PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-18 13:39:02 +00:00
Code Issues Projects Releases Wiki Activity

Added smb-vuln-ms10-061 script from my dev branch

Browse Source
This commit is contained in:
aca
2012-07-30 09:48:03 +00:00
parent 68b2efd3db
commit 4c4ce195df
3 changed files with 173 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG
View File

@@ -1,7 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added spoolss functions and constrants to msrpc.lua o [NSE] Added smb-vuln-ms10-61 script which checks the target system for MS10-061
[Aleksandar Nikolic] vulenrability in spoolss service in a safe way. [Aleksandar Nikolic]
o [NSE] Added spoolss functions and constrants to msrpc.lua. [Aleksandar Nikolic]
o [NSE] Reduced the number of names tried by http-vhosts by default. o [NSE] Reduced the number of names tried by http-vhosts by default.
[Vlatko Kosturjak] [Vlatko Kosturjak]

1
scripts/script.db
View File

@@ -345,6 +345,7 @@ Entry { filename = "smb-security-mode.nse", categories = { "default", "discovery
Entry { filename = "smb-server-stats.nse", categories = { "discovery", "intrusive", } } Entry { filename = "smb-server-stats.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-system-info.nse", categories = { "discovery", "intrusive", } } Entry { filename = "smb-system-info.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-vuln-ms10-054.nse", categories = { "dos", "intrusive", "vuln", } } Entry { filename = "smb-vuln-ms10-054.nse", categories = { "dos", "intrusive", "vuln", } }
Entry { filename = "smb-vuln-ms10-061.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "smbv2-enabled.nse", categories = { "default", "safe", } } Entry { filename = "smbv2-enabled.nse", categories = { "default", "safe", } }
Entry { filename = "smtp-brute.nse", categories = { "brute", "intrusive", } } Entry { filename = "smtp-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } } Entry { filename = "smtp-commands.nse", categories = { "default", "discovery", "safe", } }

168
scripts/smb-vuln-ms10-061.nse Normal file
View File

@@ -0,0 +1,168 @@
local bin = require "bin"
local msrpc = require "msrpc"
local smb = require "smb"
local string = require "string"
local vulns = require "vulns"
local stdnse = require "stdnse"
description = [[
Checks if target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability.
This vulnerability was used in Stuxnet worm.
The script checks for the vuln in a safe way without a possibility of crashing the remote system
as this is not a memory corruption vulnerability.
In order for the check to work it needs access to at least one shared printer on the remote system.
By default it tries to enumerate printers by using LANMAN API which on some systems is not
available by default. In that case user should specify printer share name as printer script argument.
To find a printer share, smb-enum-shares can be used.
Also, on some systems, accessing shares requires valid credentials which can be specified with
smb library arguments smbuser and smbpassword.
References:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729
- http://technet.microsoft.com/en-us/security/bulletin/MS10-061
- http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-061-printer-spooler-vulnerability.aspx
]]
---
-- @usage nmap -p 445 <target> --script=smb-vuln-ms10-061
--
-- @args printer Printer share name. Optional, by default script tries to enumerate available printer shares.
--
-- @output
-- PORT STATE SERVICE REASON
-- 445/tcp open microsoft-ds syn-ack
-- Host script results:
-- | smb-vuln-ms10-061:
-- | VULNERABLE:
-- | Print Spooler Service Impersonation Vulnerability
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2010-2729
-- | Risk factor: HIGH CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- | Description:
-- | The Print Spooler service in Microsoft Windows XP,Server 2003 SP2,Vista,Server 2008, and 7, when printer sharing is enabled,
-- | does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory,
-- | and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010,
-- | aka "Print Spooler Service Impersonation Vulnerability."
-- |
-- | Disclosure date: 2010-09-5
-- | References:
-- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729
-- | http://technet.microsoft.com/en-us/security/bulletin/MS10-061
-- |_ http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-061-printer-spooler-vulnerability.aspx
author = "Aleksandar Nikolic"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln","intrusive"}
hostrule = function(host)
return smb.get_port(host) ~= nil
end
action = function(host,port)
local ms10_061 = {
title = "Print Spooler Service Impersonation Vulnerability",
IDS = {CVE = 'CVE-2010-2729'},
risk_factor = "HIGH",
scores = {
CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
},
description = [[
The Print Spooler service in Microsoft Windows XP,Server 2003 SP2,Vista,Server 2008, and 7, when printer sharing is enabled,
does not properly validate spooler access permissions, which allows remote attackers to create files in a system directory,
and consequently execute arbitrary code, by sending a crafted print request over RPC, as exploited in the wild in September 2010,
aka "Print Spooler Service Impersonation Vulnerability."
]],
references = {
'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2729',
'http://technet.microsoft.com/en-us/security/bulletin/MS10-061',
'http://blogs.technet.com/b/srd/archive/2010/09/14/ms10-061-printer-spooler-vulnerability.aspx'
},
dates = {
disclosure = {year = '2010', month = '09', day = '5'},
},
exploit_results = {},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
ms10_061.state = vulns.STATE.NOT_VULN
local status, smbstate
status, smbstate = msrpc.start_smb(host, msrpc.SPOOLSS_PATH,true)
if(status == false) then
stdnse.print_debug("SMB: " .. smbstate)
return false, smbstate
end
local bind_result
status, bind_result = msrpc.bind(smbstate,msrpc.SPOOLSS_UUID, msrpc.SPOOLSS_VERSION, nil)
if(status == false) then
msrpc.stop_smb(smbstate)
stdnse.print_debug("SMB: " .. bind_result)
return false, bind_result
end
local printer = stdnse.get_script_args(SCRIPT_NAME .. '.printer')
-- if printer not set find available printers
if not printer then
stdnse.print_debug("No printer specified, trying to find one...")
local lanman_result
local REMSmb_NetShareEnum_P = "WrLeh"
local REMSmb_share_info_1 = "B13BWz"
status, lanman_result = msrpc.call_lanmanapi(smbstate,0,REMSmb_NetShareEnum_P,REMSmb_share_info_1,bin.pack("ss",0x01,65406))
if status == false then
stdnse.print_debug("SMB: " .. lanman_result)
stdnse.print_debug("SMB: Looks like LANMAN API is not available. Try setting printer script arg.")
end
local parameters = lanman_result.parameters
local data = lanman_result.data
local pos, status, convert, entry_count, available_entries = bin.unpack("<SSSS", parameters)
pos = 0
local share_type
for i = 1, entry_count, 1 do
_,share_type = bin.unpack(">s",data,pos+14)
pos, name = bin.unpack("<z", data, pos)
-- pos needs to be rounded to the next even multiple of 20
pos = pos + ( 20 - (#name % 20) ) - 1
if share_type == 1 then -- share is printer
stdnse.print_debug("Found printer share %s.", name)
printer = name
end
end
end
if not printer then
stdnse.print_debug("No printer found, system may be unpached but it needs at least one printer shared to be vulnerable.")
return false
end
stdnse.print_debug("Using %s as printer.",printer)
-- call RpcOpenPrinterEx - opnum 69
local status, result = msrpc.spoolss_open_printer(smbstate,"\\\\"..host.ip.."\\"..printer)
if not status then
return false
end
local printer_handle = string.sub(result.data,25,#result.data-4)
stdnse.print_debug("Printer handle %s",stdnse.tohex(printer_handle))
-- call RpcStartDocPrinter - opnum 17
status,result = msrpc.spoolss_start_doc_printer(smbstate,printer_handle,",") -- patched version will allow this
if not status then
return false
end
local print_job_id = string.sub(result.data,25,#result.data-4)
stdnse.print_debug("Start doc printer job id %s",stdnse.tohex(print_job_id))
-- call RpcWritePrinter - 19
status, result = msrpc.spoolss_write_printer(smbstate,printer_handle,"aaaa")
if not status then
return false
end
local write_result = string.sub(result.data,25,#result.data-4)
stdnse.print_debug("Written %s bytes to a file.",stdnse.tohex(write_result))
if stdnse.tohex(write_result) == "00000000" then -- patched version would report 4 bytes written
ms10_061.state = vulns.STATE.VULN -- identified by diffing patched an unpatched version
end
-- call abort_printer to stop the actuall printing in case the remote system is not vulnerable
-- we care about the environment and don't want to spend more paper then needed :)
status,result = msrpc.spoolss_abort_printer(smbstate,printer_handle)
return report:make_output(ms10_061)
end