Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086) | PT SWARM
Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.
Contents:
• Introduction
• TL;DR
• Recon
• Diffing Microsoft patches in 2021
• Reverse-engineering tcpip.sys
• Baby steps
• High level overview
• Zooming out
• NET_BUFFER & NET_BUFFER_LIST
• The mechanics of parsing an IPv6 packet
• The mechanics of IPv6 fragmentation
• Theory vs practice: Ipv6pReceiveFragment
• Hiding in plain sight
• Manufacturing a packet of the death: chasing phantoms
• Manufacturing a packet of the death: leap of faith
• Conclusion
• Bonus: CVE-2021-24074
Positive Technologies Offensive Team: twitter.com/ptswarm. This is the channel where we share articles/vulnerabilities/scripts/etc, not necessarily authored by us, that we find interesting...