{"uuid": "4d33867a-2238-48e0-b1d9-16f005df6b86", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2021-24086", "type": "published-proof-of-concept", "source": "https://t.me/ptswarm/27", "content": "Windows non-interactive remote BSOD via NULL dereference in tcpip!Ipv6pReassembleDatagram (CVE-2021-24086), from patch diffing and reversing tcpip.sys to PoC, by @doar_e.\n\nContents:\n\u2022 Introduction\n\u2022 TL;DR\n\u2022 Recon\n\u2022 Diffing Microsoft patches in 2021\n\u2022 Reverse-engineering tcpip.sys\n\u2022 Baby steps\n\u2022 High level overview\n\u2022 Zooming out\n\u2022 NET_BUFFER & NET_BUFFER_LIST\n\u2022 The mechanics of parsing an IPv6 packet\n\u2022 The mechanics of IPv6 fragmentation\n\u2022 Theory vs practice: Ipv6pReceiveFragment\n\u2022 Hiding in plain sight\n\u2022 Manufacturing a packet of the death: chasing phantoms\n\u2022 Manufacturing a packet of the death: leap of faith\n\u2022 Conclusion\n\u2022 Bonus: CVE-2021-24074\n\nhttps://doar-e.github.io/blog/2021/04/15/reverse-engineering-tcpipsys-mechanics-of-a-packet-of-the-death-cve-2021-24086/", "creation_timestamp": "2021-04-16T09:26:06.000000Z"}