parkdream1

ms10-070_check.py

Feb 5th, 2012
  1. #!/usr/bin/env python
  2. #
  3. # PoC for checking if MS10-070 patch is applied by providing a .NET
  4. # application ScriptResource or WebResource resource handler's 'd' block
  5. #
  6. # Credits go to:
  7. #
  8. # * Juliano Rizzo - for the amazing research and hints about the remote
  9. # passive check
  10. # <http://twitter.com/julianor/status/26419702099>
  11. #
  12. # * Brian Holyfield - for his tool to exploit Padding Oracle attacks in a
  13. # generic and easy way
  14. # <https://www.gdssecurity.com/l/t/d.php?k=PadBuster>
  15. #
  16. # * Giorgio Fedon - for initial Perl version of this check
  17. # <http://blog.mindedsecurity.com/2010/09/investigating-net-padding-oracle.html>
  18. #
  19. # * Alejo Murillo Moya - for testing and ideas
  20. #
  21. #
  22. # Copyright (c) 2010 Bernardo Damele A. G. <[email protected]>
  23. #
  24. #
  25. # Example of unpatched system:
  26. #
  27. # * /WebResource.axd?d=kHoDoPikaYfoTe1m9Ol5iQ2
  28. # * /ScriptResource.axd?d=2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10
  29. #
  30. # Examples of patched system:
  31. #
  32. # * /WebResource.axd?d=VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0
  33. # * /ScriptResource.axd?d=Gcb5Zt1XkIPHAYC3l5vZ4QidrZMKISjkqnMQRQDqRD88oxkWIL1kNBQThGrDJBbaKqPd9AyT-jF1EhM-rame5NXv7RLQRhtlz-xfoQlHXf_pjgiBJW7ntGxhegohUeNFlo9x8_RMU6ocDmwwK6dfIRDFbX01
  34.  
  35. import sys
  36.  
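  def base64decode(string):
      """
      Decode a standard-alphabet Base64 string and return the raw bytes.

      The original used the ``str.decode("base64")`` codec, which exists only
      on Python 2. ``base64.b64decode`` does the same job on Python 2 and 3.
      Malformed input (for example wrong padding) raises the decoder's own
      error: ``binascii.Error`` on Python 3, ``TypeError`` on Python 2.
      """
      # Function-scope import: the file's import block only brings in ``sys``.
      import base64

      return base64.b64decode(string)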
  39.  
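  def hexdecode(string):
      """
      Decode a hexadecimal string to raw bytes.

      The input is lower-cased first and an optional leading ``0x`` prefix is
      dropped. The original relied on the Python 2-only ``str.decode("hex")``
      codec; ``binascii.unhexlify`` gives the same result on Python 2 and 3.
      Odd-length or non-hex input raises the decoder's error.
      """
      # Function-scope import: the file's import block only brings in ``sys``.
      import binascii

      digits = string.lower()
      if digits.startswith("0x"):
          digits = digits[2:]

      return binascii.unhexlify(digits)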
  47.  
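  def hexencode(string):
      """
      Return the lowercase hexadecimal representation of *string* as text.

      The original relied on the Python 2-only ``str.encode("hex")`` codec.
      ``binascii.hexlify`` is used instead so the helper runs on Python 2 and 3
      and still returns a native ``str`` on both.
      """
      # Function-scope import: the file's import block only brings in ``sys``.
      import binascii

      if not isinstance(string, (bytes, bytearray)):
          # Text input: map each character to one byte, which matches how a
          # Python 2 byte string would have been treated.
          string = string.encode("latin-1")

      hexed = binascii.hexlify(string)
      # hexlify() returns bytes on Python 3 and str on Python 2.
      return hexed if isinstance(hexed, str) else hexed.decode("ascii")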
  50.  
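  def dotNetUrlTokenDecode(string):
      """
      Decode a .NET URL token (a resource handler's 'd' block) to raw bytes.

      Ported from web64Decode() in padbuster v0.3 by Brian Holyfield. The
      URL-safe characters ``-`` and ``_`` are mapped back to ``+`` and ``/``.
      When the last character is a digit, it is removed and that many ``=``
      padding characters are appended before Base64-decoding.

      Raises ValueError for an empty token. Malformed Base64 raises whatever
      base64decode() raises.
      """
      if not string:
          # Without this guard the [-1] lookup below fails with a bare
          # IndexError that tells the operator nothing about the input.
          raise ValueError("empty 'd' block")

      token = string.replace("-", "+").replace("_", "/")
      pad_count = token[-1]

      if pad_count.isdigit():
          token = token[:-1] + "=" * int(pad_count)

      # Only the length of the decoded bytes is used by the caller; the
      # content is opaque data supplied by the server being checked.
      return base64decode(token)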
  76.  
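  def usage():
      """
      Print the command-line help text to standard output.

      The original used the Python 2 ``print`` statement, which is a
      SyntaxError on Python 3 and stops the whole script from loading. A
      single-argument ``print(...)`` produces the same output on both.
      """
      help_lines = [
          "",
          "Use:",
          "",
          "./ms10-070_check.py <encrypted_d_block>",
          "",
          "Note:",
          "",
          "Encrypted 'd' block MUST be from ScriptResource.axd or WebResource.axd.",
          "Parse the application response body to find a valid one.",
          "",
          "Examples:",
          "",
          "With ScriptResource.axd 'd' block:",
          "$ ./ms10-070_check.py 2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10",
          "Your application is VULNERABLE, patch against MS10-070",
          "",
          "With WebResource.axd 'd' block:",
          "./ms10-070_check.py VHYaLecZ91Zjq-_4mV3ftpYrTteh9kHzk9zwLyjpAZAOjWL3nbx1SmIeGdHJwBu_koMj8ZGAqrtxCJkW0",
          "Your application is NOT vulnerable",
          "",
      ]
      # Joining explicit lines keeps the emitted text independent of how this
      # function happens to be indented in the file.
      print("\n".join(help_lines))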
  98.  
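  def main():
      """
      Report whether the 'd' block passed as the first argument looks like it
      came from a server that is missing the MS10-070 patch.

      The verdict is a passive length heuristic and nothing more: a decoded
      length that is a multiple of 8 is reported as unpatched, any other
      length as patched. It is only meaningful for a complete, unmodified 'd'
      value taken from WebResource.axd or ScriptResource.axd. A truncated or
      altered value can produce either answer, so treat the output as an
      indicator and confirm the installed update through patch management.

      Exits with status 1 when no argument is given or the argument cannot be
      decoded.
      """
      # Function-scope import: the file's import block only brings in ``sys``.
      import binascii

      if len(sys.argv) < 2:
          usage()
          sys.exit(1)

      try:
          decoded = dotNetUrlTokenDecode(sys.argv[1])
      except (ValueError, TypeError, IndexError, binascii.Error) as err:
          # Bad padding or an empty argument is an input error, not a verdict.
          sys.exit("Invalid 'd' block: %s" % err)

      if not decoded:
          # A zero-length result would satisfy "% 8 == 0" below and be
          # reported as VULNERABLE, which would be a false positive.
          sys.exit("Invalid 'd' block: it decodes to zero bytes")

      # NOTE(review): 8 is presumably the cipher block granularity. The check
      # assumes a patched server's token carries extra bytes, so its length
      # is no longer a whole number of blocks. Confirm against the research
      # credited in the file header.
      if len(decoded) % 8 == 0:
          print("Your application is VULNERABLE, patch against MS10-070")
      else:
          print("Your application is NOT vulnerable")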
  108.  
  # Run the check only when executed as a script, not when imported.
  if "__main__" == __name__:
      main()