Nmap Development mailing list archives

Re: [NSE] http-vuln-cve2015-1427 Remote Code Execution in Elastic Search


From: Gyanendra Mishra <anomaly.the () gmail com>
Date: Sat, 14 Mar 2015 15:58:19 +0530

Hi,

Thanks for your help!

On Sat, Mar 14, 2015 at 1:04 AM, Daniel Miller <bonsaiviking () gmail com>
wrote:

> So what is left? I don't like how we don't give any output if we can't
> create the new index. We should either:
>
> 1. create the index as needed without a script-arg (I don't like this
> option), or
> 2. Check the version number (GET / => response.version.number) and set
> LIKELY_VULN if it matches "1.3.[0-7]" or "1.4.[0-2]". Then proceed to
> exploit regardless of version reported and set EXPLOITED if that succeeds.
> Only return nil if it's not Elasticsearch at all.


I too found option 2 better. I implemented the same in the attached script.
Now the script checks the version; if a vulnerable version is found,
it sets vuln_table.state to LIKELY_VULN and updates the port
version. The report table is now returned instead of nil in most places.

Gyanendra

Attachment: http-vuln-cve2015-1427.nse
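The version-check half of option 2, written out as an added NSE-style example (this is not the attached script and not Nmap project code). It assumes only what the thread states: that GET / on an Elasticsearch node returns JSON whose version.number field carries the server version, and that the 1.3.0-1.3.7 and 1.4.0-1.4.2 ranges are the affected ones. It fingerprints the service, records the version on the port, and reports LIKELY_VULN for a matching version; it deliberately stops there and performs no exploitation step, so a non-matching reported version is left as NOT_VULN rather than confirmed either way. The default port 9200 is Elasticsearch's usual HTTP port, assumed here for the portrule.

```lua
local http = require "http"
local json = require "json"
local nmap = require "nmap"
local shortport = require "shortport"
local vulns = require "vulns"

description = [[
Reads the Elasticsearch version from GET / and flags the 1.3.0-1.3.7 and
1.4.0-1.4.2 ranges (CVE-2015-1427) as LIKELY_VULN. Illustrative example
only: it performs no exploitation step.
]]

author = "example (not the attached script)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

-- Assumption: Elasticsearch's HTTP API is on 9200 or a port identified as http.
portrule = shortport.port_or_service({9200}, "http", "tcp")

-- True when the reported version string is inside one of the ranges named
-- in the thread: 1.3.[0-7] or 1.4.[0-2]. Anchored so "1.3.10" does not match.
local function version_is_vulnerable(version)
  if type(version) ~= "string" then return false end
  return version:match("^1%.3%.[0-7]$") ~= nil
      or version:match("^1%.4%.[0-2]$") ~= nil
end

action = function(host, port)
  local vuln_table = {
    title = "Elasticsearch Groovy sandbox bypass (CVE-2015-1427)",
    IDS = { CVE = "CVE-2015-1427" },
    state = vulns.STATE.NOT_VULN,
    description = [[
Elasticsearch 1.3.0-1.3.7 and 1.4.0-1.4.2 report a version affected by
CVE-2015-1427. This check is banner-based and does not confirm exploitability.
]],
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  local response = http.get(host, port, "/")
  if not response or not response.body then return nil end

  -- json.parse returns (status, result); a non-table or missing "version"
  -- means this is not Elasticsearch, which is the only case that returns nil.
  local ok, body = json.parse(response.body)
  if not ok or type(body) ~= "table" or type(body.version) ~= "table" then
    return nil
  end

  local number = body.version.number
  -- Record the fingerprint on the port, as the thread describes.
  port.version.product = "Elasticsearch"
  port.version.version = tostring(number)
  nmap.set_port_version(host, port)

  if version_is_vulnerable(number) then
    vuln_table.state = vulns.STATE.LIKELY_VULN
    vuln_table.extra_info = "Reported version " .. tostring(number)
  end

  -- Always hand back the report table rather than nil once we know it is
  -- Elasticsearch; with --script-args vulns.showall the NOT_VULN case prints too.
  return report:make_output(vuln_table)
end
```

Run it with `nmap -p 9200 --script ./example.nse <host>`; add `--script-args vulns.showall` to see the NOT_VULN output as well. Because the version banner can be altered, a production script would follow this with the EXPLOITED step Daniel describes before asserting anything stronger than LIKELY_VULN.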

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/