Changelog and tool added 16/04/2015:
+ iislap.py : Added very specific KILL flag
+ DoS Exploit for MS-15-034, http.sys Remote Denial of Service/Remote Code Execution, for IIS.
Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
Updates to Exploits 16.04.2015:
+ phpMoAdmin Remote Code Execution (CVE-2015-2208)
+ LotusCMS Remote Code Execution (OSVDB-75095)
+ ElasticSearch Remote Code Execution (CVE-2015-1427)
+ ShellShock (httpd) Remote Code Execution (CVE-2014-6271)
+ IISlap – http.sys Denial of Service/RCE PoC (DoS only). (MS-15-034)
There are no changelogs here, as that would be too much effort; just git commits. Exploits may be updated regularly for greater stability, reliability or stealthiness, so check them for updates regularly.
DoS Exploit for MS-15-034, http.sys Remote Denial of Service/Remote Code Execution, for IIS.
The “http.sys” component in Microsoft Windows is vulnerable to a denial of service or remote code execution exploit. Microsoft is currently withholding the exact details of the vulnerability; however, denial of service exploit code is becoming available in the wild and is in use, hence we decided to release our proof of concept utility for the vulnerability.
The impact of this vulnerability is that it can cause a denial of service condition against the host (“Blue Screen of Death”), or lead to remote code execution in the context of the SYSTEM user on the affected host. This leads either to complete loss of availability, or to complete compromise of confidentiality and integrity of data on the host, with probable loss of availability as well.
To use this exploit/test utility, there are 4 arguments:
+ -t/--target (mandatory): the IP address or hostname of the target host.
+ -p/--port: the target port, which defaults to 80.
+ -s/--ssl: tells it to use SSL (defaults to no SSL).
+ -f/--file: the path to the file you wish to GET on the remote host. This defaults to “/”, the webroot.
It should be noted that the denial of service condition seems to happen reliably if you supply it with a file to GET instead of just the webroot, and this should be taken into account during testing. Static files are the ones to watch out for; dynamic files, such as ones generated by server side scripts (ASP.NET pages, for example), do not tend to lead to the box falling over. If you REALLY want to DoS the box (as a PoC, not recommended!), set the -k or --kill flag. This leads to a far more reliable denial of service condition when combined with -f.
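For anyone testing against their own IIS hosts, the defensive counterpart to the utility above is checking whether Microsoft's documented interim workaround for MS-15-034, disabling IIS kernel caching, is in place until the update is installed. The following PowerShell is an added example and is not part of the Xiphos Research tools; it assumes it is run elevated on the IIS host with the standard WebAdministration module available, and uses the regular `system.webServer/caching` section and its `enableKernelCache` attribute.

```powershell
# Added example (not part of the Xiphos Research repository): audit an IIS host
# for the MS-15-034 kernel-caching workaround and optionally apply it.
# Assumptions: run in an elevated PowerShell session on the IIS host itself,
# with the WebAdministration module (IIS role) installed.
param(
    [switch]$Apply   # pass -Apply to disable kernel caching at the server level
)

Import-Module WebAdministration -ErrorAction Stop

$filter = 'system.webServer/caching'
$serverPath = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, server-wide

# Server-level value. Individual sites may override it, so those are listed too.
$serverSetting = Get-WebConfigurationProperty -Filter $filter -Name enableKernelCache -PSPath $serverPath
Write-Host ("Server-level enableKernelCache: {0}" -f $serverSetting.Value)

foreach ($site in Get-Website) {
    $siteSetting = Get-WebConfigurationProperty -Filter $filter -Name enableKernelCache -PSPath "IIS:\Sites\$($site.Name)"
    Write-Host ("  {0,-30} enableKernelCache: {1}" -f $site.Name, $siteSetting.Value)
}

if ($Apply) {
    # Microsoft's advisory workaround: turn off IIS kernel caching. This costs
    # static-content performance and is a stop-gap, not a substitute for the patch.
    Set-WebConfigurationProperty -Filter $filter -Name enableKernelCache -Value $false -PSPath $serverPath
    Write-Host "Kernel caching disabled server-wide. Install the MS-15-034 update, then re-enable it."
}
```

Run it without arguments to see the current state of every site, and with -Apply to set the workaround. Once the update from the MS-15-034 bulletin is installed (confirm with Get-HotFix against the KB number listed there), kernel caching can be turned back on by setting the same property to $true.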
Usage Global Script:
To use, simply select which payload you want to use (currently only back_python.php is available, but I plan on adding back_php.php and back_perl.php at a later date). This is the “payload.php”. You must also specify a callback host and port, along with the URL of the vulnerable LotusCMS installation.