
CVE-2022-26809 PoC — Remote Procedure Call Runtime Remote Code Execution Vulnerability

Associated vulnerability: Remote Procedure Call Runtime Remote Code Execution Vulnerability (CVE-2022-26809)

## CVE-2022-26809

This repo is just a small piece of research on the CVE; for a more detailed analysis, please refer [here](http://showlinkroom.me/2022/04/30/Windows-CVE-2022-26809/).   
**UPDATE: 05/19 2022**  
This analysis has not been finished yet.

**UPDATE:05/22 2022**  
The [HuanGMz post](https://paper.seebug.org/1906/) and the [corelight blog](https://corelight.com/blog/another-day-another-dce-rpc-rce) show the real vulnerable point:  

`OSF_CASSOCIATION::ProcessBindAckOrNak`  
![](vul.png)   

This vulnerability is triggered in the same way as [CVE-2021-43893](https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-controller-using-cve-2021-43893/): when an EFSRPC request carrying a **UNC path** is sent to lsass.exe, the victim tries to access that target **as a client**, so the integer overflow is hit on the **client side** of rpcrt4.dll while it processes the response (the bind_ack) from the attacker-controlled server.


If you have a better way to trigger this vuln, feel free to submit an issue or PR :)

### PoC-CVE-2022-26809
_[refer here](https://paper.seebug.org/1906/)_  

Because the vulnerability is triggered in the same way as `CVE-2021-43893`, just clone the [PetitPotam](https://github.com/topotam/PetitPotam) code.

Prepare the environment as shown here:
  
![](prepare.png)  

 - trigger: with PetitPotam
 - victim: with Vulnerable rpcrt4.dll
 - attacker: with attacker-server

1. Run `fake_smb_server.py` on the attacker server after replacing impacket's original `rpcrt.py` (`impacket.dcerpc.v5.rpcrt`) with the modified one from `attacker-server/`; back up the original first. **Because port 445 is already occupied by System on Windows, it is recommended to deploy this service on Linux.**
2. Trigger the victim to access the attacker server with:
```
python petitpotam.py -pipe lsarpc -method DecryptFileSrv -debug "user:password@victim.ip" "\\attacker.path\realfile"
```
3. It usually will not cause a BSoD; enable page heap for `lsass.exe`. (_However, I have not successfully triggered a BSoD, but according to windbg, the integer overflow has been triggered._)



**Old Description**  
Here is the reproduction code for the Windows RPC vuln `CVE-2022-26809`; it is based on [https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/netds/rpc/hello](https://github.com/microsoft/Windows-classic-samples/blob/main/Samples/Win7Samples/netds/rpc/hello).  

### PoC-OSF_SCALL::GetCoalescedBuffer
_My python version is 3.6.7_  
_Not sure whether GetCoalescedBuffer is really involved in CVE-2022-26809, but keeping it here_  
`poc.py` only **tries** to trigger the suspected vulnerable function `OSF_SCALL::GetCoalescedBuffer`; it **will not cause any crash, because the DWORD integer overflow is too hard to reproduce**. `rpcrt.py` is a modified copy of the python package `impacket.dcerpc.v5.rpcrt`; replace the original with it to trigger the vuln (remember to back up the original one :) I believe the `rpcrt.py` has a huge number of bugs).

If it does not work, maybe **wireshark** can help to locate the bug.
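The two overflow sites discussed on this page (the DWORD overflow in `OSF_SCALL::GetCoalescedBuffer` above, and the client-side overflow in `OSF_CASSOCIATION::ProcessBindAckOrNak` in the update) are both length-accumulation bugs. The following is an added example written for this page, not code from the PoC repo and not rpcrt4.dll's actual logic: it models a 32-bit byte counter that sums the lengths of queued DCE/RPC fragments before they are coalesced into one buffer, next to a checked variant. The fragment sizes are constructed, and the assumption that rpcrt4.dll's counter is fed by the 16-bit `frag_length` of each PDU exactly as modelled here is mine, not the page's.

```python
# Added example for this page: a toy model of a DWORD (32-bit) length counter
# wrapping while queued DCE/RPC fragments are coalesced into one buffer.
# This is NOT rpcrt4.dll's code and NOT code from the PoC repo; how rpcrt4.dll
# really computes the coalesced length is an assumption of this model.

DWORD_MAX = 0xFFFFFFFF
# Connection-oriented DCE/RPC PDUs carry a 16-bit frag_length, so a single
# fragment can hold at most 65535 bytes (assumed to bound each queued length).
MAX_FRAG_LEN = 0xFFFF


def coalesce_unchecked(frag_lens):
    """Unchecked model: sum the fragment lengths in DWORD arithmetic (wrapping
    modulo 2**32), "allocate" that many bytes, then copy every fragment in
    full.  Returns (allocated_size, bytes_copied)."""
    total = 0
    for n in frag_lens:
        total = (total + n) & DWORD_MAX  # wraps silently, like a C uint32
    copied = sum(frag_lens)  # the copy loop trusts each fragment's own length
    return total, copied


def would_overflow(frag_lens):
    """True if the running DWORD total of frag_lens would exceed DWORD_MAX."""
    total = 0
    for n in frag_lens:
        if n > DWORD_MAX - total:  # overflow-safe form of total + n > DWORD_MAX
            return True
        total += n
    return False


def coalesce_checked(frag_lens):
    """Hardened model: fail closed instead of wrapping the counter."""
    if would_overflow(frag_lens):
        raise OverflowError("coalesced length would exceed a DWORD")
    return sum(frag_lens)


def fragments_needed_to_wrap(frag_len=MAX_FRAG_LEN):
    """Smallest number of frag_len-byte fragments whose total reaches 2**32."""
    return -(-(DWORD_MAX + 1) // frag_len)  # ceiling division


def heap_overflow_bytes(frag_lens):
    """Bytes the unchecked model would write past its undersized allocation."""
    allocated, copied = coalesce_unchecked(frag_lens)
    return copied - allocated


if __name__ == "__main__":
    # Constructed input: max-size fragments until the DWORD counter wraps.
    count = fragments_needed_to_wrap()
    frags = [MAX_FRAG_LEN] * count
    allocated, copied = coalesce_unchecked(frags)
    print(f"{count} fragments of {MAX_FRAG_LEN} bytes = {copied} bytes queued")
    print(f"DWORD total wraps to {allocated}; {heap_overflow_bytes(frags)} bytes "
          f"would be written past the allocation")
    print("checked model rejects it:", would_overflow(frags))
```

Because every fragment is bounded by its 16-bit `frag_length`, the unchecked counter in this model only wraps once roughly 4 GiB of fragment data has been queued, which is consistent with the README's remark that the DWORD overflow is too hard to reproduce with `poc.py`; whether the real code path can be fed more cheaply is exactly what the linked analyses argue about.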

#### PipeDemo
If necessary, rebuild it with `nmake`.
File Snapshot

```
[4.0K] /data/pocs/8019a6a428592d8c845ea32eeda0b0d279d2a364
├── [4.0K] attacker-server
│   ├── [ 159] fake_smb_server.py
│   ├── [ 250] README.md
│   ├── [ 72K] rpcrt.py
│   ├── [4.0K] srvsvc
│   │   └── [ 10] test.txt
│   └── [ 0] test.txt
├── [1.0K] LICENSE
├── [4.0K] PetitPotam
│   ├── [1.0K] LICENSE
│   ├── [ 18K] petitpotam.py
│   └── [4.8K] README.md
├── [4.0K] pipedemo
│   ├── [ 70] Hello.Acf
│   ├── [9.8K] hello_c.c
│   ├── [ 12K] Helloc.c
│   ├── [ 24K] helloc.exe
│   ├── [ 17K] hello_c.obj
│   ├── [ 32K] helloc.obj
│   ├── [500K] helloc.pdb
│   ├── [2.3K] hello.h
│   ├── [ 468] Hello.Idl
│   ├── [1.8K] Hellop.c
│   ├── [ 16K] hellop.obj
│   ├── [9.4K] hello_s.bak.c
│   ├── [9.4K] hello_s.c
│   ├── [7.8K] Hellos.c
│   ├── [ 22K] hellos.exe
│   ├── [ 16K] hello_s.obj
│   ├── [ 27K] hellos.obj
│   ├── [508K] hellos.pdb
│   ├── [2.3K] Makefile
│   ├── [1.7K] ReadMe.Txt
│   ├── [2.8K] spn.c
│   ├── [ 89] spn.h
│   ├── [ 17K] spn.obj
│   ├── [124K] vc140.pdb
│   └── [ 20K] win32.mak
├── [3.4K] poc.py
├── [ 11K] prepare.png
├── [2.7K] README.md
├── [ 74K] rpcrt.py
└── [ 31K] vul.png

4 directories, 39 files
```