
Remove trailing whitespace

This commit is contained in:
dmiller
2016-08-29 20:30:26 +00:00
parent 59d9e31ab2
commit 92f52de958
23 changed files with 176 additions and 176 deletions


@@ -189,7 +189,7 @@ Request = {
end,
},
-- The pong message is sent in response to a ping message.
Pong = {
new = function(self)
@@ -207,7 +207,7 @@ Request = {
return bin.pack("<IAII", magic, cmd, len, chksum)
end,
}
}


@@ -1299,7 +1299,7 @@ function generic_request(host, port, method, path, options)
local auth_blob = "NTLMSSP\x00" .. -- NTLM signature
"\x01\x00\x00\x00" .. -- NTLM Type 1 message
bin.pack("<I", 0xa208b207) .. -- flags 56, 128, Version, Extended Security, Always Sign, Workstation supplied, Domain Supplied, NTLM Key, OEM, Unicode
bin.pack("<I", 0xa208b207) .. -- flags 56, 128, Version, Extended Security, Always Sign, Workstation supplied, Domain Supplied, NTLM Key, OEM, Unicode
bin.pack("<SSISSI",#workstation_name, #workstation_name, 40 + #hostname, #hostname, #hostname, 40) .. -- Supplied Domain and Workstation
bin.pack("CC<S", -- OS version info
5, 1, 2600) .. -- 5.1.2600


@@ -366,7 +366,7 @@ function udpSearchRequest( host, port, params )
local encoder = asn1.ASN1Encoder:new()
local decoder = asn1.ASN1Decoder:new()
encoder:registerTagEncoders(tagEncoder)
decoder:registerTagDecoders(tagDecoder)


@@ -444,7 +444,7 @@ Helper = {
self.__index = self
o.host = host
o.port = port
o.community = community or "public"
if community == nil then
local creds_store = creds.Credentials:new(creds.ALL_DATA, host, port)
@@ -461,7 +461,7 @@ Helper = {
timeout = 5000,
version = 0
}
return o
end,
@@ -558,7 +558,7 @@ Helper = {
while ( snmpdata and snmpdata[1] and snmpdata[1][1] and snmpdata[1][2] ) do
oid = snmpdata[1][2]
if not oid:match(base_oid) or base_oid == oid then break end
table.insert(snmp_table, { oid = oid, value = snmpdata[1][1] })
local _ -- NSE don't want you to use global even if it is _
_, snmpdata = self:getnext(options, oid)


@@ -828,7 +828,7 @@ function getCertificate(host, port)
local cert
-- If we don't already know the service is TLS wrapped check to see if we
-- If we don't already know the service is TLS wrapped check to see if we
-- have to use a wrapper and do a manual handshake
local wrapper
if not ( port.version.service_tunnel == 'ssl' ) then
@@ -899,9 +899,9 @@ function getCertificate(host, port)
return false, "Unable to get cert"
end
else
-- If we don't already know the service is TLS wrapped check to see if
-- If we don't already know the service is TLS wrapped check to see if
-- there a specialized function for this port
local specialized
local specialized
if not ( port.version.service_tunnel == 'ssl' ) then
specialized = SPECIALIZED_PREPARE_TLS[port.service] or SPECIALIZED_PREPARE_TLS[port.number]
end


@@ -1,5 +1,5 @@
local shortport = require "shortport"
local vulns = require "vulns"
local vulns = require "vulns"
local nmap = require "nmap"
local stdnse = require "stdnse"
local table = require "table"
@@ -8,14 +8,14 @@ local string = require "string"
local comm = require "comm"
description = [[
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution.
ClamAV server 0.99.2, and possibly other previous versions, allow the execution
of dangerous service commands without authentication. Specifically, the command 'SCAN'
may be used to list system files and the command 'SHUTDOWN' shut downs the
ClamAV server 0.99.2, and possibly other previous versions, allow the execution
of dangerous service commands without authentication. Specifically, the command 'SCAN'
may be used to list system files and the command 'SHUTDOWN' shut downs the
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
This script without arguments test the availability of the command 'SCAN'.
This script without arguments test the availability of the command 'SCAN'.
Reference:
* https://twitter.com/nitr0usmx/status/740673507684679680
@@ -23,38 +23,38 @@ Reference:
]]
---
-- @usage
-- @usage
-- nmap -sV --script clamav-exec <target>
-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
-- nmap --script clamav-exec --script-args cmd='shutdown' <target>
--
--
-- @output
-- PORT STATE SERVICE VERSION
-- 3310/tcp open clam ClamAV 0.99.2 (21714)
-- | clamav-exec:
-- | clamav-exec:
-- | VULNERABLE:
-- | ClamAV Remote Command Execution
-- | State: VULNERABLE
-- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
-- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
-- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
-- | ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
-- | clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
-- | may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
-- | service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
-- |
-- |
-- | Disclosure date: 2016-06-8
-- | Extra information:
-- | SCAN command is enabled.
-- | References:
-- | https://bugzilla.clamav.net/show_bug.cgi?id=11585
-- |_ https://twitter.com/nitr0usmx/status/740673507684679680
-- @xmloutput
-- @xmloutput
-- <table key="NMAP-1">
-- <elem key="title">ClamAV Remote Command Execution</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="description">
-- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution
-- of the &#xa;clamav commands SCAN and SHUTDOWN without authentication.
-- The command &apos;SCAN&apos; &#xa;may be used to enumerate system files and
-- the command &apos;SHUTDOWN&apos; shut downs the &#xa;service.
-- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution
-- of the &#xa;clamav commands SCAN and SHUTDOWN without authentication.
-- The command &apos;SCAN&apos; &#xa;may be used to enumerate system files and
-- the command &apos;SHUTDOWN&apos; shut downs the &#xa;service.
-- This vulnerability was discovered by Alejandro Hernandez (nitr0us).&#xa;</elem>
-- </table>
-- <table key="dates">
@@ -75,7 +75,7 @@ Reference:
-- </table>
--
-- @args clamav-exec.cmd Command to execute. Option: scan and shutdown
-- @args clamav-exec.scandb Database to file list.
-- @args clamav-exec.scandb Database to file list.
---
author = "Paulino Calderon <calderon()websec.mx>"
@@ -112,7 +112,7 @@ local function scan(host, port, file)
stdnse.debug1("SCAN command enabled.")
return true, nil
end
else
else
status, data = comm.exchange(host, port, "SCAN " .. file)
if not status then
stdnse.debug1("Failed to send 'SCAN %s' command:%s", file, data)
@@ -164,9 +164,9 @@ action = function(host, port)
title = 'ClamAV Remote Command Execution',
state = vulns.STATE.NOT_VULN,
description = [[
ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
ClamAV 0.99.2, and possibly other previous versions, allow the execution of the
clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN'
may be used to enumerate system files and the command 'SHUTDOWN' shut downs the
service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
]],
references = {
@@ -205,10 +205,10 @@ service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
elseif cmd == "shutdown" then
status = shutdown(host, port)
if status then
vuln.extra_info = "SHUTDOWN command sent succesfully."
vuln.extra_info = "SHUTDOWN command sent succesfully."
vuln.state = vulns.STATE.VULN
end
else
else
status, files = scan(host, port, nil)
if status then
vuln.extra_info = "SCAN command is enabled."


@@ -7,7 +7,7 @@ local nmap = require "nmap"
description = [[
Retrieve hardwares details and configuration information utilizing HNAP, the "Home Network Administration Protocol".
It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery,
It is an HTTP-Simple Object Access Protocol (SOAP)-based protocol which allows for remote topology discovery,
configuration, and management of devices (routers, cameras, PCs, NAS, etc.)]]
---
@@ -17,7 +17,7 @@ configuration, and management of devices (routers, cameras, PCs, NAS, etc.)]]
-- @output
-- PORT STATE SERVICE REASON
-- 8080/tcp open http-proxy syn-ack
-- | hnap-info:
-- | hnap-info:
-- | Type: GatewayWithWiFi
-- | Device: Ingraham
-- | Vendor: Linksys
@@ -25,7 +25,7 @@ configuration, and management of devices (routers, cameras, PCs, NAS, etc.)]]
-- | Model: E1200
-- | Firmware: 1.0.00 build 11
-- | Presentation URL: http://192.168.1.1/
-- | SOAPACTIONS:
-- | SOAPACTIONS:
-- | http://purenetworks.com/HNAP1/IsDeviceReady
-- | http://purenetworks.com/HNAP1/GetDeviceSettings
-- | http://purenetworks.com/HNAP1/SetDeviceSettings
@@ -104,10 +104,10 @@ function action (host, port)
closeElement = function(name) parser._call.text = function() return nil end end
}
parser:parseSAX(response.body, {stripWhitespace=true})
-- exit if the parser does not return output
if not next(output) then return nil end
-- set the port verson
port.version.name = "hnap"
port.version.name_confidence = 10


@@ -1,60 +1,60 @@
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote
debugging sessions. The script sends a 'stop-debug' command to determine the
application's current configuration state but access to RPC services is required
to interact with the debugging session. The request does not change the
application debugging configuration.
]]
---
-- @usage nmap --script http-debug <target>
-- @usage nmap --script http-debug --script-args http-aspnet-debug.path=/path <target>
--
-- @args http-debug.path Path to URI. Default: /
--
-- @output
-- 80/tcp open http syn-ack
-- | http-aspnet-debug:
-- |_ status: DEBUG is enabled
--
-- @xmloutput
-- <elem key="status">DEBUG is enabled</elem>
---
author = "Josh Amishav-Zlatin"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln", "discovery" }
portrule = shortport.http
local function generate_http_debug_req(host, port, path)
local status = false
local options = {header={}}
options["header"]["Command"] = "stop-debug"
options["redirect_ok"] = 2
-- send DEBUG request with stop-debug command
local req = http.generic_request(host, port, "DEBUG", path, options)
stdnse.debug1("Response body: %s", req.body )
if req.body:match("OK") then
status = true
end
return status
end
action = function(host, port)
local output = stdnse.output_table()
local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
local status = generate_http_debug_req(host, port, path)
if status then
output.status = "DEBUG is enabled"
return output
end
end
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
Determines if a ASP.NET application has debugging enabled using a HTTP DEBUG request.
The HTTP DEBUG verb is used within ASP.NET applications to start/stop remote
debugging sessions. The script sends a 'stop-debug' command to determine the
application's current configuration state but access to RPC services is required
to interact with the debugging session. The request does not change the
application debugging configuration.
]]
---
-- @usage nmap --script http-debug <target>
-- @usage nmap --script http-debug --script-args http-aspnet-debug.path=/path <target>
--
-- @args http-debug.path Path to URI. Default: /
--
-- @output
-- 80/tcp open http syn-ack
-- | http-aspnet-debug:
-- |_ status: DEBUG is enabled
--
-- @xmloutput
-- <elem key="status">DEBUG is enabled</elem>
---
author = "Josh Amishav-Zlatin"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln", "discovery" }
portrule = shortport.http
local function generate_http_debug_req(host, port, path)
local status = false
local options = {header={}}
options["header"]["Command"] = "stop-debug"
options["redirect_ok"] = 2
-- send DEBUG request with stop-debug command
local req = http.generic_request(host, port, "DEBUG", path, options)
stdnse.debug1("Response body: %s", req.body )
if req.body:match("OK") then
status = true
end
return status
end
action = function(host, port)
local output = stdnse.output_table()
local path = stdnse.get_script_args(SCRIPT_NAME .. ".path") or "/"
local status = generate_http_debug_req(host, port, path)
if status then
output.status = "DEBUG is enabled"
return output
end
end


@@ -96,7 +96,7 @@ action = function(host, port)
-- Check if we can use HEAD requests
local use_head = http.can_use_head(host, port, result_404)
local backups = {}
while(true) do
local status, r = crawler:crawl()
@@ -141,7 +141,7 @@ action = function(host, port)
else
response = http.get(host, port, escaped_link, {redirect_ok=false})
end
if http.page_exists(response, result_404, known_404, escaped_link, false) then
if ( not(parsed.port) ) then
table.insert(backups,


@@ -22,8 +22,8 @@ the creds library, for other scripts to use.
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-brute:
-- | Accounts:
-- | http-brute:
-- | Accounts:
-- | user:user - Valid credentials
-- |_ Statistics: Performed 123 guesses in 1 seconds, average tps: 123
--


@@ -32,7 +32,7 @@ References:
-- @output
-- PORT STATE SERVICE REASON
-- 8080/tcp open http-proxy syn-ack
-- | http-crossdomainxml-slaxml:
-- | http-crossdomainxml-slaxml:
-- | VULNERABLE:
-- | Cross-domain policy file (crossdomain.xml)
-- | State: VULNERABLE


@@ -130,7 +130,7 @@ local function fuzz_form(form, minlen, maxlen, host, port, path)
else
sending_function = function(data) return http.get(host, port, form_submission_path.."?"..url.build_query(data), {no_cache=true, bypass_cache=true}) end
end
local function fuzz_field(field)
local affected_string = {}
local affected_int = {}
@@ -138,14 +138,14 @@ local function fuzz_form(form, minlen, maxlen, host, port, path)
for i=minlen,maxlen do -- maybe a better idea would be to increment the string's length by more then 1 in each step
local response_string
local response_number
--first try to fuzz with a string
postdata[field["name"]] = stdnse.generate_random_string(i, charset)
response_string = sending_function(postdata)
--then with a number
postdata[field["name"]] = stdnse.generate_random_string(i, charset_number)
response_number = sending_function(postdata)
if check_response(response_string) then
affected_string[#affected_string+1]=i
elseif request_too_big(response_string) then


@@ -22,15 +22,15 @@ The script searches for email and ip by default.
-- @output
-- PORT STATE SERVICE REASON
-- 80/tcp open http syn-ack
-- | http-grep:
-- | (1) http://nmap.org/book/man-bugs.html:
-- | (1) email:
-- | http-grep:
-- | (1) http://nmap.org/book/man-bugs.html:
-- | (1) email:
-- | + dev@nmap.org
-- | (1) http://nmap.org/book/install.html:
-- | (1) email:
-- | (1) http://nmap.org/book/install.html:
-- | (1) email:
-- | + fyodor@nmap.org
-- | (16) http://nmap.org/changelog.html:
-- | (7) ip:
-- | (16) http://nmap.org/changelog.html:
-- | (7) ip:
-- | + 255.255.255.255
-- | + 10.99.24.140
-- | + 74.125.53.103
@@ -38,7 +38,7 @@ The script searches for email and ip by default.
-- | + 203.65.42.255
-- | + 192.31.33.7
-- | + 168.0.40.135
-- | (9) email:
-- | (9) email:
-- | + d1n@inbox.com
-- | + fyodor@insecure.org
-- | + uce@ftc.gov
@@ -48,8 +48,8 @@ The script searches for email and ip by default.
-- | + president@whitehouse.gov
-- | + haesslich@loyalty.org
-- | + rchong@fcc.gov
-- | (6) http://nmap.org/5/#5changes:
-- | (6) ip:
-- | (6) http://nmap.org/5/#5changes:
-- | (6) ip:
-- | + 207.68.200.30
-- | + 64.13.134.52
-- | + 4.68.105.6


@@ -20,7 +20,7 @@ versions of Microsoft IIS, but affects other web servers as well.
--
-- @output
-- 80/tcp open http syn-ack
-- | http-internal-ip-disclosure:
-- | http-internal-ip-disclosure:
-- |_ Internal IP Leaked: 10.0.0.2
--
-- @xmloutput
@@ -29,7 +29,7 @@ versions of Microsoft IIS, but affects other web servers as well.
author = "Josh Amishav-Zlatin"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln", "discovery", "safe" }
categories = { "vuln", "discovery", "safe" }
portrule = shortport.http
@@ -81,7 +81,7 @@ action = function(host, port)
end
if IP then
output["Internal IP Leaked"] = IP
output["Internal IP Leaked"] = IP
return output
end
end


@@ -27,12 +27,12 @@ This script takes inspiration from the various scripts listed here:
-- @output
-- PORT STATE SERVICE
-- 8008/tcp open http
-- | http-webdav-scan:
-- | http-webdav-scan:
-- | Allowed Methods: GET, HEAD, COPY, MOVE, POST, PUT, PROPFIND, PROPPATCH, OPTIONS, MKCOL, DELETE, TRACE, REPORT
-- | Server Type: DAV/0.9.8 Python/2.7.6
-- | Server Date: Fri, 22 May 2015 19:28:00 GMT
-- | WebDAV type: unkown
-- | Directory Listing:
-- | Directory Listing:
-- | http://localhosft
-- | http://localhost:8008/WebDAVTest_b1tqTWeyRR
-- | http://localhost:8008/WebDAVTest_A0QWJb7hcK


@@ -188,7 +188,7 @@ action = function(host, port)
stdnse.debug1("Exiting due to ambiguous response from web server on %s:%s. All URIs return status 200.", host.ip, port.number)
return nil
end
-- search the website root for evidences of a Wordpress path
if not wp_root then
local target_index = http.get(host,port, "/")


@@ -597,7 +597,7 @@ action = function(host,port)
if f_maxmind then
gi = assert( GeoIP:new(f_maxmind), "Wrong file specified for a Maxmind database")
else
gi = assert( GeoIP:new(nmap.fetchfile("nselib/data/GeoLiteCity.dat")),
gi = assert( GeoIP:new(nmap.fetchfile("nselib/data/GeoLiteCity.dat")),
"Cannot read GeoLiteCity.dat in 'nselib/data/'. Download the database from http://dev.maxmind.com/geoip/legacy/geolite/.")
end
local out = gi:output_record_by_addr(host.ip)


@@ -7,7 +7,7 @@ local table = require "table"
local vulns = require "vulns"
description = [[
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and
Detects Microsoft Windows systems infected by the Conficker worm. This check is dangerous and
it may crash systems.
Based loosely on the Simple Conficker Scanner, found here:
@@ -21,7 +21,7 @@ This check was previously part of smb-check-vulns.
-- nmap -sU --script smb-vuln-conficker.nse -p T:139 <host>
--
--@output
--| smb-vuln-conficker:
--| smb-vuln-conficker:
--| VULNERABLE:
--| Microsoft Windows system infected by Conficker
--| State: VULNERABLE


@@ -11,8 +11,8 @@ Detects Microsoft Windows systems vulnerable to denial of service (CVE-2009-3103
This script will crash the service if it is vulnerable.
The script performs a denial-of-service against the vulnerability disclosed in
CVE-2009-3103. This works against Windows Vista and some versions of Windows 7,
and causes a bluescreen if successful. The proof-of-concept code at
CVE-2009-3103. This works against Windows Vista and some versions of Windows 7,
and causes a bluescreen if successful. The proof-of-concept code at
http://seclists.org/fulldisclosure/2009/Sep/39 was used, with one small change.
This check was previously part of smb-check-vulns.
@@ -25,17 +25,17 @@ This check was previously part of smb-check-vulns.
--
--@output
--Host script results:
--| smb-vuln-cve2009-3103:
--| smb-vuln-cve2009-3103:
--| VULNERABLE:
--| SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
--| State: VULNERABLE
--| IDs: CVE:CVE-2009-3103
--| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
--| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
--| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
--| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
--| Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
--| Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
--| denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
--| PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
--| aka "SMBv2 Negotiation Vulnerability." NOTE: some of these details are obtained from third party information.
--|
--|
--| Disclosure date: 2009-09-08
--| References:
--| http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3103
@@ -147,11 +147,11 @@ action = function(host)
title = 'SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)',
state = vulns.STATE.NOT_VULN,
description = [[
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
aka "SMBv2 Negotiation Vulnerability."
Array index error in the SMBv2 protocol implementation in srv2.sys in Microsoft Windows Vista Gold, SP1, and SP2,
Windows Server 2008 Gold and SP2, and Windows 7 RC allows remote attackers to execute arbitrary code or cause a
denial of service (system crash) via an & (ampersand) character in a Process ID High header field in a NEGOTIATE
PROTOCOL REQUEST packet, which triggers an attempted dereference of an out-of-bounds memory location,
aka "SMBv2 Negotiation Vulnerability."
]],
IDS = {CVE = 'CVE-2009-3103'},
references = {


@@ -29,15 +29,15 @@ This script was previously part of smb-check-vulns.
-- nmap -sU --script smb-vuln-ms06-025.nse -p U:137,T:139 <host>
--
--@output
--| smb-vuln-ms06-025:
--| smb-vuln-ms06-025:
--| VULNERABLE:
--| RRAS Memory Corruption vulnerability (MS06-025)
--| State: VULNERABLE
--| IDs: CVE:CVE-2006-2370
--| A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
--| and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
--| A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
--| and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
--| execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
--|
--|
--| Disclosure date: 2006-6-27
--| References:
--| https://technet.microsoft.com/en-us/library/security/ms06-025.aspx
@@ -129,8 +129,8 @@ action = function(host)
title = 'RRAS Memory Corruption vulnerability (MS06-025)',
state = vulns.STATE.NOT_VULN,
description = [[
A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to
execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."
]],
IDS = {CVE = 'CVE-2006-2370'},


@@ -9,11 +9,11 @@ local vulns = require "vulns"
description = [[
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
MS07-029 targets the <code>R_DnssrvQuery()</code> and <code>R_DnssrvQuery2()</code>
RPC method which isa part of DNS Server RPC interface that serves as a RPC service
for configuring and getting information from the DNS Server service.
DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe.
The vulnerability is triggered when a long string is send as the "zone" parameter
MS07-029 targets the <code>R_DnssrvQuery()</code> and <code>R_DnssrvQuery2()</code>
RPC method which isa part of DNS Server RPC interface that serves as a RPC service
for configuring and getting information from the DNS Server service.
DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe.
The vulnerability is triggered when a long string is send as the "zone" parameter
which causes the buffer overflow which crashes the service.
This check was previously part of smb-check-vulns.
@@ -25,15 +25,15 @@ This check was previously part of smb-check-vulns.
--
--@output
--Host script results:
--| smb-vuln-ms07-029:
--| smb-vuln-ms07-029:
--| VULNERABLE:
--| Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
--| State: VULNERABLE
--| IDs: CVE:CVE-2007-1748
--| A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
--| Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
--| A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
--| Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
--| execute arbitrary code via a long zone name containing character constants represented by escape sequences.
--|
--|
--| Disclosure date: 2007-06-06
--| References:
--| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
@@ -119,8 +119,8 @@ action = function(host)
title = 'Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)',
state = vulns.STATE.NOT_VULN,
description = [[
A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
execute arbitrary code via a long zone name containing character constants represented by escape sequences.
]],
IDS = {CVE = 'CVE-2007-1748'},


@@ -7,12 +7,12 @@ local table = require "table"
local vulns = require "vulns"
description = [[
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability
Detects Microsoft Windows systems vulnerable to the remote code execution vulnerability
known as MS08-067. This check is dangerous and it may crash systems.
On a fairly wide scan conducted by Brandon Enright, we determined
that on average, a vulnerable system is more likely to crash than to survive
the check. Out of 82 vulnerable systems, 52 crashed.
the check. Out of 82 vulnerable systems, 52 crashed.
Please consider this before running the script.
This check was previously part of smb-check-vulns.nse.
@@ -23,15 +23,15 @@ This check was previously part of smb-check-vulns.nse.
-- nmap -sU --script smb-vuln-ms08-067.nse -p U:137 <host>
--
--@output
--| smb-vuln-ms08-067:
--| smb-vuln-ms08-067:
--| VULNERABLE:
--| Microsoft Windows system vulnerable to remote code execution (MS08-067)
--| State: VULNERABLE
--| IDs: CVE:CVE-2008-4250
--| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
--| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
--| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
--| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
--| code via a crafted RPC request that triggers the overflow during path canonicalization.
--|
--|
--| Disclosure date: 2008-10-23
--| References:
--| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
@@ -75,7 +75,7 @@ local INFECTED = 5
--@param host The host object.
--@return (status, result) If status is false, result is an error code; otherwise, result is either
-- <code>VULNERABLE</code> for vulnerable, <code>PATCHED</code> for not vulnerable,
-- <code>UNKNOWN</code> if there was an error (likely vulnerable),
-- <code>UNKNOWN</code> if there was an error (likely vulnerable),
-- and <code>INFECTED</code> if it was patched by Conficker.
function check_ms08_067(host)
local status, smbstate
@@ -125,8 +125,8 @@ action = function(host)
title = 'Microsoft Windows system vulnerable to remote code execution (MS08-067)',
state = vulns.STATE.NOT_VULN,
description = [[
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
code via a crafted RPC request that triggers the overflow during path canonicalization.
]],
IDS = {CVE = 'CVE-2008-4250'},


@@ -7,11 +7,11 @@ local table = require "table"
local vulns = require "vulns"
description = [[
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer
dereference. This check will crash the service if it is vulnerable and requires a guest account or
Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer
dereference. This check will crash the service if it is vulnerable and requires a guest account or
higher to work.
The vulnerability was discovered by Ron Bowes while working on <code>smb-enum-sessions</code> and
The vulnerability was discovered by Ron Bowes while working on <code>smb-enum-sessions</code> and
was reported to Microsoft (Case #MSRC8742).
This check was previously part of smb-check-vulns.
@@ -22,14 +22,14 @@ This check was previously part of smb-check-vulns.
-- nmap -sU --script smb-vuln-regsvc-dos.nse -p U:137,T:139 <host>
--
--@output
--| smb-vuln-regsvc-dos:
--| smb-vuln-regsvc-dos:
--| VULNERABLE:
--| Service regsvc in Microsoft Windows systems vulnerable to denial of service
--| State: VULNERABLE
--| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
--| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
--| The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
--| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
--| while working on smb-enum-sessions.
--|_
--|_
---
author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon <calderon()websec.mx>"}
@@ -62,7 +62,7 @@ local PATCHED = 2
--
--@param host The host object.
--@return (status, result) If status is false, result is an error code; otherwise, result is either
-- <code>VULNERABLE</code> for vulnerable or <code>PATCHED</code> for not vulnerable.
-- <code>VULNERABLE</code> for vulnerable or <code>PATCHED</code> for not vulnerable.
function check_winreg_Enum_crash(host)
local i, j
local elements = {}
@@ -107,8 +107,8 @@ action = function(host)
title = 'Service regsvc in Microsoft Windows systems vulnerable to denial of service',
state = vulns.STATE.NOT_VULN,
description = [[
The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
while working on smb-enum-sessions.
]]
}