14
EXPLOITING MS15-034 IN POWERSHELL KIERAN JACOBSEN TECHNICAL LEAD - READIFY @KJACOBSEN – POSHSECURITY.COM

Exploiting MS15-034 In PowerShell

Embed Size (px)

Citation preview

Page 1: Exploiting MS15-034 In PowerShell

EXPLOITING MS15-034 IN POWERSHELL

KIERAN JACOBSENTECHNICAL LEAD - READIFY

@KJACOBSEN – POSHSECURITY.COM

Page 2: Exploiting MS15-034 In PowerShell

‘REMOTE CODE EXECUTION’ -IN HTTP.SYS

Page 3: Exploiting MS15-034 In PowerShell

IF THE BAD GUY CAN EXECUTE CODE ON YOUR BOX, IT ISN’T YOUR BOX

ANYMORE.

Page 4: Exploiting MS15-034 In PowerShell

HTTP.SYS IS EVERYWHERE

Page 5: Exploiting MS15-034 In PowerShell

IIS KERNEL CACHING MODULE

Page 6: Exploiting MS15-034 In PowerShell
Page 7: Exploiting MS15-034 In PowerShell

ARE WE VULNERABLE?

Page 8: Exploiting MS15-034 In PowerShell

REQUEST -> RESPONSE

Page 9: Exploiting MS15-034 In PowerShell

GET / HTTP/1.1HOST: GOOGLE.COMRANGE: BYTES=0-18446744073709551615CONNECTION: CLOSE

Page 10: Exploiting MS15-034 In PowerShell

GET / HTTP/1.1`R`NHOST: GOOGLE.COM`R`NRANGE: BYTES=0-18446744073709551615`R`NCONNECTION: CLOSE `R`N`R`N

Page 11: Exploiting MS15-034 In PowerShell

STREAMS

Page 12: Exploiting MS15-034 In PowerShell

WORKING WITH TCP

Page 13: Exploiting MS15-034 In PowerShell

MS15034.PSM1

Page 14: Exploiting MS15-034 In PowerShell

MORE INFORMATION

• MY WEBSITE – HTTP://POSHSECURITY.COM• TWITTER - @KJACOBSEN• MS15-034 MODULE – HTTP://GITHUB.COM/POSHSECURITY/MS15034 • MICROSOFT SECURITY BULLETIN - HTTPS://

TECHNET.MICROSOFT.COM/EN-US/LIBRARY/SECURITY/MS15-034.ASPX

http://poshsecurity.com/
http://github.com/PoshSecurity/MS15034
https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
https://technet.microsoft.com/en-us/library/security/ms15-034.aspx

Jul - 15 Patches – 5 Critical - 60 CVEs MS15-058 - SQL Server, Remote Code MS15-065 - Security Update for IE MS15-066 - VBScript Scripting

Jul - 15 Patches – 5 Critical - 60 CVEs MS15-058 - SQL Server, Remote Code MS15-065 - Security Update for IE MS15-066 - VBScript Scripting

Documents
Apr - 8 Patches – 2 Critical - 45 CVEs MS15-056 - Cumulative Security Update for IE, Remote Code MS15-057 - Windows Media Player, Remote

Apr - 8 Patches – 2 Critical - 45 CVEs MS15-056 - Cumulative Security Update for IE, Remote Code MS15-057 - Windows Media Player, Remote

Documents
Automate successfully with PowerShell 7...PowerShell 7 - Introduction Windows Linux macOS.NET Framework.NET Core Windows PowerShell 2006 - today PowerShell 7 2016 - today It’s open

Automate successfully with PowerShell 7...PowerShell 7 - Introduction Windows Linux macOS.NET Framework.NET Core Windows PowerShell 2006 - today PowerShell 7 2016 - today It’s open

Documents
Introduction to PowerShell - Be a PowerShell Hero - SPFest workshop

Introduction to PowerShell - Be a PowerShell Hero - SPFest workshop

Technology
Tutoriel PowerShell

Tutoriel PowerShell

Documents
Powershell alias

Powershell alias

Technology
Gestuz MS15

Gestuz MS15

Documents
Windows: H10 - PowerShell...Windows: H10 - PowerShell Pagina 4 van 30 Process Manipulation PowerShell Cmdlet PowerShell alias cmd.exe bash Purpose Get-Process gps, ps tlist, tasklist

Windows: H10 - PowerShell...Windows: H10 - PowerShell Pagina 4 van 30 Process Manipulation PowerShell Cmdlet PowerShell alias cmd.exe bash Purpose Get-Process gps, ps tlist, tasklist

Documents
PowerShell Administrator Guide - Questsupport-public.cfm.quest.com/...powershell_administrator_guide_21.pdfThe PowerShell Administrator Guide contains the ... Microsoft Windows PowerShell

PowerShell Administrator Guide - Questsupport-public.cfm.quest.com/...powershell_administrator_guide_21.pdfThe PowerShell Administrator Guide contains the ... Microsoft Windows PowerShell

Documents
Goodman CB-MS15

Goodman CB-MS15

Documents
PowerShell Studio 2020 is the premier Windows PowerShell ... · PowerShell Studio 2020 is the premier Windows PowerShell integrated scripting and tool-making environment. v Fully-featured

PowerShell Studio 2020 is the premier Windows PowerShell ... · PowerShell Studio 2020 is the premier Windows PowerShell integrated scripting and tool-making environment. v Fully-featured

Documents
PowerShell Intro

PowerShell Intro

Documents
Presentatie powershell

Presentatie powershell

Technology
Guida operativa di Comandi PowerShell per CA … ARCserve...Concetti relativi a PowerShell Capitolo 1: Introduzione 11 Concetti relativi a PowerShell Cmdlet di PowerShell Windows PowerShell

Guida operativa di Comandi PowerShell per CA … ARCserve...Concetti relativi a PowerShell Capitolo 1: Introduzione 11 Concetti relativi a PowerShell Cmdlet di PowerShell Windows PowerShell

Documents
Automation Azure with PowerShell - files.informatandm.comfiles.informatandm.com/...with_PowerShell_Beyond_the_Azure_PowerShell... · #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM PowerShell

Automation Azure with PowerShell - files.informatandm.comfiles.informatandm.com/...with_PowerShell_Beyond_the_Azure_PowerShell... · #ITDEVCONNECTIONS | ITDEVCONNECTIONS.COM PowerShell

Documents
PowerShell Tutorials

PowerShell Tutorials

Documents
Apr - 11 Patches – 4 Critical - 26 CVEs MS15-032 - Cumulative Security Update for IE MS15-033 - Office, Remote Code MS15-034 - HTTP.sys,

Apr - 11 Patches – 4 Critical - 26 CVEs MS15-032 - Cumulative Security Update for IE MS15-033 - Office, Remote Code MS15-034 - HTTP.sys,

Documents
Section 6: Using Windows PowerShell to Manage Group Policy Introducing Windows PowerShell Windows PowerShell Library for Group Policy Windows PowerShell-Based

Section 6: Using Windows PowerShell to Manage Group Policy Introducing Windows PowerShell Windows PowerShell Library for Group Policy Windows PowerShell-Based

Documents
adm.lacitec.on.caadm.lacitec.on.ca/~ymicha/mcours/syscom/MS15 motor control2.pdf · adm.lacitec.on.ca

adm.lacitec.on.caadm.lacitec.on.ca/~ymicha/mcours/syscom/MS15 motor control2.pdf · adm.lacitec.on.ca

Documents
PowerShell DSC PowerShell - static.fnac-static.com · PowerShell DSC Simplifiez et accélérez vos configurations système PowerShell DSC Simplifiez et accélérez vos configurations

PowerShell DSC PowerShell - static.fnac-static.com · PowerShell DSC Simplifiez et accélérez vos configurations système PowerShell DSC Simplifiez et accélérez vos configurations

Documents
MS15 Partitioning single digit numbersnumeracyninjas.org/wp-content/uploads/2015/08/MS15...Partitioning Single Digit Numbers Mental Strategies Complete the daily exercises to focus

MS15 Partitioning single digit numbersnumeracyninjas.org/wp-content/uploads/2015/08/MS15...Partitioning Single Digit Numbers Mental Strategies Complete the daily exercises to focus

Documents
Introduction to PowerShell€¦ · Title: Introduction to PowerShell Author: Peter McEldowney Subject: PowerShell, Active Directory Keywords: powershell, power shell, active directory,

Introduction to PowerShell€¦ · Title: Introduction to PowerShell Author: Peter McEldowney Subject: PowerShell, Active Directory Keywords: powershell, power shell, active directory,

Documents
Leseprobe „Windows PowerShell 5 und PowerShell Core 6“files.hanser.de/Files/Article/ARTK_LPR_9783446453319_0001.pdf · Leseprobe zu „Windows PowerShell 5 und PowerShell Core

Leseprobe „Windows PowerShell 5 und PowerShell Core 6“files.hanser.de/Files/Article/ARTK_LPR_9783446453319_0001.pdf · Leseprobe zu „Windows PowerShell 5 und PowerShell Core

Documents
[Webinar] PowerShell series part 3 – PowerShell and WMI

[Webinar] PowerShell series part 3 – PowerShell and WMI

Software
Windows Powershell 3 - Netz-Weise€¢Powershell-ISE •Integration in ... Windows PowerShell •Workflows bestehen aus den Elementen ... • Don Jones –PowerShell Workflow: When

Windows Powershell 3 - Netz-Weise€¢Powershell-ISE •Integration in ... Windows PowerShell •Workflows bestehen aus den Elementen ... • Don Jones –PowerShell Workflow: When

Documents
Dell Command | PowerShell Provider Version 1.0 …topics-cdn.dell.com/pdf/dell-command-powershell-provider-v1.0_User... · 1 Introduction Dell Command | PowerShell Provider is a PowerShell

Dell Command | PowerShell Provider Version 1.0 …topics-cdn.dell.com/pdf/dell-command-powershell-provider-v1.0_User... · 1 Introduction Dell Command | PowerShell Provider is a PowerShell

Documents
Weltner, Powershell

Weltner, Powershell

Documents
Using PowerShell

Using PowerShell

Documents
Puppet powershell

Puppet powershell

Technology
l M17:-;L1~:Ft °°-5 I =1 030~ I 030 vR M T~2~ L-v … · 024, g,?1roT 034:7 030 034 034 034 034* 034 034 034 034 030 034 034 034 030 030,--/ I Parlywall I T I §/ 5 who I -=---nu

l M17:-;L1~:Ft °°-5 I =1 030~ I 030 vR M T~2~ L-v … · 024, g,?1roT 034:7 030 034 034 034 034* 034 034 034 034 030 034 034 034 030 030,--/ I Parlywall I T I §/ 5 who I -=---nu

Documents