CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- Access Vector: NETWORK
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE

EPSS: 0.976 High (percentile 100.0%)
![](/Article/UploadPic/2015-4/2015416133146349.png)
HTTP.sys remote code execution vulnerability (CVE-2015-1635, MS15-034)

A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys). It is triggered when HTTP.sys incorrectly parses a specially crafted HTTP request. An attacker who successfully exploits this vulnerability could execute arbitrary code in the context of the System account. https://technet.microsoft.com/zh-cn/library/security/MS15-034
Online detection tool source code:

```php
<?php
class VulnStatus
{
    const FAIL        = 0;
    const VULN        = 1;
    const VULN_NOT_MS = 2;
    const PATCHED     = 3;
    const NOT_VULN    = 4;
    const NOT_VULN_MS = 5;
    const NOT_VULN_CF = 6;

    public static function AsString( $status, $host )
    {
        switch( $status )
        {
            case self::FAIL       : return 'Unable to connect to ' . $host . ' to test for the vulnerability.';
            case self::VULN       : return $host . ' is vulnerable.';
            case self::VULN_NOT_MS: return $host . ' may be vulnerable, but it does not appear to be running IIS.';
            case self::PATCHED    : return $host . ' has been patched.';
            case self::NOT_VULN   : return 'Could not determine the patch status of ' . $host . '; it is not running IIS and is probably not vulnerable.';
            case self::NOT_VULN_MS: return 'Could not determine the patch status of ' . $host . '. It is probably not vulnerable.';
            case self::NOT_VULN_CF: return $host . ' appears to be behind the CloudFlare CDN, so the vulnerability cannot be detected or does not exist.';
        }
        return 'Something seems to have gone wrong.';
    }
}

$host   = false;
$status = false;
// Target comes from ?host=...; a bare hostname is given an http:// scheme so parse_url() works
$url = filter_input( INPUT_GET, 'host', FILTER_SANITIZE_URL );
if( ! empty( $url ) && parse_url( $url, PHP_URL_SCHEME ) === null )
{
    $url = 'http://' . $url;
}
$port = parse_url( $url, PHP_URL_PORT );
if( $port === null )
{
    $port = 80;
}
$url = parse_url( $url, PHP_URL_HOST );
if( $url !== null )
{
    $cachekey  = 'ms15034_' . $url . '_' . $port;
    $cachetime = 300; // 5 minutes
    $host      = htmlspecialchars( $url, ENT_HTML5 );
    if( $port !== 80 )
    {
        $host .= ':' . $port;
    }
    // Results are cached in memcached so repeated lookups do not re-probe the host
    $memcached = new Memcached( );
    $memcached->addServer( '/var/run/memcached/memcached.sock', 0 );
    $status = $memcached->get( $cachekey );
    if( $status === false )
    {
        $fp = @fsockopen( $url, $port, $errno, $errstr, 5 );
        if( $fp === false )
        {
            $status = VulnStatus::FAIL;
        }
        else
        {
            stream_set_timeout( $fp, 5 );
            // The probe: a Range header with an oversized upper bound.
            // Unpatched HTTP.sys answers 416, a patched build rejects it with 400.
            $header  = "GET / HTTP/1.1\r\n";
            $header .= "Host: stuff\r\n";
            $header .= "Range: bytes=0-18446744073709551615\r\n";
            $header .= "Connection: close\r\n\r\n";
            fwrite( $fp, $header );
            $response = fread( $fp, 1024 );
            fclose( $fp );
            if( strpos( $response, 'Requested Range Not Satisfiable' ) !== false )
            {
                $status = strpos( $response, 'Microsoft' ) === false ? VulnStatus::VULN_NOT_MS : VulnStatus::VULN;
            }
            else if( strpos( $response, 'The request has an invalid header name' ) !== false )
            {
                $cachetime = 3600; // a patched result is cached for an hour
                $status    = VulnStatus::PATCHED;
            }
            else if( strpos( $response, 'Microsoft' ) === false )
            {
                if( strpos( $response, '403 Forbidden' ) !== false && strpos( $response, 'cloudflare-nginx' ) !== false )
                {
                    $status = VulnStatus::NOT_VULN_CF;
                }
                else
                {
                    $status = VulnStatus::NOT_VULN;
                }
            }
            else
            {
                $status = VulnStatus::NOT_VULN_MS;
            }
        }
        unset( $fp, $header, $response );
        $memcached->set( $cachekey, $status, $cachetime );
    }
    $status = VulnStatus::AsString( $status, $host );
}
?>
<meta charset="utf-8">
<meta name="theme-color" content="#424242">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>MS15-034 Test</title>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
    .container {
        max-width: 900px;
    }
    .masthead {
        position: relative;
        padding: 20px 0;
        text-align: center;
        color: #fff;
        background-color: #424242;
        margin-bottom: 20px;
    }
    .masthead a {
        color: #fff;
    }
    .footer {
        text-align: center;
        padding: 15px;
        color: #555;
    }
    .footer span {
        color: #FA5994;
    }
    .form-inline {
        text-align: center;
        margin-bottom: 20px;
    }
    .github {
        position: absolute;
        top: 0;
        right: 0;
    }
</style>
<h1>HTTP.sys stack vulnerability testing</h1>
<p>Enter a URL or a hostname to test the server for <a href="https://technet.microsoft.com/en-us/library/security/ms15-034.aspx" target="_blank">MS15-034</a> / <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635" target="_blank">CVE-2015-1635</a>.</p>
```
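As a defender-side complement to the detector above (an added example, not code from the original tool), the following Python parses raw HTTP requests as a reverse proxy or IDS might capture them and flags Range headers whose byte bounds are implausibly large, which is how the MS15-034 probe shown above stands out. The 4 GiB threshold and the sample requests are constructed assumptions.

```python
import re

# Upper bound sent by the PHP detector on this page: 2**64 - 1
PROBE_UPPER_BOUND = 18446744073709551615
# Assumption: legitimate partial downloads stay below 4 GiB; tune for your content
MAX_SANE_BOUND = 2**32 - 1
_RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)

def parse_headers(raw_request: str) -> dict:
    """Map lower-cased header names to values for one raw HTTP/1.x request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def suspicious_range(range_value: str, limit: int = MAX_SANE_BOUND) -> bool:
    """True if any byte bound in a Range header value exceeds `limit`."""
    m = _RANGE_RE.match(range_value)
    if not m:
        return False
    for spec in m.group(1).split(","):       # e.g. "0-499", "500-", "-200"
        for bound in spec.split("-"):
            bound = bound.strip()
            if bound.isdigit() and int(bound) > limit:
                return True
    return False

def scan_requests(requests):
    """Return (request line, Range value) for every request with a suspicious Range."""
    hits = []
    for raw in requests:
        rng = parse_headers(raw).get("range")
        if rng is not None and suspicious_range(rng):
            hits.append((raw.split("\r\n", 1)[0], rng))
    return hits

# Constructed sample traffic: a normal partial download, the MS15-034 probe, a plain GET
SAMPLE_REQUESTS = [
    "GET /video.mp4 HTTP/1.1\r\nHost: www.example.com\r\nRange: bytes=0-1048575\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for req_line, rng in scan_requests(SAMPLE_REQUESTS):
        print(f"possible MS15-034 probe: {req_line} (Range: {rng})")
```

Only the second sample request is reported; a suffix range such as `bytes=-500` or a multi-part range with small bounds passes untouched.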