A critical Windows vulnerability in its HTTP stack ("HTTP.sys"), which was resolved in a recent Microsoft's Patch Tuesday release, could allow remote attackers to execute code on an IIS server with the privileges of the System account. A Proof-of-Concept code to check the existence of this vulnerability was soon to follow. Remote attackers could exploit the way "HTTP.sys" parses requests with a Range header including a very large byte range to crash the server or potentially run their shellcode.




                                                                                POC Information



                                                                    Bug details according to the POC


More details on the available patch could be found in Microsoft’s security builletin MS15-034:



Following user-defined signature will detect and mitigate attempts to exploit this vulnerability while using ASM.

ASM versions including and above 11.2.x:

headercontent: "range"; nocase; re2:"/bytes\s*=.*?[0-9]{10,}\b/Hi";


ASM versions including and below 11.1.x:

headercontent: "range"; nocase; pcre:"/bytes\s*=.*?[0-9]{10,}\b/Hi";