From 97bbb0f4fa579c2986c78c8a59c82314ab3c008d Mon Sep 17 00:00:00 2001
From: paulino
Date: Fri, 22 May 2015 04:23:50 +0000
Subject: [PATCH] Adds http-vuln-cve2015-1635 to detect Microsoft Windows systems vulnerable to MS15-034
---
 CHANGELOG | 3 ++
 scripts/http-vuln-cve2015-1635.nse | 85 ++++++++++++++++++++++++++++++
 scripts/script.db | 2 +
 3 files changed, 90 insertions(+)
 create mode 100644 scripts/http-vuln-cve2015-1635.nse
diff --git a/CHANGELOG b/CHANGELOG
index 14174423a..71130a926 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
+o [NSE] Added http-vuln-cve2015-1635 to detect Microsoft Windows systems
+ vulnerable to MS15-034. [Paulino Calderon]
+
 o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of shares specified on command line. [Pierre Lalet]
diff --git a/scripts/http-vuln-cve2015-1635.nse b/scripts/http-vuln-cve2015-1635.nse
new file mode 100644
index 000000000..8fcec54e6
--- /dev/null
+++ b/scripts/http-vuln-cve2015-1635.nse
@@ -0,0 +1,85 @@
+local shortport = require "shortport"
+local http = require "http"
+local stdnse = require "stdnse"
+local string = require "string"
+local vulns = require "vulns"
+
+description = [[
+Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).
+
+The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability.
+The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1,
+and Windows Server 2012 R2.
+
+References:
+* https://technet.microsoft.com/library/security/MS15-034
+]]
+
+---
+-- @usage nmap -sV --script vuln
+-- @usage nmap -p80 --script http-vuln-cve2015-1635.nse
+-- @usage nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/'
+-- @output
+-- PORT STATE SERVICE REASON
+-- 80/tcp open http syn-ack
+-- | http-vuln-cve2015-1635:
+-- | VULNERABLE:
+-- | Remote Code Execution in HTTP.sys (MS15-034)
+-- | State: VULNERABLE (Exploitable)
+-- | IDs: CVE:CVE-2015-1635
+-- | A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
+-- | caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
+-- | successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
+-- |
+-- | Disclosure date: 2015-04-14
+-- | References:
+-- | https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
+-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
+-- @args http-vuln-cve2015-1635.uri URI to use in request. 
Default: /
+---
+
+author = {"Kl0nEz", "Paulino "}
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe"}
+
+portrule = shortport.http
+
+local VULNERABLE = "Requested Range Not Satisfiable"
+local PATCHED = "The request has an invalid header name"
+
+action = function(host, port)
+ local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
+ local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+ local vuln = {
+ title = 'Remote Code Execution in HTTP.sys (MS15-034)',
+ state = vulns.STATE.NOT_VULN,
+ description = [[
+A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
+caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
+successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
+ ]],
+ IDS = {CVE = 'CVE-2015-1635'},
+ references = {
+ 'https://technet.microsoft.com/en-us/library/security/ms15-034.aspx'
+ },
+ dates = {
+ disclosure = {year = '2015', month = '04', day = '14'},
+ }
+ }
+ local options = {header={}}
+ options['header']['Host'] = stdnse.generate_random_string(8)
+ options['header']['Range'] = "bytes=0-18446744073709551615"
+
+ local response = http.get(host, port, uri, options)
+ if response.status and response.body then
+ if response.status == 416 and string.find(response.body, VULNERABLE) ~= nil
+ and string.find(response.header["server"], "Microsoft") ~= nil then
+ vuln.state = vulns.STATE.VULN
+ end
+ if response.body and string.find(response.body, PATCHED) ~= nil then
+ stdnse.debug2("System is patched!")
+ vuln.state = vulns.STATE.NOT_VULN
+ end
+ end
+ return vuln_report:make_output(vuln)
+end
diff --git a/scripts/script.db b/scripts/script.db
index b7dd0ac6d..7eef11a22 100644
--- a/scripts/script.db
+++ b/scripts/script.db
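Review bot: The vulnerable-branch condition in `action` calls `string.find(response.header["server"], "Microsoft")` and will raise an error (string.find on nil) whenever a 416 response with the expected body arrives without a Server header, since the outer guard only checks `response.status` and `response.body`. Read the header into a local with a default first, `local server = response.header["server"] or ""`, and compare with `string.find(server, "Microsoft", 1, true) ~= nil` (plain mode also keeps the match literal). Two documentation mismatches in the same file: the description says `(CVE2015-2015-1635)` while the IDS table says `CVE-2015-1635`, and the sample @output shows `State: VULNERABLE (Exploitable)` although the code only ever sets `vulns.STATE.VULN`, which I believe the vulns library renders as plain `VULNERABLE`; one side of each should be corrected. The inner `if response.body and ...` re-tests a condition the enclosing `if` has already established and can be reduced to the PATCHED check alone.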
@@ -236,6 +236,8 @@ Entry { filename = "http-vuln-cve2014-2126.nse", categories = { "safe", "vuln",
 Entry { filename = "http-vuln-cve2014-2127.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-cve2014-2128.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-cve2014-2129.nse", categories = { "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2015-1427.nse", categories = { "intrusive", "vuln", } }
+Entry { filename = "http-vuln-cve2015-1635.nse", categories = { "safe", "vuln", } }
 Entry { filename = "http-vuln-wnr1000-creds.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-waf-fingerprint.nse", categories = { "discovery", "intrusive", } }