STRLCPY/CVE-2022-22965

Add files via upload
alt3kx committed with GitHub 2 years ago

e608ad41

1 parent 14cdb21c

Total 1 files

■ ■ ■ ■ ■ ■

CVE-2022-22965.nse

1	+	description = [[
2	+	Spring Framework 5.2.x / 5.3.x CVE-2022-22965 Remote Code Execution Vulnerability
3	+
4	+	This script looks the existence of CVE-2022-22965 Spring Framework 5.2.x / 5.3.x RCE
5	+	uses a payload "/?class.module.classLoader.URLs%5B0%5D=0" through a GET request
6	+	looking (400) code as response (NON INTRUSIVE)
7	+
8	+	Inspired by:
9	+
10	+	@Twitter thread
11	+	https://twitter.com/RandoriAttack/status/1509298490106593283
12	+
13	+	@ZAP Scan Rule
14	+	https://www.zaproxy.org/blog/2022-04-04-spring4shell-detection-with-zap/
15	+
16	+	Manual inspection:
17	+
18	+	# curl -i -s -k -X $'GET'
19	+	-H $'Host: <target>'
20	+	-H $'User-Agent: alex666'
21	+	-H $'Connection: close'
22	+	$'https://<target>/path/foo/?class.module.classLoader.URLs%5B0%5D=0' \| grep -i 400
23	+
24	+	# curl -i -s -k -X $'GET'
25	+	-H $'Host: <target>'
26	+	-H $'User-Agent: alex666'
27	+	-H $'Connection: close'
28	+	$'https://<target>/path/foo/?class.module.classLoader.DefaultAssertionStatus=nosense' \| grep -i 400
29	+
30	+	References:
31	+	https://github.com/alt3kx/CVE-2022-22965
32	+	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
33	+	https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities
34	+	https://github.com/BobTheShoplifter/Spring4Shell-POC
35	+	https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
36	+	https://www.rapid7.com/blog/post/2022/03/30/spring4shell-zero-day-vulnerability-in-spring-framework
37	+	]]
38	+
39	+	---
40	+	-- @usage
41	+	-- nmap -p <port> --script=./CVE-2022-22965.nse <target>
42	+	--
43	+	-- @examples:
44	+	-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> -Pn
45	+	-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/..;/" -Pn
46	+	-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/" -Pn
47	+	-- nmap -p443,8080 --script=./CVE-2022-22965.nse <target> --script-args=CVE-2022-22965.uri="/path/foo/download/" -Pn --script-trace \| more
48	+	-- nmap -p443,8080 --script=./CVE-2022-22965.nse --script-args=CVE-2022-22965.uri="/examples/" -Pn -iL targets.txt
49	+	--
50	+	-- @output
51	+	-- PORT STATE SERVICE
52	+	-- 443/tcp open https
53	+	-- \| CVE-2022-22965:
54	+	-- \| VULNERABLE:
55	+	-- \| Spring Framework 5.2.x 5.3.x RCE
56	+	-- \| State: VULNERABLE (Exploitable)
57	+	-- \| IDs: CVE:CVE-2022-22965
58	+	-- \| Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
59	+	-- \| to remote code execution (RCE) via data binding.
60	+	-- \| Disclosure date: 2022-03-31
61	+	-- \| References:
62	+	-- \|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
63	+
64	+
65	+	author = "Alex Hernandez aka alt3kx <[email protected]>"
66	+	license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
67	+	categories = {"vuln", "exploit"}
68	+
69	+	local shortport = require "shortport"
70	+	local http = require "http"
71	+	local stdnse = require "stdnse"
72	+	local string = require "string"
73	+	local vulns = require "vulns"
74	+
75	+	portrule = shortport.http
76	+
77	+	local S4S1 = "Tomcat"
78	+	local S4S2 = "springframework"
79	+	local S4S3 = "Tomcat"
80	+	local S4S4 = "Tomcat"
81	+
82	+	--Payloads:
83	+	--GET checker path2 = "/?class.module.classLoader.DefaultAssertionStatus=nosense"
84	+	--GET checker path1 = "/?class.module.classLoader.URLs%5B0%5D=0"
85	+	local S4S_CHECKER_URI = "/?class.module.classLoader.URLs%5B0%5D=0"
86	+
87	+	action = function(host, port)
88	+
89	+	local vuln = {
90	+	title = "Spring Framework 5.2.x 5.3.x RCE",
91	+	state = vulns.STATE.NOT_VULN,
92	+	IDS = { CVE = 'CVE-2022-22965' },
93	+	description = [[
94	+	Within Spring Core, A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable
95	+	to remote code execution (RCE) via data binding.]],
96	+
97	+	references = {
98	+	'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965'
99	+	},
100	+	dates = {
101	+	disclosure = {year = '2022', month = '03', day = '31'},
102	+	},
103	+
104	+	}
105	+
106	+	local report = vulns.Report:new(SCRIPT_NAME, host, port)
107	+
108	+	uri = stdnse.get_script_args("CVE-2022-22965.uri") or S4S_CHECKER_URI
109	+	evil_uri = uri..S4S_CHECKER_URI
110	+
111	+	local options = {header={}}
112	+
113	+	options['header']['User-Agent'] = "Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0"
114	+
115	+	local response = http.get(host, port, evil_uri, { header = { ["Content-Type"] = "application/x-www-form-urlencoded"}})
116	+
117	+	if response.status and response.body then
118	+
119	+	if response.status == 400 and string.find(response.body, S4S1) ~= nil then
120	+	stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 400")
121	+	vuln.state = vulns.STATE.EXPLOIT
122	+	end
123	+	--500 Internal Server Error , Spring Framework 5.2.x / 5.3.x Exceptions
124	+	if response.status == 500 and string.find(response.body, S4S2) ~= nil then
125	+	stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 500")
126	+	vuln.state = vulns.STATE.EXPLOIT
127	+	end
128	+
129	+	if response.status == 200 and string.find(response.body, S4S3) ~= nil then
130	+
131	+	stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 200")
132	+	vuln.state = vulns.STATE.NOT_VULN
133	+	end
134	+
135	+	if response.status == 404 and string.find(response.body, S4S4) ~= nil then
136	+
137	+	stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned 404")
138	+	vuln.state = vulns.STATE.NOT_VULN
139	+	end
140	+
141	+	else
142	+	stdnse.debug2("Apache Tomcat Spring Framework 5.2.x / 5.3.x returned unknow response.")
143	+	vuln.state = vulns.STATE.UNKNOWN
144	+	end
145	+	return report:make_output (vuln)
146	+	end
147	+
148	+

Add files via upload