Improvements on MS15-034 #15442

wants to merge 1 commit into
base: develop
56 changes: 47 additions & 9 deletions w3af/plugins/infrastructure/ms15_034.py
Expand Up @@ -20,10 +20,13 @@

"""
import w3af.core.data.constants.severity as severity
import w3af.core.controllers.output_manager as om

from w3af.core.controllers.plugins.infrastructure_plugin import InfrastructurePlugin
from w3af.core.controllers.exceptions import BaseFrameworkException
from w3af.core.controllers.misc.decorators import runonce
from w3af.core.controllers.exceptions import RunOnce
from w3af.core.data.parsers import parser_cache
from w3af.core.data.dc.headers import Headers
from w3af.core.data.kb.vuln import Vuln

Expand All @@ -38,32 +41,67 @@ class ms15_034(InfrastructurePlugin):
def discover(self, fuzzable_request):
"""
Checks if the remote IIS is vulnerable to MS15-034

Request image files for better detection
"""
url = fuzzable_request.get_url()
headers = Headers([('Range', 'bytes=18-18446744073709551615')])

response = self._uri_opener.GET(url,
image_urls = self._get_images(fuzzable_request)

for url in image_urls:

headers = Headers([('Range', 'bytes=0-18446744073709551615')])

response = self._uri_opener.GET(url,
cache=False,
grep=False,
headers=headers)

if response.get_code() == 416:
desc = ('The target IIS web server is vulnerable to MS15-034 which'
if response.get_code() == 416:
desc = ('The target IIS web server is vulnerable to MS15-034 which'
' allows remote code execution due to a flaw in HTTP.sys')

v = Vuln('MS15-034', desc, severity.HIGH, response.id,
v = Vuln('MS15-034', desc, severity.HIGH, response.id,
self.get_name())
v.set_url(response.get_url())
v.set_url(response.get_url())

self.kb_append_uniq(self, 'ms15_034', v)

break

def _get_images(self, fuzzable_request):
"""
Get all img tags and retrieve the src list.

:param fuzzable_request: The request to modify
:return: A list with containing image sources
"""
res = []

try:
response = self._uri_opener.GET(fuzzable_request.get_uri(),
cache=False)
except:
om.out.debug('Failed to retrieve the page for finding image sources.')
else:
try:
document_parser = parser_cache.dpc.get_document_parser_for(response)
except BaseFrameworkException:
return []

image_path_list = document_parser.get_references_of_tag('img')

for path in image_path_list:
res.append(path)

self.kb_append_uniq(self, 'ms15_034', v)
return res

def get_long_desc(self):
"""
:return: A DETAILED description of the plugin functions and features.
"""
return """
Checks if the remote IIS is vulnerable to MS15-034 by sending one HTTP
request containing the `Range: bytes=18-18446744073709551615` header.
request containing the `Range: bytes=0-18446744073709551615` header.

Warning: In some strange scenarios this test can cause a Denial of
Service.
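Review bot: The new `discover` loop only ever sends the Range probe to URLs returned by `_get_images`, so whenever that helper yields an empty list (a page with no `img` tags, a failed fetch, or the `BaseFrameworkException` branch returning `[]`) the plugin performs no check at all, a silent regression from the single request the old code always sent against `fuzzable_request.get_url()`; keeping the page URL as a fallback, `image_urls = self._get_images(fuzzable_request) or [fuzzable_request.get_url()]`, preserves the previous coverage. The bare `except:` around the `GET` in `_get_images` also swallows `KeyboardInterrupt` and `SystemExit`; it should be narrowed to `except BaseFrameworkException:`, matching the handler already used for the parser call a few lines below, and the trailing `for path in image_path_list: res.append(path)` is simply `return list(image_path_list)`. Whether `get_references_of_tag('img')` returns absolute URLs that `self._uri_opener.GET` accepts is not visible here (the variable is named `image_path_list`), so that is worth confirming before relying on it. The `get_long_desc` text still says the check works "by sending one HTTP request" while `discover` now issues one request per image source until a 416 is seen, which also multiplies the exposure to the Denial of Service the description already warns about; the description should say so.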