Windows non-interactive remote BSOD via NULL dereference in tc | PT SWARM

Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.

Contents:
• Introduction
• TL;DR
• Recon
• Diffing Microsoft patches in 2021
• Reverse-engineering tcpip.sys
• Baby steps
• High level overview
• Zooming out
• NET_BUFFER & NET_BUFFER_LIST
• The mechanics of parsing an IPv6 packet
• The mechanics of IPv6 fragmentation
• Theory vs practice: Ipv6pReceiveFragment
• Hiding in plain sight
• Manufacturing a packet of the death: chasing phantoms
• Manufacturing a packet of the death: leap of faith
• Conclusion
• Bonus: CVE-2021-24074

https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/

PT SWARM

👨‍🚒 2.98K
Technologies

Positive Technologies Offensive Team: twitter.com/ptswarm. This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting...

Join
▲ Vote (1)

Windows non-interactive remote BSOD via NULL dereference in tc | PT SWARM

Login