
CVE-2021-24086 PoC — Windows TCP/IP Denial of Service Vulnerability

Associated vulnerability: Windows TCP/IP Denial of Service Vulnerability (CVE-2021-24086)

Description: Proof of concept for CVE-2021-24086, a NULL dereference in `tcpip.sys` triggered remotely.

Readme
# CVE-2021-24086

This is a proof of concept for [CVE-2021-24086](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086) ("Windows TCP/IP Denial of Service Vulnerability"), a NULL dereference in `tcpip.sys` patched by Microsoft in February 2021. According to this [tweet](https://twitter.com/metr0/status/1359214923541192704), the vulnerability was found by [@piazzt](https://twitter.com/piazzt). It is triggerable remotely, without authentication, by sending malicious fragmented UDP packets over IPv6 to the target.

![trigger](pics/trigger.gif)

You can read Microsoft's blog post here: [Multiple Security Updates Affecting TCP/IP:  CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086](https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/). It briefly discusses the impact and the workarounds/mitigations; for this CVE the workaround, if the patch cannot be applied, is to disable IPv6 packet reassembly on the host with `netsh int ipv6 set global reassemblylimit=0`.

A more in-depth discussion of the root cause is available on [doar-e.github.io](https://doar-e.github.io/): [Reverse-engineering tcpip.sys: mechanics of a packet of the death (CVE-2021-24086)](https://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/).

![doare](pics/doare.png)

## Running the PoC

Run the `cve-2021-24086.py` script as root against the target's IPv6 address; it requires [Scapy](https://github.com/secdev/scapy). The output below shows the PoC sending the 66 fragments that make up a 0xfff8-byte datagram, followed by one final packet:

```
over@bubuntu:~$ sudo python3 cve-2021-24086.py
66 fragments, total size 0xfff8
..................................................................
Sent 66 packets.
.
Sent 1 packets.
```
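As an added example (this is not the repository's `cve-2021-24086.py`, and it does not reproduce the trigger, whose specifics are in the doar-e write-up), the block below implements the RFC 8200 IPv6 Fragment header encoding and a bounded reassembler in plain Python, with no Scapy dependency. It applies the two length checks RFC 8200 section 4.5 requires of a receiver: every non-final fragment must carry a multiple of 8 octets, and a fragment whose offset plus length would push the reassembled Payload Length past 65535 octets must be discarded. The 1008-byte fragment budget, the identification values, the `unfrag_len` parameter and all helper names are assumptions chosen for this example; the 0xfff8-byte test payload takes only its total size from the PoC output above, and how the script itself splits it is not shown on this page.

```python
# Added example: RFC 8200 IPv6 Fragment header handling with a bounded reassembler.
# Not the cve-2021-24086.py PoC; it shows the length checks a reassembler must apply.
import struct

IPV6_MAX_PAYLOAD = 0xFFFF        # Payload Length is a 16-bit field (RFC 8200 section 3)
FRAG_HDR_LEN = 8                 # Fragment header size (RFC 8200 section 4.5)
MAX_OFFSET_UNITS = 0x1FFF        # Fragment Offset is 13 bits, in 8-octet units
NH_UDP = 17                      # Next Header value for UDP


def build_fragment_header(next_header, offset_units, more, ident):
    """Encode one Fragment header: NH(8) Reserved(8) Offset(13) Res(2) M(1) Identification(32)."""
    if not 0 <= offset_units <= MAX_OFFSET_UNITS:
        raise ValueError("fragment offset does not fit in 13 bits")
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(bool(more)), ident)


def parse_fragment_header(data):
    """Return (next_header, offset_units, more, ident, fragment_payload)."""
    if len(data) < FRAG_HDR_LEN:
        raise ValueError("truncated fragment header")
    next_header, _reserved, off_m, ident = struct.unpack("!BBHI", data[:FRAG_HDR_LEN])
    return next_header, off_m >> 3, bool(off_m & 1), ident, data[FRAG_HDR_LEN:]


def fragment(payload, next_header, ident, max_fragment_len):
    """Split a fragmentable part into Fragment-header-prefixed pieces.

    Every non-final piece carries a multiple of 8 octets, as RFC 8200 requires.
    max_fragment_len is the assumed per-fragment budget (header plus data).
    """
    chunk = (max_fragment_len - FRAG_HDR_LEN) & ~7
    if chunk <= 0:
        raise ValueError("max_fragment_len too small for an 8-octet chunk")
    pieces = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = start + chunk < len(payload)
        pieces.append(build_fragment_header(next_header, start // 8, more, ident) + piece)
    return pieces


def check_fragment(frag, unfrag_len=0):
    """Return None if the fragment passes the RFC 8200 receiver checks, else the reason.

    unfrag_len (assumed parameter) is the length of the unfragmentable part, i.e. the
    extension headers that precede the Fragment header in every fragment. The
    reassembled Payload Length is unfrag_len plus the fragmentable part and must fit
    in 16 bits.
    """
    _nh, offset_units, more, _ident, piece = parse_fragment_header(frag)
    if more and not piece:
        return "empty non-final fragment"
    if more and len(piece) % 8:
        return "non-final fragment length is not a multiple of 8 octets"
    end = offset_units * 8 + len(piece)
    if unfrag_len + end > IPV6_MAX_PAYLOAD:
        return "reassembled Payload Length would exceed 65535 octets"
    return None


class Reassembler:
    """Bounded IPv6 reassembly keyed by Identification; discards oversized datagrams."""

    def __init__(self, unfrag_len=0):
        self.unfrag_len = unfrag_len
        self.pending = {}   # ident -> {"pieces": {start: bytes}, "total": int|None, "nh": int}

    def feed(self, frag):
        """Add one fragment. Returns (next_header, payload) when complete, else None."""
        next_header, offset_units, more, ident, piece = parse_fragment_header(frag)
        reason = check_fragment(frag, self.unfrag_len)
        if reason is not None:
            self.pending.pop(ident, None)           # RFC 8200: discard the whole datagram
            raise ValueError(reason)
        state = self.pending.setdefault(ident, {"pieces": {}, "total": None, "nh": next_header})
        start = offset_units * 8
        state["pieces"][start] = piece
        if not more:
            state["total"] = start + len(piece)     # the final fragment fixes the total length
        return self._complete(ident)

    def _complete(self, ident):
        state = self.pending[ident]
        if state["total"] is None:
            return None
        out, pos = bytearray(), 0
        while pos < state["total"]:
            piece = state["pieces"].get(pos)
            if piece is None:
                return None                          # hole: keep waiting for more fragments
            out += piece
            pos += len(piece)
        del self.pending[ident]
        return state["nh"], bytes(out)


def reassemble(fragments, unfrag_len=0):
    """Feed fragments in the given order; return the first completed datagram or None."""
    r = Reassembler(unfrag_len)
    for frag in fragments:
        result = r.feed(frag)
        if result is not None:
            return result
    return None
```

With a 1008-byte budget a 0xfff8-byte fragmentable part becomes 66 fragments of 1000 octets plus a 528-octet tail, and it reassembles in any order. The limit is tight at that size: the largest encodable offset is 0x1FFF units (0xfff8 bytes), and a single 8-byte extension header in the unfragmentable part is enough to push the reassembled Payload Length past 65535, which `check_fragment` reports.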

# Authors

* Axel '[@0vercl0k](https://twitter.com/0vercl0k)' Souchet
File Snapshot

```
[4.0K] /data/pocs/1017653d7233cd7245ad408d7c57002192086b19
├── [4.0K] binaries
│   ├── [1.9M] tcpip.rel2101.pdb
│   ├── [2.9M] tcpip.rel2101.sys
│   ├── [1.9M] tcpip.rel2102.pdb
│   └── [2.9M] tcpip.rel2102.sys
├── [ 13K] cve-2021-24086.py
├── [1.0K] LICENSE
├── [4.0K] pics
│   ├── [278K] doare.png
│   └── [412K] trigger.gif
└── [1.5K] README.md

2 directories, 9 files
```