
Added CVE-2015-1635 #9123

Merged
merged 6 commits into from
Feb 28, 2024
Merged

Conversation

PhillipoTF2
Contributor

Template / PR Information

Template Validation

I've validated this template locally?

  • YES
  • NO

Additional Details (leave it blank if not applicable)

This is a working template for CVE-2015-1635. I am aware that there was a previous PR for CVE-2015-1635 that was rejected for an insufficient matching condition. I believe that this template should be sufficient. You may notice that I opt to match on the words "HTTP ERROR 416" rather than a status code; this is because during testing I was unable to get it to match on the status code on some versions of Windows Server. If you have any suggested changes it will be great to hear from you :)

Additional References:

@olearycrew
Contributor

Thanks for this contribution @PhillipoTF2

@ritikchaddha
Contributor

Hello @PhillipoTF2, thank you so much for sharing this template with the community and contributing to this project 🍻
We have tried validating this template but have not had any luck. Could you help us with the debug data to validate this template?

@PhillipoTF2
Contributor Author

Hey,
Apologies for the delayed reply. I will be happy to do any debugging on this. I was aware of some previous issues with this template when tested against some versions of Windows Server (I believe 2012 R2 presented some issues with matching against the Status code). Give me around a week or two and I will test this further and make the required changes.

@PhillipoTF2
Contributor Author

Quick update:
I have run this template on Windows Server 2008 R2 and Windows Server 2012 R2. Here are the results:

-------------------------------------
Windows Server 2008 R2 [VULNERABLE]
-------------------------------------

[INF] [CVE-2015-1635] Dumped HTTP request for http://192.168.69.3

GET / HTTP/1.1
Host: 192.168.69.3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Range: bytes=0-18446744073709551615

[DBG] [CVE-2015-1635] Dumped HTTP response http://192.168.69.3

HTTP/1.1 416 Requested Range Not Satisfiable
Connection: close
Content-Length: 362
Accept-Ranges: bytes
Content-Range: bytes */689
Content-Type: text/html
Date: Thu, 22 Feb 2024 13:50:43 GMT
Etag: "402eded61eda1:0"
Last-Modified: Thu, 23 Nov 2023 12:16:45 GMT
Server: Microsoft-IIS/7.5

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>
[CVE-2015-1635:word-1] [http] [critical] http://192.168.69.3


----------------------------------
Windows Server 2008 R2 [PATCHED]
----------------------------------

[INF] [CVE-2015-1635] Dumped HTTP request for http://192.168.69.2

GET / HTTP/1.1
Host: 192.168.69.2
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Range: bytes=0-18446744073709551615

[DBG] [CVE-2015-1635] Dumped HTTP response http://192.168.69.2

HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 339
Content-Type: text/html; charset=us-ascii
Date: Thu, 22 Feb 2024 13:46:11 GMT
Server: Microsoft-HTTPAPI/2.0

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Bad Request</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Bad Request - Invalid Header</h2>
<hr><p>HTTP Error 400. The request has an invalid header name.</p>
</BODY></HTML>
[INF] No results found. Better luck next time!


-------------------------------------
Windows Server 2012 R2 [VULNERABLE]
-------------------------------------

[INF] [CVE-2015-1635] Dumped HTTP request for http://192.168.1.74

GET / HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Range: bytes=0-18446744073709551615

[DBG] [CVE-2015-1635] Dumped HTTP response http://192.168.1.74

HTTP/1.1 416 Requested Range Not Satisfiable
Connection: close
Content-Length: 362
Accept-Ranges: bytes
Content-Range: bytes */29
Content-Type: text/html
Date: Thu, 22 Feb 2024 13:53:34 GMT
Etag: "ede337407b65da1:0"
Last-Modified: Thu, 22 Feb 2024 10:38:19 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Requested Range Not Satisfiable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Requested Range Not Satisfiable</h2>
<hr><p>HTTP Error 416. The requested range is not satisfiable.</p>
</BODY></HTML>
[CVE-2015-1635:word-1] [http] [critical] http://192.168.1.74


-------------------------------------
Windows Server 2012 R2 [PATCHED]
-------------------------------------

[INF] [CVE-2015-1635] Dumped HTTP request for https://192.168.1.74

GET / HTTP/1.1
Host: 192.168.1.74
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Range: bytes=0-18446744073709551615

[DBG] [CVE-2015-1635] Dumped HTTP response https://192.168.1.74

HTTP/1.1 200 OK
Connection: close
Content-Length: 3173
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Thu, 22 Feb 2024 14:00:04 GMT
Server: Microsoft-IIS/8.5
Set-Cookie: ASP.NET_SessionId=kyk003vp3t11ztoh3zsvzhil; path=/; HttpOnly
X-Aspnet-Version: 4.0.30319
X-Powered-By: ASP.NET



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><title>

</title><link href="/resources/root.css" rel="stylesheet" type="text/css" /></head>
<body>
    <div id="TurnOffPanel" class="main">
	
        <div id="MainContent" class="main-content">
            <div id="MainContentInner">
                <div id="SiteContainer">
                    <div id="LogoContainer">
                        <div id="LogoContainerInner">
                            <div id="ProductLogoContainer">
                                <img id="ProductLogo" class="product-logo" src="resources/logo.png" />
                            </div>
                        </div>
                    </div>
                </div>

                <div id="MessageContainer">
		
                    <div id="SiteInfoContainer">

                        <div id="SiteInfo">
                            <div class="server-name">
                                <span>Windows Server 2012 R2 Essentials</span>
                            </div>
                            <div class="site-name">
                                <span>Remote Web Access</span>
                            </div>
                        </div>
                    </div>
                    <div id="MessageArea">
                        <div class="title-panel">
                            <div class="title-text">
                                <span id="TitleLabel">Remote Web Access is turned off</span>
                            </div>
                        </div>
                        <div id="TextPanel" class="text-panel">
			
                            <span id="InfoLabel">To turn on Remote Web Access, you need to have a client computer with Windows Server Essentials Connector installed, and then start the Dashboard to enable Remote Web Access.</span>

		</div>
                        <div class="text-panel">
                            <a id="HelpLink" href="http://go.microsoft.com/fwlink/?LinkId=298661" target="_blank">How do I turn on Remote Web Access?</a>
                        </div>
                    </div>

	</div>
            </div>
        </div>

</div>
    <div id="footer" class="footer">
        <div id="FooterContent" class="footer-content">
            <div id="BrandingFooter">
                <span>
                    <span id="CopyRightLabel" class="footer-item copyright">&copy; 2013 Microsoft</span>
                </span>
                <span>
                    <a id="PrivacyLink" class="footer-link" href="http://go.microsoft.com/fwlink/p/?LinkID=280262">Privacy</a>
                </span>
                <span>
                    <a id="TermsLink" class="footer-link" href="http://www.microsoft.com">Terms</a>
                </span>

            </div>
        </div>
    </div>
</body>
</html>
[INF] No results found. Better luck next time!

From what I can tell the template is working as expected against patched and unpatched test VMs. I have not tested this yet against Windows 7, 8 or 8.1; however, I will test on those systems once I can get a test VM of those spun up.

For this template I did have to match on the words 'HTTP Error 416' rather than the status code 416, as for some reason Windows Server 2012 hosts were not being picked up using the status code. However, matching on the words seems perfectly fine from what I can tell. Please do reply with any more information you need or to bring up any potential issues.
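
To make the matcher logic discussed in this thread concrete, here is an added Python classifier (not the nuclei template's own code) run over responses constructed from the debug output above. It assumes a Server-header gate on Microsoft-IIS / Microsoft-HTTPAPI so that another product's 416 reply to the same Range header is not flagged, and it treats the 400 "invalid header name" reply as the patched signature.

```python
# Constructed sample responses, trimmed to the status line, Server header and
# error-page text quoted in the PR's debug output (not the template's own code).
VULNERABLE_2008R2 = (
    "HTTP/1.1 416 Requested Range Not Satisfiable\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<p>HTTP Error 416. The requested range is not satisfiable.</p>"
)
PATCHED_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Server: Microsoft-HTTPAPI/2.0\r\n\r\n"
    "<p>HTTP Error 400. The request has an invalid header name.</p>"
)
PATCHED_200 = "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\n\r\n<html>ok</html>"
# Constructed: a non-Windows server answering 416 to the same Range header.
OTHER_416 = (
    "HTTP/1.1 416 Range Not Satisfiable\r\nServer: nginx/1.24.0\r\n\r\n"
    "<h1>416 Requested Range Not Satisfiable</h1>"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw):
    """Apply the thread's matcher logic to one captured response."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    # Assumption: only HTTP.sys-fronted servers (IIS / Microsoft-HTTPAPI) count,
    # so an unrelated server's 416 to an unsatisfiable Range is not flagged.
    is_http_sys = server.startswith(("Microsoft-IIS", "Microsoft-HTTPAPI"))
    # Word matcher from the PR: the body text is "HTTP Error 416" (mixed case),
    # so a case-sensitive check must use that exact spelling.
    word_hit = "HTTP Error 416" in body
    if is_http_sys and (word_hit or status == 416):
        return "vulnerable"
    # Patched HTTP.sys rejects the oversized Range with 400 "invalid header name".
    if is_http_sys and status == 400 and "invalid header" in body.lower():
        return "patched"
    return "not-vulnerable"
```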

@ritikchaddha
Contributor

Hello, @PhillipoTF2. Thank you very much for sharing the debug info with us. I've added an additional matcher to the template. Please let us know if everything seems good.

@ritikchaddha ritikchaddha added Done Ready to merge and removed waiting for more info labels Feb 28, 2024
@PhillipoTF2
Contributor Author

Seems fine to me. Happy with the changes. Thanks for your help with this template :)

@DhiyaneshGeek DhiyaneshGeek merged commit 119d73b into projectdiscovery:main Feb 28, 2024
2 checks passed