diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 07:42:04 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-17 07:42:04 +0000 |
commit | 0d47952611198ef6b1163f366dc03922d20b1475 (patch) | |
tree | 3d840a3b8c0daef0754707bfb9f5e873b6b1ac13 /scripts/http-vuln-cve2015-1635.nse | |
parent | Initial commit. (diff) | |
download | nmap-0d47952611198ef6b1163f366dc03922d20b1475.tar.xz nmap-0d47952611198ef6b1163f366dc03922d20b1475.zip |
Adding upstream version 7.94+git20230807.3be01efb1+dfsg.upstream/7.94+git20230807.3be01efb1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | scripts/http-vuln-cve2015-1635.nse | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2015-1635.nse b/scripts/http-vuln-cve2015-1635.nse new file mode 100644 index 0000000..23814e6 --- /dev/null +++ b/scripts/http-vuln-cve2015-1635.nse @@ -0,0 +1,86 @@ +local shortport = require "shortport" +local http = require "http" +local stdnse = require "stdnse" +local string = require "string" +local vulns = require "vulns" +local rand = require "rand" + +description = [[ +Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635). + +The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability. +The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, +and Windows Server 2012 R2. + +References: +* https://technet.microsoft.com/library/security/MS15-034 +]] + +--- +-- @usage nmap -sV --script vuln <target> +-- @usage nmap -p80 --script http-vuln-cve2015-1635.nse <target> +-- @usage nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' <target> +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-vuln-cve2015-1635: +-- | VULNERABLE: +-- | Remote Code Execution in HTTP.sys (MS15-034) +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2015-1635 +-- | A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is +-- | caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who +-- | successfully exploited this vulnerability could execute arbitrary code in the context of the System account. +-- | +-- | Disclosure date: 2015-04-14 +-- | References: +-- | https://technet.microsoft.com/en-us/library/security/ms15-034.aspx +-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635 +-- @args http-vuln-cve2015-1635.uri URI to use in request. Default: / +--- + +author = {"Kl0nEz", "Paulino <calderon()websec.mx>"} +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = shortport.http + +local VULNERABLE = "Requested Range Not Satisfiable" +local PATCHED = "The request has an invalid header name" + +action = function(host, port) + local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/" + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local vuln = { + title = 'Remote Code Execution in HTTP.sys (MS15-034)', + state = vulns.STATE.NOT_VULN, + description = [[ +A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is +caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who +successfully exploited this vulnerability could execute arbitrary code in the context of the System account. + ]], + IDS = {CVE = 'CVE-2015-1635'}, + references = { + 'https://technet.microsoft.com/en-us/library/security/ms15-034.aspx' + }, + dates = { + disclosure = {year = '2015', month = '04', day = '14'}, + } + } + local options = {header={}} + options['header']['Host'] = rand.random_alpha(8) + options['header']['Range'] = "bytes=0-18446744073709551615" + + local response = http.get(host, port, uri, options) + if response.status and response.body then + if response.status == 416 and string.find(response.body, VULNERABLE) ~= nil + and string.find(response.header["server"], "Microsoft") ~= nil then + vuln.state = vulns.STATE.VULN + end + if response.body and string.find(response.body, PATCHED) ~= nil then + stdnse.debug2("System is patched!") + vuln.state = vulns.STATE.NOT_VULN + end + end + return vuln_report:make_output(vuln) +end |