{tocify} $title = {Table of contents}
Microsoft Link: https://technet.microsoft.com/library/security/ms15-034
Metasploit: https://github.com/rapid7/metasploit-framework/pull/5150
DoS script in C language:
- http://www.exploit-db.com/exploits/36773/
- https://ghostbin.com/paste/semkg
DoS script in Python:
- http://pastebin.com/raw.php?i=ypURDPc4
- http://pastebin.com/wWGFFZpG
DoS script with Ruby (@John Woods)
- https://github.com/secjohn/ms15-034-checker
DoS with telnet: https://twitter.com/NexusFandom/status/588254994203303937/photo/1
DoS with wget: https://twitter.com/w3bd3vil/status/588339547898941440
Article: https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
IDA Pro plugin for binary diffing: https://github.com/joxeankoret/diaphora
Shodan: https://www.shodan.io/search?query=IIS
Discussion: https://github.com/rapid7/metasploit-framework/pull/5150
Memory Leak: https://www.cloudshark.org/captures/0132eb74ecd3
XMLRequest: http://pastebin.com/raw.php?i=SbN55M2H
List services that use HTTP.sys: netsh http show iplisten
Snort rule for detection (from https://isc.sans.edu/diary/MS15-034%3A+HTTP.sys+%28IIS%29+DoS+And+Possible+Remote+Code+Execution.+PATCH+NOW/19583):
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: " MS15-034 Range Header HTTP.sys Exploit"; content: "|0d 0a|Range: bytes="; nocase; content: "-"; within: 20 ; byte_test: 10,>,1000000000,0,relative,string,dec ; sid: 1001239;)
(byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger than 1000000000)
Nmap script: