Hello everyone, so now I started to write some n days exploits to learn more real world exploitations. I found this blog post by @chompie in which she explained the CVE-2022-34178 very clearly. So , I will follow this blog post and some more resources in making the final exploits. I will document every step from zero to RCE. Once again ,Thanks @chompie.
Recon
An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPSec is enabled, which could enable a remote code execution exploitation on that machine.
As usual Microsoft doesn't provides much information but the only thing we get to know from this is that it is related to a IPv6 packet , IPSec and it is a RCE. So, for getting more info , we have to do patch diffs of the tcpip.sys file before and after patch. We will use Bindiff , binary diffing tool. It is free and open source.
There is a very handy site that maintains the windows binaries of every update ,Winbindex . You can search for tcpip.sys file in x64 architecture.
On clicking on the show button you can see that this binaries was release on 13 September and the just previous version for that same windows version was released on October. Download these two binaries.
You can any disassembler , I am using Ida Freeware 8.4 sp2 (free) . Load the binaries in IDA and Binexport the binary so that bindiff can diff it.
Open bindiff and create a new workspace, File-> New Workspace . Then, click on diff-> new diff and the add the vulnerable and patched file in the primary and secondary diffs.
After the diffs are loaded , click on the matched functions .
