diff --git a/nselib/bitcoin.lua b/nselib/bitcoin.lua index 5ef40ccf8..f7a2491d8 100644 --- a/nselib/bitcoin.lua +++ b/nselib/bitcoin.lua @@ -189,7 +189,7 @@ Request = { end, }, - + -- The pong message is sent in response to a ping message. Pong = { new = function(self) @@ -207,7 +207,7 @@ Request = { return bin.pack(" -- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' -- nmap --script clamav-exec --script-args cmd='shutdown' --- +-- -- @output -- PORT STATE SERVICE VERSION -- 3310/tcp open clam ClamAV 0.99.2 (21714) --- | clamav-exec: +-- | clamav-exec: -- | VULNERABLE: -- | ClamAV Remote Command Execution -- | State: VULNERABLE --- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the --- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' --- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the +-- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the +-- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' +-- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the -- | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us). --- | +-- | -- | Disclosure date: 2016-06-8 -- | Extra information: -- | SCAN command is enabled. -- | References: -- | https://bugzilla.clamav.net/show_bug.cgi?id=11585 -- |_ https://twitter.com/nitr0usmx/status/740673507684679680 --- @xmloutput +-- @xmloutput -- -- ClamAV Remote Command Execution -- VULNERABLE --
--- ClamAV 0.99.2, and possibly other previous versions, allow the execution --- of the clamav commands SCAN and SHUTDOWN without authentication. --- The command 'SCAN' may be used to enumerate system files and --- the command 'SHUTDOWN' shut downs the service. +-- ClamAV 0.99.2, and possibly other previous versions, allow the execution +-- of the clamav commands SCAN and SHUTDOWN without authentication. +-- The command 'SCAN' may be used to enumerate system files and +-- the command 'SHUTDOWN' shut downs the service. -- This vulnerability was discovered by Alejandro Hernandez (nitr0us). --
-- @@ -75,7 +75,7 @@ Reference: --
-- -- @args clamav-exec.cmd Command to execute. Option: scan and shutdown --- @args clamav-exec.scandb Database to file list. +-- @args clamav-exec.scandb Database to file list. --- author = "Paulino Calderon " @@ -112,7 +112,7 @@ local function scan(host, port, file) stdnse.debug1("SCAN command enabled.") return true, nil end - else + else status, data = comm.exchange(host, port, "SCAN " .. file) if not status then stdnse.debug1("Failed to send 'SCAN %s' command:%s", file, data) @@ -164,9 +164,9 @@ action = function(host, port) title = 'ClamAV Remote Command Execution', state = vulns.STATE.NOT_VULN, description = [[ -ClamAV 0.99.2, and possibly other previous versions, allow the execution of the -clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' -may be used to enumerate system files and the command 'SHUTDOWN' shut downs the +ClamAV 0.99.2, and possibly other previous versions, allow the execution of the +clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' +may be used to enumerate system files and the command 'SHUTDOWN' shut downs the service. This vulnerability was discovered by Alejandro Hernandez (nitr0us). ]], references = { @@ -205,10 +205,10 @@ service. This vulnerability was discovered by Alejandro Hernandez (nitr0us). elseif cmd == "shutdown" then status = shutdown(host, port) if status then - vuln.extra_info = "SHUTDOWN command sent succesfully." + vuln.extra_info = "SHUTDOWN command sent succesfully." vuln.state = vulns.STATE.VULN end - else + else status, files = scan(host, port, nil) if status then vuln.extra_info = "SCAN command is enabled." diff --git a/scripts/hnap-info.nse b/scripts/hnap-info.nse index 6f752ec3e..a750ebd5a 100644 --- a/scripts/hnap-info.nse +++ b/scripts/hnap-info.nse 
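Review bot: The user-facing string on the rewritten line `vuln.extra_info = "SHUTDOWN command sent succesfully."` still misspells "successfully"; since the commit already touches this line, it should become `vuln.extra_info = "SHUTDOWN command sent successfully."`. In the same hunk the trailing `else` branch runs `scan(host, port, nil)` for any `cmd` value that is not "shutdown", so a mistyped `clamav-exec.cmd` argument presumably falls through to the SCAN probe rather than being reported as unknown; if the `if` above the hunk only handles the explicit "scan" case, an explicit check such as `elseif cmd ~= "scan" then stdnse.debug1("Unknown cmd: %s", cmd) return nil` would make that failure visible. The enclosing `action` function starts and ends outside the hunk.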
@@ -7,7 +7,7 @@ local nmap = require "nmap" description = [[ Retrieve hardwares details and configuration information utilizing HNAP, the "Home Network Administration Protocol". -It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, +It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery, configuration, and management of devices (routers, cameras, PCs, NAS, etc.)]] --- @@ -17,7 +17,7 @@ configuration, and management of devices (routers, cameras, PCs, NAS, etc.)]] -- @output -- PORT STATE SERVICE REASON -- 8080/tcp open http-proxy syn-ack --- | hnap-info: +-- | hnap-info: -- | Type: GatewayWithWiFi -- | Device: Ingraham -- | Vendor: Linksys @@ -25,7 +25,7 @@ configuration, and management of devices (routers, cameras, PCs, NAS, etc.)]] -- | Model: E1200 -- | Firmware: 1.0.00 build 11 -- | Presentation URL: http://192.168.1.1/ --- | SOAPACTIONS: +-- | SOAPACTIONS: -- | http://purenetworks.com/HNAP1/IsDeviceReady -- | http://purenetworks.com/HNAP1/GetDeviceSettings -- | http://purenetworks.com/HNAP1/SetDeviceSettings @@ -104,10 +104,10 @@ function action (host, port) closeElement = function(name) parser._call.text = function() return nil end end } parser:parseSAX(response.body, {stripWhitespace=true}) - + -- exit if the parser does not return output if not next(output) then return nil end - + -- set the port verson port.version.name = "hnap" port.version.name_confidence = 10 diff --git a/scripts/http-aspnet-debug.nse b/scripts/http-aspnet-debug.nse index e836670f0..e45b296b5 100644 --- a/scripts/http-aspnet-debug.nse +++ b/scripts/http-aspnet-debug.nse 
@@ -1,60 +1,60 @@ -local http = require "http" -local shortport = require "shortport" -local stdnse = require "stdnse" - -description = [[ -Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request. - -The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote -debugging sessions. The script sends a 'stop-debug' command to determine the -application's current configuration state but access to RPC services is required - to interact with the debugging session. The request does not change the -application debugging configuration. -]] - ---- --- @usage nmap --script http-debug --- @usage nmap --script http-debug --script-args http-aspnet-debug.path=/path --- --- @args http-debug.path Path to URI. Default: / --- --- @output --- 80/tcp open http syn-ack --- | http-aspnet-debug: --- |_ status: DEBUG is enabled --- --- @xmloutput --- DEBUG is enabled ---- - -author = "Josh Amishav-Zlatin" -license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = { "vuln", "discovery" } - -portrule = shortport.http - -local function generate_http_debug_req(host, port, path) - local status = false - local options = {header={}} - options["header"]["Command"] = "stop-debug" - options["redirect_ok"] = 2 - - -- send DEBUG request with stop-debug command - local req = http.generic_request(host, port, "DEBUG", path, options) - - stdnse.debug1("Response body: %s", req.body ) - if req.body:match("OK") then - status = true - end - return status -end - -action = function(host, port) - local output = stdnse.output_table() - local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" - local status = generate_http_debug_req(host, port, path) - if status then - output.status = "DEBUG is enabled" - return output - end -end +local http = require "http" +local shortport = require "shortport" +local stdnse = require "stdnse" + +description = [[ +Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request. 
+ +The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote +debugging sessions. The script sends a 'stop-debug' command to determine the +application's current configuration state but access to RPC services is required + to interact with the debugging session. The request does not change the +application debugging configuration. +]] + +--- +-- @usage nmap --script http-debug +-- @usage nmap --script http-debug --script-args http-aspnet-debug.path=/path +-- +-- @args http-debug.path Path to URI. Default: / +-- +-- @output +-- 80/tcp open http syn-ack +-- | http-aspnet-debug: +-- |_ status: DEBUG is enabled +-- +-- @xmloutput +-- DEBUG is enabled +--- + +author = "Josh Amishav-Zlatin" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = { "vuln", "discovery" } + +portrule = shortport.http + +local function generate_http_debug_req(host, port, path) + local status = false + local options = {header={}} + options["header"]["Command"] = "stop-debug" + options["redirect_ok"] = 2 + + -- send DEBUG request with stop-debug command + local req = http.generic_request(host, port, "DEBUG", path, options) + + stdnse.debug1("Response body: %s", req.body ) + if req.body:match("OK") then + status = true + end + return status +end + +action = function(host, port) + local output = stdnse.output_table() + local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/" + local status = generate_http_debug_req(host, port, path) + if status then + output.status = "DEBUG is enabled" + return output + end +end diff --git a/scripts/http-backup-finder.nse b/scripts/http-backup-finder.nse index 5d4c1bcbb..6d798a11b 100644 --- a/scripts/http-backup-finder.nse +++ b/scripts/http-backup-finder.nse @@ -96,7 +96,7 @@ action = function(host, port) -- Check if we can use HEAD requests local use_head = http.can_use_head(host, port, result_404) - + local backups = {} while(true) do local status, r = crawler:crawl() 
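Review bot: `generate_http_debug_req` uses `req.body` without checking the response first, at `stdnse.debug1("Response body: %s", req.body )` and `req.body:match("OK")`; if, as I would expect for a failed or timed-out request, the returned table carries no body, the method call raises a runtime error instead of the function returning `false`. A single guard before the debug line, `if not (req and req.body) then return status end`, preserves the documented false result for failed requests. The pattern is also loose: any body containing the two letters OK (an error page, say) reports "DEBUG is enabled", so if the expected reply is just OK the match should be anchored, e.g. `req.body:match("^%s*OK%s*$")` — worth confirming against a real IIS response. Separately, the header's `-- @usage nmap --script http-debug` and `-- @args http-debug.path` name a different script, while the code reads `SCRIPT_NAME .. ".path"`, i.e. `http-aspnet-debug.path`; both doc lines should say `http-aspnet-debug`.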
@@ -141,7 +141,7 @@ action = function(host, port) else response = http.get(host, port, escaped_link, {redirect_ok=false}) end - + if http.page_exists(response, result_404, known_404, escaped_link, false) then if ( not(parsed.port) ) then table.insert(backups, diff --git a/scripts/http-brute.nse b/scripts/http-brute.nse index e95bfdd91..01397db3f 100644 --- a/scripts/http-brute.nse +++ b/scripts/http-brute.nse @@ -22,8 +22,8 @@ the creds library, for other scripts to use. -- @output -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack --- | http-brute: --- | Accounts: +-- | http-brute: +-- | Accounts: -- | user:user - Valid credentials -- |_ Statistics: Performed 123 guesses in 1 seconds, average tps: 123 -- diff --git a/scripts/http-cross-domain-policy.nse b/scripts/http-cross-domain-policy.nse index 2478c1d86..e86acedc3 100644 --- a/scripts/http-cross-domain-policy.nse +++ b/scripts/http-cross-domain-policy.nse @@ -32,7 +32,7 @@ References: -- @output -- PORT STATE SERVICE REASON -- 8080/tcp open http-proxy syn-ack --- | http-crossdomainxml-slaxml: +-- | http-crossdomainxml-slaxml: -- | VULNERABLE: -- | Cross-domain policy file (crossdomain.xml) -- | State: VULNERABLE diff --git a/scripts/http-form-fuzzer.nse b/scripts/http-form-fuzzer.nse index 010763421..ad8736ea9 100644 --- a/scripts/http-form-fuzzer.nse +++ b/scripts/http-form-fuzzer.nse @@ -130,7 +130,7 @@ local function fuzz_form(form, minlen, maxlen, host, port, path) else sending_function = function(data) return http.get(host, port, form_submission_path.."?"..url.build_query(data), {no_cache=true, bypass_cache=true}) end end - + local function fuzz_field(field) local affected_string = {} local affected_int = {} 
@@ -138,14 +138,14 @@ local function fuzz_form(form, minlen, maxlen, host, port, path) for i=minlen,maxlen do -- maybe a better idea would be to increment the string's length by more then 1 in each step local response_string local response_number - + --first try to fuzz with a string postdata[field["name"]] = stdnse.generate_random_string(i, charset) response_string = sending_function(postdata) --then with a number postdata[field["name"]] = stdnse.generate_random_string(i, charset_number) response_number = sending_function(postdata) - + if check_response(response_string) then affected_string[#affected_string+1]=i elseif request_too_big(response_string) then diff --git a/scripts/http-grep.nse b/scripts/http-grep.nse index 5bfdb525a..86324d723 100644 --- a/scripts/http-grep.nse +++ b/scripts/http-grep.nse @@ -22,15 +22,15 @@ The script searches for email and ip by default. -- @output -- PORT STATE SERVICE REASON -- 80/tcp open http syn-ack --- | http-grep: --- | (1) http://nmap.org/book/man-bugs.html: --- | (1) email: +-- | http-grep: +-- | (1) http://nmap.org/book/man-bugs.html: +-- | (1) email: -- | + dev@nmap.org --- | (1) http://nmap.org/book/install.html: --- | (1) email: +-- | (1) http://nmap.org/book/install.html: +-- | (1) email: -- | + fyodor@nmap.org --- | (16) http://nmap.org/changelog.html: --- | (7) ip: +-- | (16) http://nmap.org/changelog.html: +-- | (7) ip: -- | + 255.255.255.255 -- | + 10.99.24.140 -- | + 74.125.53.103 @@ -38,7 +38,7 @@ The script searches for email and ip by default. -- | + 203.65.42.255 -- | + 192.31.33.7 -- | + 168.0.40.135 --- | (9) email: +-- | (9) email: -- | + d1n@inbox.com -- | + fyodor@insecure.org -- | + uce@ftc.gov @@ -48,8 +48,8 @@ The script searches for email and ip by default. -- | + president@whitehouse.gov -- | + haesslich@loyalty.org -- | + rchong@fcc.gov --- | (6) http://nmap.org/5/#5changes: --- | (6) ip: +-- | (6) http://nmap.org/5/#5changes: +-- | (6) ip: -- | + 207.68.200.30 -- | + 64.13.134.52 -- | + 4.68.105.6 
diff --git a/scripts/http-internal-ip-disclosure.nse b/scripts/http-internal-ip-disclosure.nse index 816ccdd65..f8c8392f8 100644 --- a/scripts/http-internal-ip-disclosure.nse +++ b/scripts/http-internal-ip-disclosure.nse @@ -20,7 +20,7 @@ versions of Microsoft IIS, but affects other web servers as well. -- -- @output -- 80/tcp open http syn-ack --- | http-internal-ip-disclosure: +-- | http-internal-ip-disclosure: -- |_ Internal IP Leaked: 10.0.0.2 -- -- @xmloutput @@ -29,7 +29,7 @@ versions of Microsoft IIS, but affects other web servers as well. author = "Josh Amishav-Zlatin" license = "Same as Nmap--See https://nmap.org/book/man-legal.html" -categories = { "vuln", "discovery", "safe" } +categories = { "vuln", "discovery", "safe" } portrule = shortport.http @@ -81,7 +81,7 @@ action = function(host, port) end if IP then - output["Internal IP Leaked"] = IP + output["Internal IP Leaked"] = IP return output end end diff --git a/scripts/http-webdav-scan.nse b/scripts/http-webdav-scan.nse index fca1b10b6..47e3a0a02 100644 --- a/scripts/http-webdav-scan.nse +++ b/scripts/http-webdav-scan.nse @@ -27,12 +27,12 @@ This script takes inspiration from the various scripts listed here: -- @output -- PORT STATE SERVICE -- 8008/tcp open http --- | http-webdav-scan: +-- | http-webdav-scan: -- | Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT -- | Server Type: DAV/0.9.8 Python/2.7.6 -- | Server Date: Fri, 22 May 2015 19:28:00 GMT -- | WebDAV type: unkown --- | Directory Listing: +-- | Directory Listing: -- | http://localhosft -- | http://localhost:8008/WebDAVTest_b1tqTWeyRR -- | http://localhost:8008/WebDAVTest_A0QWJb7hcK diff --git a/scripts/http-wordpress-enum.nse b/scripts/http-wordpress-enum.nse index ebb68dc72..9aa446a33 100644 --- a/scripts/http-wordpress-enum.nse +++ b/scripts/http-wordpress-enum.nse 
@@ -188,7 +188,7 @@ action = function(host, port) stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number) return nil end - + -- search the website root for evidences of a Wordpress path if not wp_root then local target_index = http.get(host,port, "/") diff --git a/scripts/ip-geolocation-maxmind.nse b/scripts/ip-geolocation-maxmind.nse index 0eb243607..acac5ef0c 100644 --- a/scripts/ip-geolocation-maxmind.nse +++ b/scripts/ip-geolocation-maxmind.nse @@ -597,7 +597,7 @@ action = function(host,port) if f_maxmind then gi = assert( GeoIP:new(f_maxmind), "Wrong file specified for a Maxmind database") else - gi = assert( GeoIP:new(nmap.fetchfile("nselib/data/GeoLiteCity.dat")), + gi = assert( GeoIP:new(nmap.fetchfile("nselib/data/GeoLiteCity.dat")), "Cannot read GeoLiteCity.dat in 'nselib/data/'. Download the database from http://dev.maxmind.com/geoip/legacy/geolite/.") end local out = gi:output_record_by_addr(host.ip) diff --git a/scripts/smb-vuln-conficker.nse b/scripts/smb-vuln-conficker.nse index 95bc0ce57..75987f4e7 100644 --- a/scripts/smb-vuln-conficker.nse +++ b/scripts/smb-vuln-conficker.nse @@ -7,7 +7,7 @@ local table = require "table" local vulns = require "vulns" description = [[ -Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and +Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and it may crash systems. Based loosely on the Simple Conficker Scanner, found here: @@ -21,7 +21,7 @@ This check was previously part of smb-check-vulns. -- nmap -sU --script smb-vuln-conficker.nse -p T:139 -- --@output ---| smb-vuln-conficker: +--| smb-vuln-conficker: --| VULNERABLE: --| Microsoft Windows system infected by Conficker --| State: VULNERABLE diff --git a/scripts/smb-vuln-cve2009-3103.nse b/scripts/smb-vuln-cve2009-3103.nse index 801fa8451..e09b5effd 100644 --- a/scripts/smb-vuln-cve2009-3103.nse 
+++ b/scripts/smb-vuln-cve2009-3103.nse @@ -11,8 +11,8 @@ Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103 This script will crash the service if it is vulnerable. The script performs a denial-of-service against the vulnerability disclosed in -CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, -and causes a bluescreen if successful. The proof-of-concept code at +CVE-2009-3103. This works against Windows Vista and some versions of Windows 7, +and causes a bluescreen if successful. The proof-of-concept code at http://seclists.org/fulldisclosure/2009/Sep/39 was used, with one small change. This check was previously part of smb-check-vulns. 
@@ -25,17 +25,17 @@ This check was previously part of smb-check-vulns. -- --@output --Host script results: ---| smb-vuln-cve2009-3103: +--| smb-vuln-cve2009-3103: --| VULNERABLE: --| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497) --| State: VULNERABLE --| IDs: CVE:CVE-2009-3103 ---| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, ---| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a ---| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE ---| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, +--| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, +--| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a +--| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE +--| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, --| aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information. ---| +--| --| Disclosure date: 2009-09-08 --| References: --| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103 
@@ -147,11 +147,11 @@ action = function(host) title = 'SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)', state = vulns.STATE.NOT_VULN, description = [[ - Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, - Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a - denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE - PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, - aka "SMBv2 Negotiation Vulnerability." + Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2, + Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a + denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE + PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location, + aka "SMBv2 Negotiation Vulnerability." ]], IDS = {CVE = 'CVE-2009-3103'}, references = { diff --git a/scripts/smb-vuln-ms06-025.nse b/scripts/smb-vuln-ms06-025.nse index eaf4cebf1..791baf0a6 100644 --- a/scripts/smb-vuln-ms06-025.nse +++ b/scripts/smb-vuln-ms06-025.nse 
@@ -29,15 +29,15 @@ This script was previously part of smb-check-vulns. -- nmap -sU --script smb-vuln-ms06-025.nse -p U:137,T:139 -- --@output ---| smb-vuln-ms06-025: +--| smb-vuln-ms06-025: --| VULNERABLE: --| RRAS Memory Corruption vulnerability (MS06-025) --| State: VULNERABLE --| IDs: CVE:CVE-2006-2370 ---| A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 ---| and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to +--| A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 +--| and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to --| execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability." ---| +--| --| Disclosure date: 2006-6-27 --| References: --| https://technet.microsoft.com/en-us/library/security/ms06-025.aspx @@ -129,8 +129,8 @@ action = function(host) title = 'RRAS Memory Corruption vulnerability (MS06-025)', state = vulns.STATE.NOT_VULN, description = [[ - A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 - and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to + A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 + and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability." ]], IDS = {CVE = 'CVE-2006-2370'}, diff --git a/scripts/smb-vuln-ms07-029.nse b/scripts/smb-vuln-ms07-029.nse index fe2b7e8bd..2fee8a5a9 100644 --- a/scripts/smb-vuln-ms07-029.nse +++ b/scripts/smb-vuln-ms07-029.nse 
@@ -9,11 +9,11 @@ local vulns = require "vulns" description = [[ Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029. -MS07-029 targets the R_DnssrvQuery() and R_DnssrvQuery2() -RPC method which isa part of DNS Server RPC interface that serves as a RPC service -for configuring and getting information from the DNS Server service. -DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe. -The vulnerability is triggered when a long string is send as the "zone" parameter +MS07-029 targets the R_DnssrvQuery() and R_DnssrvQuery2() +RPC method which isa part of DNS Server RPC interface that serves as a RPC service +for configuring and getting information from the DNS Server service. +DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe. +The vulnerability is triggered when a long string is send as the "zone" parameter which causes the buffer overflow which crashes the service. This check was previously part of smb-check-vulns. @@ -25,15 +25,15 @@ This check was previously part of smb-check-vulns. -- --@output --Host script results: ---| smb-vuln-ms07-029: +--| smb-vuln-ms07-029: --| VULNERABLE: --| Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029) --| State: VULNERABLE --| IDs: CVE:CVE-2007-1748 ---| A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in ---| Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to +--| A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in +--| Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to --| execute arbitrary code via a long zone name containing character constants represented by escape sequences. ---| +--| --| Disclosure date: 2007-06-06 --| References: --| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748 
@@ -119,8 +119,8 @@ action = function(host) title = 'Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)', state = vulns.STATE.NOT_VULN, description = [[ - A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in - Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to + A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in + Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to execute arbitrary code via a long zone name containing character constants represented by escape sequences. ]], IDS = {CVE = 'CVE-2007-1748'}, diff --git a/scripts/smb-vuln-ms08-067.nse b/scripts/smb-vuln-ms08-067.nse index 05a263448..95532264f 100644 --- a/scripts/smb-vuln-ms08-067.nse +++ b/scripts/smb-vuln-ms08-067.nse @@ -7,12 +7,12 @@ local table = require "table" local vulns = require "vulns" description = [[ -Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability +Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability known as MS08-067. This check is dangerous and it may crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survive -the check. Out of 82 vulnerable systems, 52 crashed. +the check. Out of 82 vulnerable systems, 52 crashed. Please consider this before running the script. This check was previously part of smb-check-vulns.nse. 
@@ -23,15 +23,15 @@ This check was previously part of smb-check-vulns.nse. -- nmap -sU --script smb-vuln-ms08-067.nse -p U:137 -- --@output ---| smb-vuln-ms08-067: +--| smb-vuln-ms08-067: --| VULNERABLE: --| Microsoft Windows system vulnerable to remote code execution (MS08-067) --| State: VULNERABLE --| IDs: CVE:CVE-2008-4250 ---| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, ---| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary +--| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, +--| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary --| code via a crafted RPC request that triggers the overflow during path canonicalization. ---| +--| --| Disclosure date: 2008-10-23 --| References: --| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx @@ -75,7 +75,7 @@ local INFECTED = 5 --@param host The host object. --@return (status, result) If status is false, result is an error code; otherwise, result is either -- VULNERABLE for vulnerable, PATCHED for not vulnerable, --- UNKNOWN if there was an error (likely vulnerable), +-- UNKNOWN if there was an error (likely vulnerable), -- and INFECTED if it was patched by Conficker. function check_ms08_067(host) local status, smbstate 
@@ -125,8 +125,8 @@ action = function(host) title = 'Microsoft Windows system vulnerable to remote code execution (MS08-067)', state = vulns.STATE.NOT_VULN, description = [[ - The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, - Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary + The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, + Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization. ]], IDS = {CVE = 'CVE-2008-4250'}, diff --git a/scripts/smb-vuln-regsvc-dos.nse b/scripts/smb-vuln-regsvc-dos.nse index e95eb3fba..6a154f56b 100644 --- a/scripts/smb-vuln-regsvc-dos.nse +++ b/scripts/smb-vuln-regsvc-dos.nse @@ -7,11 +7,11 @@ local table = require "table" local vulns = require "vulns" description = [[ -Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer -dereference. This check will crash the service if it is vulnerable and requires a guest account or +Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer +dereference. This check will crash the service if it is vulnerable and requires a guest account or higher to work. -The vulnerability was discovered by Ron Bowes while working on smb-enum-sessions and +The vulnerability was discovered by Ron Bowes while working on smb-enum-sessions and was reported to Microsoft (Case #MSRC8742). This check was previously part of smb-check-vulns. 
@@ -22,14 +22,14 @@ This check was previously part of smb-check-vulns. -- nmap -sU --script smb-vuln-regsvc-dos.nse -p U:137,T:139 -- --@output ---| smb-vuln-regsvc-dos: +--| smb-vuln-regsvc-dos: --| VULNERABLE: --| Service regsvc in Microsoft Windows systems vulnerable to denial of service --| State: VULNERABLE ---| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference ---| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes +--| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference +--| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes --| while working on smb-enum-sessions. ---|_ +--|_ --- author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon "} @@ -62,7 +62,7 @@ local PATCHED = 2 -- --@param host The host object. --@return (status, result) If status is false, result is an error code; otherwise, result is either --- VULNERABLE for vulnerable or PATCHED for not vulnerable. +-- VULNERABLE for vulnerable or PATCHED for not vulnerable. function check_winreg_Enum_crash(host) local i, j local elements = {} @@ -107,8 +107,8 @@ action = function(host) title = 'Service regsvc in Microsoft Windows systems vulnerable to denial of service', state = vulns.STATE.NOT_VULN, description = [[ -The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference -pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes +The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference +pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes while working on smb-enum-sessions. ]] }