From 2f54cb191f08e76e372fc77cfc364ed2bc4d7e45 Mon Sep 17 00:00:00 2001
From: david
Date: Sat, 8 Aug 2009 19:49:05 +0000
Subject: [PATCH] Add the x11-access.nse script by vladz. See http://seclists.org/nmap-dev/2009/q3/0479.html.
---
 CHANGELOG | 5 +++
 scripts/script.db | 2 ++
 scripts/x11-access.nse | 77 ++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 84 insertions(+)
 create mode 100644 scripts/x11-access.nse

diff --git a/CHANGELOG b/CHANGELOG
index 885e7a0a8..244fefd3b 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,4 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
+
+o Added the x11-access.nse script that checks if access to an X11
+ server is allowed (as with "xhost +" for example). The script was
+ written by vladz.
+
 o Added explicit casts to (int)(unsigned char) for arguments to ctype function calls in nmap, ncat and nbase. Thanks to Solar Designer for pointing out the need and fix for this. [Josh]
diff --git a/scripts/script.db b/scripts/script.db
index 80471e7b8..c4923237e 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -14,6 +14,7 @@ Entry { filename = "ftp-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } }
 Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }
+Entry { filename = "http-enum.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "http-open-proxy.nse", categories = { "default", "discovery", "external", "intrusive", } }
 Entry { filename = "http-passwd.nse", categories = { "intrusive", "vuln", } }
@@ -59,3 +60,4 @@ Entry { filename = "sslv2.nse", categories = { "default", "safe", } }
 Entry { filename = "telnet-brute.nse", categories = { "auth", "intrusive", } }
 Entry { filename = "upnp-info.nse", categories = { "default", "safe", } }
 Entry { filename = "whois.nse", categories = { "discovery", "external", "safe", } }
+Entry { filename = "x11-access.nse", categories = { "default", "safe", } }
diff --git a/scripts/x11-access.nse b/scripts/x11-access.nse
new file mode 100644
index 000000000..63c59842f
--- /dev/null
+++ b/scripts/x11-access.nse
@@ -0,0 +1,77 @@
+-- NSE x11-access v1.3
+
+description = [[
+Checks if you're allowed to connect to the X server
+
+If the X server is listening on TCP port 6000+n (where n is the display
+number), it is possible to check if you're able to get connected to the
+remote display by sending a X11 initial connection request.
+
+In reply, the success byte (0x00 or 0x01) will determine if you are in
+the "xhost +" list. In this case, script will display the message: "X
+server access is granted".
+]]
+
+-- @output
+-- Host script results:
+-- |_ x11-access: X server access is granted
+
+author = "vladz "
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"default", "safe"}
+
+portrule = function( host, port )
+ if
+ port.number >= 6000 and port.number <= 6009
+ and string.match(port.service, "^X11")
+ -- If port.version.product is not equal to nil, version
+ -- detection "-sV" has already done this X server test.
+ and port.version.product == nil
+ then
+ return true
+ end
+end
+
+action = function(host, port)
+
+ local result, socket, try, catch
+ socket = nmap.new_socket()
+ catch = function()
+ socket:close()
+ end
+
+ try = nmap.new_try(catch)
+ try(socket:connect(host.ip, port.number))
+
+ -- Sending the network dump of a x11 connection request (captured
+ -- from the XOpenDisplay() function):
+ --
+ -- 0x6c 0x00 0x0b 0x00 0x00 0x00 0x00
+ -- 0x00 0x00 0x00 0x00 0x00 0x00
+ try(socket:send("\108\000\011\000\000\000\000\000\000\000\000\000"))
+
+ -- According to the XOpenDisplay() sources, server answer is
+ -- stored in a xConnSetupPrefix structure [1]. The function
+ -- returns NULL if it does not succeed, and more precisely: When
+ -- the success field of this structure (stored on 1 byte) is not
+ -- equal to xTrue [2]. For more information, see the Xlib
+ -- programming Manual [3].
+ --
+ -- [1] xConnSetupPrefix structure is defined in X11/Xproto.h.
+ -- [2] xTrue = 0x01 according to X11/Xproto.h.
+ -- [3] http://www.sbin.org/doc/Xlib
+
+ result = try(socket:receive_bytes(1))
+ socket:close()
+
+ -- Check if first byte received is 0x01 (xTrue: succeed).
+ if
+ string.match(result, "^\001")
+ then
+ return "X server access is granted"
+ end
+
+ return
+end
+
+
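Review bot: The `string.match(result, "^\001")` check at the end of action drops every other reply silently, so a server that answers with the Failed byte (0x00, which the description itself names as the other possible value) produces the same empty output as a timeout or a refused connection; reporting it at higher verbosity, e.g. `elseif nmap.verbosity() > 1 then return "X server access is denied" end` before the final `return`, would make a negative result distinguishable from a probe that never got an answer. A positive result should also be documented more narrowly: a 0x01 setup reply shows that the server accepted an unauthenticated connection from the scanner's source address, which is what `xhost +` produces but also what an explicit host-list entry for the scanning machine produces, so "you are in the xhost + list" in the description overstates what the script can confirm. The byte dump in the comment above `socket:send` lists 13 bytes as rendered here (seven on the first line, six on the second) while the string actually sent is 12 bytes; one `0x00` should be dropped from the comment so the two agree. Finally, `string.match(port.service, "^X11")` in portrule raises an error if `port.service` is nil, which I believe can happen for a port with no known service name; `port.service and string.match(port.service, "^X11")` avoids that without changing the rule.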