Nmap Development mailing list archives
Re: Get value in IncompleteRead exception
From: Vinamra Bhatia <vinamrabhatia8 () gmail com>
Date: Tue, 14 Mar 2017 03:17:37 +0530
Greetings All,

So I spent my day figuring out the stuff. I was wrong when I said that my response.status is 400 in case of a vulnerable web path. I was getting a nil response when I was trying to do response.post with the specially configured payload. So, I tried to apply the patch sent by you and see if I can get the partial output, but I didn't. response.partial was still returning me nil. I tried going through http.lua code to see what can be done to do that but didn't succeed in that.

I used Wireshark to capture the TCP stream to see what actually I was receiving. I am attaching the Wireshark TCP stream. As the response was broken (the vulnerability is such that we receive a broken response on this particular payload against a vulnerable host, and Content-Type was missing in response.header in the TCP stream attached below), the http.post was only returning nil values.

Anyway, a much cleverer idea has already been implemented in a script for the same issue. I still feel that there should be a way to return partial as it might make things easier in some cases and I will try to work on the same.

Besides, I would love to work on some other vulnerability scripts. It would be great if you can direct me to a few.

Thanks and regards
Vinamra Bhatia
CS Sophomore
BITS Pilani

On Mon, Mar 13, 2017 at 12:27 AM, nnposter <nnposter () users sourceforge net> wrote:
> On 3/12/17 12:26 PM, Vinamra Bhatia wrote:
>> Thanks a lot for the response. However, http.post returns a status code of 400. What I am trying to implement is given in a PoC here: https://github.com/nixawk/labs/blob/master/CVE-2017-5638/exploit-urllib2.py
>> When I run a http.post request with the header as given in the PoC against a vulnerable Apache Struts2 web app set up on my localhost, I get the response.status as 400 and response.body as blank.
>
> The patch only works on incomplete response bodies. If in your case the response processing does not even reach that point then your best bet at this point might be to forego the http library and instead hand-roll the request.
>
> Cheers,
> nnposter
Attachment: TCPStream
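The "partial" value this thread asks for from http.lua is what Python's `http.client` already exposes as `IncompleteRead.partial`, the language of the PoC referenced above. The following is an added example of mine, not NSE or http.lua code: it parses a constructed response shaped like the one described in the mail (a status line, no Content-Type header, a body shorter than its Content-Length) and returns the bytes that did arrive instead of nil; `_CapturedSocket` and the sample byte strings are assumptions made so it runs offline.

```python
import io
import http.client


class _CapturedSocket:
    """Minimal socket stand-in that replays captured bytes (constructed for this example)."""

    def __init__(self, raw: bytes):
        self._raw = raw

    def makefile(self, mode="rb", *args, **kwargs):
        return io.BytesIO(self._raw)


def parse_response(raw: bytes) -> dict:
    """Parse a raw HTTP response while keeping whatever the server sent.

    A body shorter than Content-Length yields partial=True plus the bytes from
    IncompleteRead.partial; a missing or malformed status line yields status=None.
    """
    resp = http.client.HTTPResponse(_CapturedSocket(raw))
    try:
        resp.begin()                      # status line and headers
    except (http.client.HTTPException, ConnectionError) as exc:
        return {"status": None, "content_type": None, "body": b"",
                "partial": True, "error": type(exc).__name__}
    result = {"status": resp.status,
              "content_type": resp.getheader("Content-Type"),  # None when absent
              "partial": False, "error": None}
    try:
        result["body"] = resp.read()      # raises when Content-Length is not satisfied
    except http.client.IncompleteRead as exc:
        result["body"] = exc.partial      # the bytes that did arrive
        result["partial"] = True
        result["error"] = "IncompleteRead: %d more byte(s) expected" % exc.expected
    return result


# Constructed samples, not the TCP stream attached to the mail.
BROKEN = (b"HTTP/1.1 400 Bad Request\r\nContent-Length: 120\r\n"
          b"Connection: close\r\n\r\n<html>partial")   # no Content-Type, short body
INTACT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"

if __name__ == "__main__":
    for raw in (BROKEN, INTACT, b""):
        print(parse_response(raw))
```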
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/