-
Notifications
You must be signed in to change notification settings - Fork 29
auxiliary enum check_padding_patch
willis
This is a port of the handful of Oracle Padding Vuln scripts that check if the MS10-070 patch has been applied using ScriptResource or WebResource as an indicator.
This is not original work. Creds to Rizzo and Duong original research on the topic, Brian Holyfield's padbuster, and Bernardo Damele for the python port.
https://www.gdssecurity.com/l/t/d.php?k=PadBuster
http://twitter.com/julianor/status/26419702099
http://bernardodamele.blogspot.com/2011/04/ms10-070-padding-oracle-applied-to-net.html
D *** true The required d parameter from either WebResource or ScriptResource
When setting the D
option, utilize the value following /ScriptResource.axd?d=
below:
/ScriptResource.axd?d=2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10
The target website has a ScriptResource.axd resource available and we'd like to test whether or not it is vulnerable to the Oracle Padding Attack. We've identified the following:
http://www.example.com/ScriptResource.axd?d=2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10
So we'd do the following:
set D 2nYOzoKtRvjs-g53K3r7VKmEXeQl_XMNY8nDEwcgwGVcS5Z8b9GanbNdzIgg493kfB_oInMb2DtFFEy5e-ajqdwMbg1F96l10
run