Masscanning for MS15-034
So Microsoft has an important web-server bug, so naturally I'd like to scan the Internet for it. I'm running the scan now, but I'm not sure it's going to give any useful results.The bug comes from adding the following header to a web request like the following
Range: bytes=0-18446744073709551615As you can see, it's just a standard (64-bit) integer overflow, where 18446744073709551615 equals -1.
That specific header is harmless, it appears that other variations are the ones that may cause a problem. However, it serves as a useful check to see if the server is patched. If the server is unpatched, it'll return the following error:
HTTP/1.1 416 Requested Range Not SatisfiableFrom the PoC's say, a response that looks like the following means that it is patched:
The request has an invalid header nameHowever, when I run the scan across the Internet, I'm getting the following sorts of responses from servers claiming to be IIS:
HTTP/1.1 200 OK
HTTP/1.1 206 Partial Content
HTTP/1.1 301 Moved Permanently
HTTP/1.1 302 Object moved
HTTP/1.1 302 Found
HTTP/1.1 302 Redirect
HTTP/1.1 401 Unauthorized
HTTP/1.1 403 Forbidden
HTTP/1.1 404 Object Not Found
Continue reading