From 0d47952611198ef6b1163f366dc03922d20b1475 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Wed, 17 Apr 2024 09:42:04 +0200 Subject: Adding upstream version 7.94+git20230807.3be01efb1+dfsg. Signed-off-by: Daniel Baumann --- scripts/http-vuln-cve2015-1635.nse | 86 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 scripts/http-vuln-cve2015-1635.nse (limited to 'scripts/http-vuln-cve2015-1635.nse') diff --git a/scripts/http-vuln-cve2015-1635.nse b/scripts/http-vuln-cve2015-1635.nse new file mode 100644 index 0000000..23814e6 --- /dev/null +++ b/scripts/http-vuln-cve2015-1635.nse @@ -0,0 +1,86 @@ +local shortport = require "shortport" +local http = require "http" +local stdnse = require "stdnse" +local string = require "string" +local vulns = require "vulns" +local rand = require "rand" + +description = [[ +Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635). + +The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability. +The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, +and Windows Server 2012 R2. + +References: +* https://technet.microsoft.com/library/security/MS15-034 +]] + +--- +-- @usage nmap -sV --script vuln +-- @usage nmap -p80 --script http-vuln-cve2015-1635.nse +-- @usage nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' +-- @output +-- PORT STATE SERVICE REASON +-- 80/tcp open http syn-ack +-- | http-vuln-cve2015-1635: +-- | VULNERABLE: +-- | Remote Code Execution in HTTP.sys (MS15-034) +-- | State: VULNERABLE (Exploitable) +-- | IDs: CVE:CVE-2015-1635 +-- | A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is +-- | caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who +-- | successfully exploited this vulnerability could execute arbitrary code in the context of the System account. +-- | +-- | Disclosure date: 2015-04-14 +-- | References: +-- | https://technet.microsoft.com/en-us/library/security/ms15-034.aspx +-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635 +-- @args http-vuln-cve2015-1635.uri URI to use in request. Default: / +--- + +author = {"Kl0nEz", "Paulino "} +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +portrule = shortport.http + +local VULNERABLE = "Requested Range Not Satisfiable" +local PATCHED = "The request has an invalid header name" + +action = function(host, port) + local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/" + local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port) + local vuln = { + title = 'Remote Code Execution in HTTP.sys (MS15-034)', + state = vulns.STATE.NOT_VULN, + description = [[ +A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is +caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who +successfully exploited this vulnerability could execute arbitrary code in the context of the System account. + ]], + IDS = {CVE = 'CVE-2015-1635'}, + references = { + 'https://technet.microsoft.com/en-us/library/security/ms15-034.aspx' + }, + dates = { + disclosure = {year = '2015', month = '04', day = '14'}, + } + } + local options = {header={}} + options['header']['Host'] = rand.random_alpha(8) + options['header']['Range'] = "bytes=0-18446744073709551615" + + local response = http.get(host, port, uri, options) + if response.status and response.body then + if response.status == 416 and string.find(response.body, VULNERABLE) ~= nil + and string.find(response.header["server"], "Microsoft") ~= nil then + vuln.state = vulns.STATE.VULN + end + if response.body and string.find(response.body, PATCHED) ~= nil then + stdnse.debug2("System is patched!") + vuln.state = vulns.STATE.NOT_VULN + end + end + return vuln_report:make_output(vuln) +end -- cgit v1.2.3