Kl0nEz, Paulino <calderon()websec.mx>NMAP:HTTP-VULN-CVE2015-1635.NSEhttp-vuln-cve2015-1635 NSE Script
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability. The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1, and Windows Server 2012 R2.
References:
Script Arguments
http-vuln-cve2015-1635.uri
URI to use in request. Default: /
slaxml.debug
See the documentation for the slaxml library.
http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent
See the documentation for the http library.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
-
nmap -sV --script vuln <target> -
nmap -p80 --script http-vuln-cve2015-1635.nse <target> -
nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' <target>
Script Output
PORT STATE SERVICE REASON
80/tcp open http syn-ack
| http-vuln-cve2015-1635:
| VULNERABLE:
| Remote Code Execution in HTTP.sys (MS15-034)
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2015-1635
| A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
| caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
| successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
|
| Disclosure date: 2015-04-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
|_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
Requires
local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local rand = require "rand"
description = [[
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability.
The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1,
and Windows Server 2012 R2.
References:
* https://technet.microsoft.com/library/security/MS15-034
]]
---
-- @usage nmap -sV --script vuln <target>
-- @usage nmap -p80 --script http-vuln-cve2015-1635.nse <target>
-- @usage nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' <target>
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-vuln-cve2015-1635:
-- | VULNERABLE:
-- | Remote Code Execution in HTTP.sys (MS15-034)
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2015-1635
-- | A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
-- | caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
-- | successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
-- |
-- | Disclosure date: 2015-04-14
-- | References:
-- | https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
-- @args http-vuln-cve2015-1635.uri URI to use in request. Default: /
---
author = {"Kl0nEz", "Paulino <calderon()websec.mx>"}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}
portrule = shortport.http
local VULNERABLE = "Requested Range Not Satisfiable"
local PATCHED = "The request has an invalid header name"
action = function(host, port)
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = 'Remote Code Execution in HTTP.sys (MS15-034)',
state = vulns.STATE.NOT_VULN,
description = [[
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
]],
IDS = {CVE = 'CVE-2015-1635'},
references = {
'https://technet.microsoft.com/en-us/library/security/ms15-034.aspx'
},
dates = {
disclosure = {year = '2015', month = '04', day = '14'},
}
}
local options = {header={}}
options['header']['Host'] = rand.random_alpha(8)
options['header']['Range'] = "bytes=0-18446744073709551615"
local response = http.get(host, port, uri, options)
if response.status and response.body then
if response.status == 416 and string.find(response.body, VULNERABLE) ~= nil
and string.find(response.header["server"], "Microsoft") ~= nil then
vuln.state = vulns.STATE.VULN
end
if response.body and string.find(response.body, PATCHED) ~= nil then
stdnse.debug2("System is patched!")
vuln.state = vulns.STATE.NOT_VULN
end
end
return vuln_report:make_output(vuln)
end
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%