Nmap Development mailing list archives

Re: [NSE] Script to detect remote code execution in Microsoft Windows systems (MS15-034)


From: Paulino Calderon Pale <paulino () calderonpale com>
Date: Thu, 21 May 2015 23:32:08 -0500

Hey,

I finally got around to testing and updating this script. I added a check to only match systems with Microsoft banners to reduce the number of false positives from Nginx boxes:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-vuln-cve2015-1635.nse

Needless to say there are still a lot of vulnerable boxes out there. I’ve committed the script in r34508.

=)

On May 4, 2015, at 11:32 AM, Paulino Calderon Pale <paulino () calderonpale com> wrote:

Hi list,

Did anyone have a chance to test this? Someone suggested using the status code to detect more instances:
https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/6.x/http-vuln-cve2015-1635.nse

It worked correctly against the vulnerable instances I had access to, but I’d like to wait before committing to see if anyone else has more information that will help the script improve its effectiveness.

Cheers.

On Apr 15, 2015, at 3:00 PM, Paulino Calderon Pale <paulino () calderonpale com> wrote:

Hi list,

I came across this (http://pastebin.com/HeBDTenr) =)

-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2015-1635:
-- |   VULNERABLE:
-- |   Remote Code Execution in HTTP.sys (MS15-034)
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2015-1635
-- |       A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
-- |       caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
-- |       successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
-- |
-- |     Disclosure date: 2015-04-14
-- |     References:
-- |       https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635


Script:
https://github.com/cldrn/nmap/blob/master/scripts/http-vuln-cve2015-1635.nse
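
The two refinements discussed in this thread (matching on the response status code, then gating the result on a Microsoft Server banner so Nginx boxes are not reported) can be illustrated as a small response classifier. This is an added example, not code from the NSE script or the Nmap project; the banner substrings, the placeholder status code 400 and the sample responses are constructed assumptions, since the thread does not state which status the script matches on.

```python
import re

# Assumption: substrings treated as a Microsoft banner. IIS reports "Microsoft-IIS/x.y";
# the HTTP.sys kernel driver itself answers some requests as "Microsoft-HTTPAPI/2.0".
MICROSOFT_BANNERS = ("microsoft-iis", "microsoft-httpapi")


def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, {lowercased-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def is_microsoft_banner(headers):
    """True when the Server header names IIS or HTTP.sys; a missing header is not a match."""
    server = headers.get("server", "").lower()
    return any(b in server for b in MICROSOFT_BANNERS)


def classify(raw, expected_status):
    """'no-match' if the status differs, 'banner-mismatch' if the status matches but the
    banner is not Microsoft (the Nginx false-positive case), otherwise 'match'."""
    status, headers = parse_response_head(raw)
    if status != expected_status:
        return "no-match"
    if not is_microsoft_banner(headers):
        return "banner-mismatch"
    return "match"


# Constructed sample responses; 400 is a placeholder for the status the script looks for.
SAMPLES = {
    "iis": b"HTTP/1.1 400 Bad Request\r\nServer: Microsoft-HTTPAPI/2.0\r\nContent-Length: 0\r\n\r\n",
    "nginx": b"HTTP/1.1 400 Bad Request\r\nServer: nginx/1.6.2\r\nContent-Length: 0\r\n\r\n",
    "iis_other_status": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nContent-Length: 0\r\n\r\n",
    "no_server_header": b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-18s %s" % (name, classify(raw, 400)))
```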

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/