Microsoft Windows HTTP.sys Range Integer Overflow Memory Disclosure Exploit (MS15-034)

The code that handles the 'Range' HTTP header in the HTTP.sys driver in Microsoft Windows, which is used by Internet Information Services (IIS), is prone to an integer overflow vulnerability when processing a specially crafted HTTP request with a very long upper range. This integer overflow vulnerability can be leveraged to generate a memory disclosure condition, in which the HTTP.sys driver will return more data than it should from kernel memory, thus allowing remote unauthenticated attackers to obtain potentially sensitive information from the affected server.

This module will check if the target machine is vulnerable and it will try to dump memory contents to the Module Log window. This memory dump may contain sensitive data, as explained above.

The vulnerability affects systems in which IIS has kernel-mode caching enabled; note that this setting is enabled by default. Since this issue is tied to the kernel-mode caching feature, you must specify a static resource in the 'TARGET URL' parameter, such as a GIF/JPG/PNG/ZIP/HTML file. This module will not work if you run it against a dynamic resource like an ASP/ASPX page.

This module works against both plain HTTP and HTTPS websites. This module supports both direct connection to the target machine and connection through an HTTP proxy. This can be configured in the Tools -> Options -> Network menu of Core Impact. When connecting to the target system through an HTTP proxy, the module will only work against HTTPS websites, since the specially crafted ranges in plain HTTP requests sent by this module are usually rewritten by popular proxy software like Squid.

When the memory disclosure is successfully exploited, the output will typically include parts of the requested file and parts of leaked memory contents, the latter being usually at the end of the received data.
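On the detection side, the oversized upper range described above can be spotted by parsing the Range header of each request. The following is an added example, not part of the Core Impact module or of Microsoft's code; the record layout (client, URL, Range header, as a proxy or WAF might log them), the 1 TiB size threshold and all function names are assumptions.

```python
import re

U64_MAX = 2**64 - 1
# Assumption for this example: no static file on the site is larger than 1 TiB.
MAX_PLAUSIBLE_OFFSET = 2**40
_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

def inspect_range(value):
    """Return findings for one Range header value; an empty list means clean."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []  # only byte ranges are in scope
    findings = []
    for spec in specs.split(","):
        m = _SPEC.match(spec)
        if not m or not (m.group(1) or m.group(2)):
            findings.append(("malformed", spec.strip()))
            continue
        # The last-byte position (or the suffix length in "-N") is the bound to check.
        if not m.group(2):
            continue  # open-ended "N-": no upper bound supplied
        upper = int(m.group(2))
        if upper > U64_MAX:
            findings.append(("exceeds-uint64", spec.strip()))
        elif upper >= 2**63:
            findings.append(("upper-bound-needs-unsigned-64", spec.strip()))
        elif upper > MAX_PLAUSIBLE_OFFSET:
            findings.append(("implausible-upper-bound", spec.strip()))
    return findings

def scan(records):
    """records: iterable of (client, url, range_header); return flagged ones."""
    return [(c, u, f) for c, u, r in records if (f := inspect_range(r))]

# Constructed sample records (not real traffic); addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", "/images/logo.png", "bytes=0-499"),
    ("192.0.2.10", "/downloads/setup.zip", "bytes=1048576-"),
    ("192.0.2.77", "/images/logo.png", f"bytes=0-{U64_MAX}"),
    ("192.0.2.77", "/index.html", "bytes=0-99, 200-9999999999999999"),
    ("192.0.2.78", "/index.html", "bytes=abc-def"),
]

if __name__ == "__main__":
    for client, url, findings in scan(SAMPLE):
        print(client, url, findings)
```

Because the issue is tied to kernel-mode caching, hits against static resources (images, archives, HTML files) are the ones to prioritise when reviewing flagged records.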