nmap / Seth Jackson / NMAP:HTTP-VULN-CVE2017-5638.NSE
Mar 10, 2017 - 5:53 p.m.

http-vuln-cve2017-5638 NSE Script

2017-03-10 17:53:45
Seth Jackson
nmap.org

EPSS: 0.975

Percentile: 100.0%

Detects whether the specified URL is vulnerable to the Apache Struts Remote Code Execution Vulnerability (CVE-2017-5638).

Script Arguments

http-vuln-cve2017-5638.path

The URL path to request. The default path is “/”.

http-vuln-cve2017-5638.method

The HTTP method for the request. The default method is “GET”.

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap -p <port> --script http-vuln-cve2017-5638 <target>

Script Output

PORT    STATE SERVICE
80/tcp  open  http
| http-vuln-cve2017-5638:
|   VULNERABLE
|   Apache Struts Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2017-5638
|
|     Disclosure date: 2017-03-07
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
|       https://cwiki.apache.org/confluence/display/WW/S2-045
|_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html

Requires

http, shortport, vulns, stdnse, string, rand

description = [[
Detects whether the specified URL is vulnerable to the Apache Struts
Remote Code Execution Vulnerability (CVE-2017-5638).
]]

local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"
local rand = require "rand"

---
-- @usage
-- nmap -p <port> --script http-vuln-cve2017-5638 <target>
--
-- @output
-- PORT    STATE SERVICE
-- 80/tcp  open  http
-- | http-vuln-cve2017-5638:
-- |   VULNERABLE
-- |   Apache Struts Remote Code Execution Vulnerability
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2017-5638
-- |
-- |     Disclosure date: 2017-03-07
-- |     References:
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
-- |       https://cwiki.apache.org/confluence/display/WW/S2-045
-- |_      http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html
--
-- @args http-vuln-cve2017-5638.method The HTTP method for the request. The default method is "GET".
-- @args http-vuln-cve2017-5638.path The URL path to request. The default path is "/".

author = "Seth Jackson"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln" }

portrule = shortport.http

action = function(host, port)
  local vuln = {
    title = "Apache Struts Remote Code Execution Vulnerability",
    state = vulns.STATE.NOT_VULN,
    description = [[
Apache Struts 2.3.5 - Struts 2.3.31 and Apache Struts 2.5 - Struts 2.5.10 are vulnerable to a Remote Code Execution
vulnerability via the Content-Type header.
    ]],
    IDS = {
        CVE = "CVE-2017-5638"
    },
    references = {
        'https://cwiki.apache.org/confluence/display/WW/S2-045',
        'http://blog.talosintelligence.com/2017/03/apache-0-day-exploited.html'
    },
    dates = {
        disclosure = { year = '2017', month = '03', day = '07' }
    }
  }

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  local method = stdnse.get_script_args(SCRIPT_NAME..".method") or "GET"
  local path = stdnse.get_script_args(SCRIPT_NAME..".path") or "/"
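  -- Random marker value, so an echoed header can be tied to this request.
  local value = rand.random_alpha(8)

  -- The Content-Type value carries an OGNL expression that only adds a
  -- response header (X-Check-Struts) containing the marker.
  local header = {
    ["Content-Type"] = string.format("%%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Check-Struts', '%s')}.multipart/form-data", value)
  }

  local response = http.generic_request(host, port, method, path, { header = header })

  -- Report VULNERABLE only if the server answered 200 and echoed the marker.
  if response and response.status == 200 and response.header["x-check-struts"] == value then
    vuln.state = vulns.STATE.VULN
  end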

  return vuln_report:make_output(vuln)
end
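
A defender-side counterpart to the check above, added here as an example and not part of the Nmap script: it triages logged HTTP transactions by flagging Content-Type values that carry an OGNL expression opener, and marks a hit as confirmed when the response meets the script's own success test (status 200 with the X-Check-Struts marker echoed). The log shape, field names and sample records are assumptions constructed for the example, and it goes slightly beyond the page by also flagging `${`, which Struts treats as an expression opener too.

```python
import re

TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"                   # RFC 7230 token characters
MEDIA_TYPE = re.compile(rf"^{TOKEN}/{TOKEN}(\s*;.*)?$")  # type/subtype[; params]
OGNL = re.compile(r"[%$]\{")                             # OGNL expression opener

def header(headers, name):
    """Case-insensitive header lookup; name must be lowercase."""
    return next((v for k, v in headers.items() if k.lower() == name), None)

def triage(entry):
    """Classify one transaction: 'confirmed', 'probe', 'malformed' or 'ok'."""
    ctype = (header(entry["req"], "content-type") or "").strip()
    if OGNL.search(ctype):
        # Same success test as the script: 200 plus the marker echoed back.
        echoed = header(entry["resp"], "x-check-struts")
        if entry["status"] == 200 and echoed and echoed in ctype:
            return "confirmed"
        return "probe"
    if ctype and not MEDIA_TYPE.match(ctype):
        return "malformed"
    return "ok"

# Constructed sample records; the log shape and field names are assumptions.
PROBE = ("%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']"
         ".addHeader('X-Check-Struts', 'qWzRtYpL')}.multipart/form-data")
SAMPLE_LOG = [
    {"src": "198.51.100.7", "status": 200, "req": {"Content-Type": PROBE},
     "resp": {"X-Check-Struts": "qWzRtYpL"}},
    {"src": "198.51.100.7", "status": 200, "req": {"content-type": PROBE},
     "resp": {"Content-Type": "text/html"}},
    {"src": "203.0.113.20", "status": 200,
     "req": {"Content-Type": "multipart/form-data; boundary=----x7MA4YWxk"},
     "resp": {}},
    {"src": "203.0.113.21", "status": 400,
     "req": {"Content-Type": "application json"}, "resp": {}},
    {"src": "203.0.113.22", "status": 200, "req": {}, "resp": {}},
]

def summarize(log):
    """Return (source, verdict) for every transaction that is not 'ok'."""
    return [(e["src"], triage(e)) for e in log if triage(e) != "ok"]

if __name__ == "__main__":
    for src, verdict in summarize(SAMPLE_LOG):
        print(f"{src}\t{verdict}")
```

A "confirmed" verdict means the logged server behaved as the script's VULNERABLE case and should be patched and investigated first; "probe" means the expression was sent but not echoed.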
