASE DO NOT LOSE YOUR MONEY!
# THIS WILL BE 100% FREE ONCE WE FIGURE OUT HOW TO REPLICATE THE ISSUE.
#
# -- I will update this file once I figure out more information --
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# CVE description
CVE-2022-26809, a weakness in a core Windows component (RPC), earned a CVSS score of 9.8 not without reason: the attack does not require authentication, can be executed remotely over a network, and can result in remote code execution (RCE) with the privileges of the RPC service, which depend on the process hosting the RPC runtime. That critical bug, with a bit of luck, allows gaining access to an unpatched Windows host running SMB. The vulnerability can be exploited both from outside the network in order to breach it and between machines inside the network.

# Who is vulnerable?
- Windows 10 Pro Build 10.0.10240 x64
- Windows 10 Pro Build 10.0.19042 x64
- Windows 10 Pro Build 10.0.19044 x64
- Windows Server 2019 x64
- Windows Server 2022 x64
- Windows 7 SP3 x64

# Locating the vulnerability
The CVE states that the vulnerability lies within the Windows RPC runtime, which is implemented in a library named rpcrt4.dll. This runtime library is loaded into both client and server processes that use the RPC protocol for communication. We compared versions 10.0.22000.434 (March) and 10.0.22000.613 (patched) and singled out a list of changes.

The functions OSF_SCALL::ProcessReceivedPDU and OSF_CCALL::ProcessResponse are similar in nature; both process RPC packets, but one runs on the server side and the other on the client side (SCALL and CCALL). By diffing OSF_SCALL::ProcessReceivedPDU we noticed two code blocks that were added in the new version.

![163493985-3373746d-6ef5-4079-803c-b8acda5338e9](https://user-images.githubusercontent.com/20278695/163975278-f8a04fdf-22d7-48e9-9caf-f5b49298972e.png)

![163494679-5fc53a11-4f5b-4eda-b185-777af4ae4dd6](https://user-images.githubusercontent.com/20278695/163975316-50bdc459-98b9-4205-a323-a4dee1cda079.png)

Looking at the patched code, we saw that after QUEUE::PutOnQueue a new function is called. Inspecting the new function and diving into its code, we figured out that it checks for integer overflows. In other words, the new function in the patch was added to verify that an integer variable remains within an expected value range.

![163493980-1e060df4-4e9d-454d-bb95-befec63ae22a](https://user-images.githubusercontent.com/20278695/163975337-e936c603-293e-4a45-a284-286265db424a.png)

Diving deeper into the vulnerable code in OSF_SCALL::GetCoalescedBuffer, we noticed that the integer overflow bug could lead to a heap buffer overflow, where data is copied into a buffer that is too small to hold it. This in turn allows data to be written outside the buffer's bounds, on the heap. When exploited, this primitive leads to remote code execution!

The same call to check for integer overflow was added in other functions as well:

- OSF_CCALL::ProcessResponse
- OSF_SCALL::GetCoalescedBuffer
- OSF_CCALL::GetCoalescedBuffer

The integer overflow vulnerability and the function that prevents it exist in both client-side and server-side execution flows.

# PoC Status
Still in development, no ETA.
--------------------------------------------------------------------------------
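The "Locating the vulnerability" section describes the shape of the bug (a 32-bit length sum that wraps, so a coalescing buffer is allocated too small) and the shape of the fix (a range check inserted before the buffer is used). The C below is an added illustration of that pattern, not code from this repository or from rpcrt4.dll: the `frag_t` record, the function names and the constructed fragment lengths are all assumptions made for the example. It shows the unchecked accumulation wrapping to a size smaller than the data, and the checked variant refusing the same input before any allocation happens.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fragment record: one piece of a fragmented RPC PDU waiting to
 * be coalesced. This layout is an assumption for the example, not the real
 * rpcrt4.dll structure. */
typedef struct {
    const uint8_t *data;
    uint32_t len;
} frag_t;

/* Unchecked 32-bit accumulation: the total silently wraps once the fragment
 * lengths exceed UINT32_MAX, yielding a size smaller than the data that will
 * later be copied into the buffer. */
uint32_t total_len_unchecked(const frag_t *frags, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += frags[i].len;
    return total;
}

/* Overflow-checked accumulation, in the spirit of the range check the patch
 * inserts after QUEUE::PutOnQueue. Returns false as soon as a partial sum
 * would wrap, so the caller never allocates from a wrapped size. */
bool total_len_checked(const frag_t *frags, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (frags[i].len > UINT32_MAX - total)
            return false;               /* total + len would exceed UINT32_MAX */
        total += frags[i].len;
    }
    *out = total;
    return true;
}

/* Hardened coalescing: allocate only after the checked total succeeds, so the
 * memcpy loop can never write past the end of the buffer. Returns NULL and
 * sets *out_len to 0 on overflow or allocation failure; the caller frees. */
uint8_t *coalesce_fragments(const frag_t *frags, size_t n, uint32_t *out_len) {
    uint32_t total;
    *out_len = 0;
    if (!total_len_checked(frags, n, &total))
        return NULL;
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return NULL;
    uint32_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(buf + off, frags[i].data, frags[i].len);
        off += frags[i].len;
    }
    *out_len = total;
    return buf;
}

/* Constructed inputs. kBad has a fragment claiming 0xFFFFFFF0 bytes with no
 * backing data: only its length is ever read, never its contents. */
static const frag_t kGood[2] = {
    { (const uint8_t *)"hello", 5 },
    { (const uint8_t *)" world", 6 },
};
static const frag_t kBad[2] = {
    { NULL, 0xFFFFFFF0u },
    { (const uint8_t *)"0123456789abcdef0123456789abcdef", 0x20 },
};

/* Well-formed fragments coalesce into "hello world" (11 bytes). */
bool demo_good_case(void) {
    uint32_t len;
    uint8_t *buf = coalesce_fragments(kGood, 2, &len);
    bool ok = buf && len == 11 && memcmp(buf, "hello world", 11) == 0;
    free(buf);
    return ok;
}

/* The unchecked sum wraps to 0x10, a 16-byte allocation for more than 32
 * bytes of data; the checked path rejects the same input before allocating. */
bool demo_overflow_case(void) {
    uint32_t checked, len;
    bool wrapped = total_len_unchecked(kBad, 2) == 0x10;
    bool rejected = !total_len_checked(kBad, 2, &checked);
    bool no_buffer = coalesce_fragments(kBad, 2, &len) == NULL && len == 0;
    return wrapped && rejected && no_buffer;
}

int main(void) {
    printf("good case coalesced: %s\n", demo_good_case() ? "yes" : "no");
    printf("wrapped size caught: %s\n", demo_overflow_case() ? "yes" : "no");
    return 0;
}
```

The check is deliberately done per partial sum rather than once on the final total, because a wrapped intermediate is already wrong by the time the last fragment is added; this is the same reason the patched runtime validates the range before the value reaches the allocation site.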