This is a proof of concept for CVE-2021-31166 ("HTTP Protocol Stack Remote Code Execution Vulnerability"), a use-after-free dereference in http.sys patched by Microsoft in May 2021. According to this tweet, the vulnerability was found by @_mxms and @fzzyhd1.
The bug itself happens in http!UlpParseContentCoding. The function has a local LIST_ENTRY list head and appends an item to it for every content coding it parses. When it's done, it moves the list into the Request structure, but it doesn't NULL out the local list head, so the stale head still reaches every entry. An attacker can then trigger a code path that frees every entry of the local list, leaving them dangling in the Request object.
Here is the bugcheck:
```
KDTARGET: Refreshing KD connection

*** Fatal System Error: 0x00000139 (0x0000000000000003,0xFFFFF90EA867EE40,0xFFFFF90EA867ED98,0x0000000000000000)

KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure.  The corruption
could potentially allow a malicious user to gain control of this machine.
Arguments:
Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).
Arg2: fffff90ea867ee40, Address of the trap frame for the exception that caused the BugCheck
Arg3: fffff90ea867ed98, Address of the exception record for the exception that caused the BugCheck
Arg4: 0000000000000000, Reserved
```
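To make the sequence described above concrete, here is an added user-mode model of the pattern; it is not the PoC's code nor http.sys's. The LIST_ENTRY helpers follow the kernel's inline ones, while the pool, the Request stand-in, the parser, the header value and the trigger for the error path (an empty content coding in the header value) are constructed assumptions, since the page does not show the real ones. The unpatched variant re-anchors the list at the Request head but leaves the local head pointing at the entries, the error path then frees everything still reachable from that head, and the Request teardown trips the same double-remove check that produced the 0x139 bugcheck above. The patched variant differs only by re-initialising the local head after the move.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Windows-style intrusive doubly-linked list, as used throughout http.sys. */
typedef struct _LIST_ENTRY { struct _LIST_ENTRY *Flink, *Blink; } LIST_ENTRY;
static void InitializeListHead(LIST_ENTRY *H) { H->Flink = H->Blink = H; }
static bool IsListEmpty(const LIST_ENTRY *H) { return H->Flink == H; }
static void InsertTailList(LIST_ENTRY *H, LIST_ENTRY *E) {
    E->Flink = H; E->Blink = H->Blink; H->Blink->Flink = E; H->Blink = E;
}
/* Unlink E; false when its neighbours do not point back at it (bugcheck 0x139 Arg1 = 3). */
static bool RemoveEntryList(LIST_ENTRY *E) {
    if (E->Flink->Blink != E || E->Blink->Flink != E) return false;
    E->Blink->Flink = E->Flink; E->Flink->Blink = E->Blink;
    return true;
}

/* Pool-backed coding entries (constructed) so reading a freed one stays defined here. */
typedef struct { LIST_ENTRY Link; bool InUse; } CODING_ENTRY;   /* Link stays first */
static CODING_ENTRY Pool[8];
static LIST_ENTRY Poison = { &Poison, &Poison };   /* freed entries are linked here */
static CODING_ENTRY *PoolAlloc(void) {
    for (size_t i = 0; i < sizeof Pool / sizeof Pool[0]; i++)
        if (!Pool[i].InUse) { Pool[i].InUse = true; return &Pool[i]; }
    return NULL;
}
static void PoolFree(LIST_ENTRY *E) { ((CODING_ENTRY *)E)->InUse = false; E->Flink = E->Blink = &Poison; }

typedef struct { LIST_ENTRY ContentCodings; } REQUEST;   /* stand-in for the Request */

/* Hand the chain from the local head to the Request head. With Patched == false
 * the local head still points at the first and last entry: that is the bug. */
static void MoveList(LIST_ENTRY *From, LIST_ENTRY *To, bool Patched) {
    if (IsListEmpty(From)) InitializeListHead(To);
    else {
        To->Flink = From->Flink; To->Blink = From->Blink;
        To->Flink->Blink = To;   To->Blink->Flink = To;
    }
    if (Patched) InitializeListHead(From);   /* the re-initialisation the fix adds */
}

/* Model of http!UlpParseContentCoding: returns how many entries the error path freed
 * (0 if not taken). The real trigger is not on the page; here an empty coding is assumed. */
static int ParseContentCoding(REQUEST *Req, const char *Hdr, bool Patched) {
    LIST_ENTRY Local; int Count = 0, Freed = 0; bool SawEmpty = false;
    InitializeListHead(&Local);
    for (;;) {   /* one entry per comma-separated, space-trimmed token */
        while (*Hdr == ' ') Hdr++;
        const char *End = strchr(Hdr, ',');
        size_t Len = End ? (size_t)(End - Hdr) : strlen(Hdr);
        while (Len > 0 && Hdr[Len - 1] == ' ') Len--;
        if (Len == 0) SawEmpty = true;
        else {
            CODING_ENTRY *C = PoolAlloc();
            if (!C) break;
            InsertTailList(&Local, &C->Link); Count++;
        }
        if (!End) break;
        Hdr = End + 1;
    }
    MoveList(&Local, &Req->ContentCodings, Patched);   /* the list now belongs to Req */
    if (!SawEmpty) return 0;
    /* Error path: free everything still reachable from the local head. Bounded by
     * Count so the walk cannot run past the chain; the real loop is not on the page. */
    for (LIST_ENTRY *E = Local.Flink; Freed < Count && E != &Local; Freed++) {
        LIST_ENTRY *Next = E->Flink; PoolFree(E); E = Next;
    }
    return Freed;
}

/* Request teardown: unlink and free each entry. Returns false where the kernel would
 * raise KERNEL_SECURITY_CHECK_FAILURE because a freed entry no longer links back. */
static bool FreeRequest(REQUEST *Req) {
    while (!IsListEmpty(&Req->ContentCodings)) {
        LIST_ENTRY *E = Req->ContentCodings.Flink;
        if (!RemoveEntryList(E)) return false;
        PoolFree(E);
    }
    return true;
}

typedef struct { int Freed; bool TeardownOk; } RESULT;   /* what one scenario observed */
static RESULT RunScenario(const char *Hdr, bool Patched) {
    REQUEST Req; RESULT R;
    memset(Pool, 0, sizeof Pool);
    InitializeListHead(&Req.ContentCodings);
    R.Freed = ParseContentCoding(&Req, Hdr, Patched);
    R.TeardownOk = FreeRequest(&Req);
    return R;
}

int main(void) {   /* constructed header value: an empty coding follows "br" */
    for (int P = 0; P <= 1; P++) {
        RESULT R = RunScenario("gzip, deflate, br, ,", P);
        printf("%s: error path freed %d, teardown %s\n", P ? "patched" : "unpatched",
               R.Freed, R.TeardownOk ? "clean" : "double remove (0x139 Arg1 = 3)");
    }
}
```

Saved as, say, uaf_model.c and built with `cc -std=c11 uaf_model.c`, the unpatched run reports three entries freed on the error path and a teardown that would have bugchecked, while the patched run frees nothing there and tears down cleanly. A header value without an empty coding passes on both variants, which is why the bug needs a request that reaches the error path after the list has been handed over.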