From afc3d2059c53b6e7ef57a2c1895b8f39bac2cb68 Mon Sep 17 00:00:00 2001
From: henri <henri@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Mon, 29 Aug 2011 21:42:57 +0000
Subject: [PATCH] Added http-vuln-cve2011-3192.nse from Duarte Silva.

---
 CHANGELOG                          |  3 +
 scripts/http-vuln-cve2011-3192.nse | 94 ++++++++++++++++++++++++++++++
 scripts/script.db                  |  1 +
 3 files changed, 98 insertions(+)
 create mode 100644 scripts/http-vuln-cve2011-3192.nse

diff --git a/CHANGELOG b/CHANGELOG
index 0bbcf55a4..28d717845 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added new script http-vuln-cve2011-3192 which checks whether an instance
+  of Apache is vulnerable to a DoS attack exploiting the byterange filter. [Duarte Silva].
+
 o [NSE] Fixed authentication problems in the TNS library that would prevent
   authentication from working against Oracle 11.2.0.2.0 XE [Chris Woodbury]
 
diff --git a/scripts/http-vuln-cve2011-3192.nse b/scripts/http-vuln-cve2011-3192.nse
new file mode 100644
index 000000000..d9bca2a31
--- /dev/null
+++ b/scripts/http-vuln-cve2011-3192.nse
@@ -0,0 +1,94 @@
+description = [[
+This script will check for a denial of service vulnerability that has been
+found in the way the multiple overlapping/simple ranges are handled.
+
+References:
+* http://seclists.org/fulldisclosure/2011/Aug/175
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
+* http://nessus.org/plugins/index.php?view=single&id=55976
+]]
+
+---
+-- @usage
+-- nmap --script http-vuln-cve2011-3192.nse [--script-args http-vuln-cve2011-3192.hostname=nmap.scanme.org] -pT:80,443 <host>
+--
+-- @output
+-- Host script results:
+-- | http-vuln-cve2011-3192:
+-- |_ Apache byterange filter DoS: VULNERABLE
+--
+-- @args http-vuln-cve2011-3192.hostname  Define the host name to be used in the HEAD request sent to the server
+-- @args http-vuln-cve2011-3192.path  Define the request path
+--
+-- changelog
+-- 2011-08-29 Duarte Silva <duarte.silva@serializing.me>
+--   - Removed the "Accept-Encoding" HTTP header
+--   - Removed response header printing
+--   * Changes based on Henri Doreau and David Fifield sugestions
+-- 2011-08-20 Duarte Silva <duarte.silva@serializing.me>
+--   * First version ;)
+-----------------------------------------------------------------------
+
+author = "Duarte Silva <duarte.silva@serializing.me>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln", "safe", "default"}
+
+require "shortport"
+require "http"
+
+portrule =  shortport.http
+
+action = function(host, port)
+    local hostname, path = stdnse.get_script_args('http-vuln-cve2011-3192.hostname',
+        'http-vuln-cve2011-3192.path')
+
+    if not path then
+        path = '/'
+
+        stdnse.print_debug(1, "Setting the request path to '/' since 'http-vuln-cve2011-3192.path' argument is missing.")
+    end
+
+    -- This first request will try to get a code 206 reply from the server by
+    -- sending the innocuous header "Range: byte=0-100" in order to detect
+    -- whether this functionality is available or not.
+    local request_opts = {
+        header = {
+            Range = "bytes=0-100",
+            Connection = "close"
+        },
+        bypass_cache = true
+    }
+
+    if hostname then
+        request_opts.header.Host = hostname
+    end
+
+    local response = http.head(host, port, path, request_opts)
+
+    if not response.status then
+        stdnse.print_debug(1, "%s: Functionality check HEAD request failed for %s (with path '%s').",
+            SCRIPT_NAME, hostname or host.ip, path)
+    elseif response.status == 206 then
+        -- The server handle range requests. Now try to request 11 ranges (one more
+        -- than allowed).
+        -- Vulnerable servers will reply with another code 206 response. Patched
+        -- ones will return a code 200.
+        request_opts.header.Range = "bytes=0-0,1-1,2-2,3-3,4-4,5-5,6-6,7-7,8-8,9-9,10-10"
+
+        response = http.head(host, port, path, request_opts)
+
+        if not response.status then
+            stdnse.print_debug(1, "%s: Invalid response from server to the vulnerability check",
+                SCRIPT_NAME)
+        elseif response.status == 206 then
+            return stdnse.format_output(true, "Apache byterange filter DoS: VULNERABLE")
+        else
+            stdnse.print_debug(1, "%s: Server isn't vulnerable (%i status code)",
+                SCRIPT_NAME, response.status)
+        end
+    else
+        stdnse.print_debug(1, "%s: Server ignores the range header (%i status code)",
+            SCRIPT_NAME, response.status)
+    end
+end
+
diff --git a/scripts/script.db b/scripts/script.db
index 291998678..34f86fb96 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -98,6 +98,7 @@ Entry { filename = "http-trace.nse", categories = { "discovery", "safe", "vuln",
 Entry { filename = "http-userdir-enum.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-vhosts.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-vmware-path-vuln.nse", categories = { "default", "safe", "vuln", } }
+Entry { filename = "http-vuln-cve2011-3192.nse", categories = { "default", "safe", "vuln", } }
 Entry { filename = "http-waf-detect.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "http-wordpress-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "http-wp-enum.nse", categories = { "auth", "discovery", "intrusive", "vuln", } }