diff --git a/CHANGELOG b/CHANGELOG index 25a04dca3..0e9de633f 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,9 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] New script smb-vuln-ms17-010 detects a critical remote code execution + vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). + The script also reports patched systems. [Paulino Calderon] + o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon] diff --git a/scripts/script.db b/scripts/script.db index f9ee1a7ed..6dfe1214d 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -468,6 +468,7 @@ Entry { filename = "smb-vuln-ms07-029.nse", categories = { "dos", "exploit", "in Entry { filename = "smb-vuln-ms08-067.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } Entry { filename = "smb-vuln-ms10-054.nse", categories = { "dos", "intrusive", "vuln", } } Entry { filename = "smb-vuln-ms10-061.nse", categories = { "intrusive", "vuln", } } +Entry { filename = "smb-vuln-ms17-010.nse", categories = { "safe", "vuln", } } Entry { filename = "smb-vuln-regsvc-dos.nse", categories = { "dos", "exploit", "intrusive", "vuln", } } Entry { filename = "smbv2-enabled.nse", categories = { "default", "safe", } } Entry { filename = "smtp-brute.nse", categories = { "brute", "intrusive", } } diff --git a/scripts/smb-vuln-ms17-010.nse b/scripts/smb-vuln-ms17-010.nse new file mode 100644 index 000000000..b9b22c239 --- /dev/null +++ b/scripts/smb-vuln-ms17-010.nse @@ -0,0 +1,183 @@ +local smb = require "smb" +local vulns = require "vulns" +local stdnse = require "stdnse" +local string = require "string" + +description = [[ +Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code + execution vulnerability (ms17-010). + +The script connects to the $IPC tree, executes a transaction on FID 0 and + checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to + determine if the target is not patched against ms17-010. Additionally it checks + for known error codes returned by patched systems. + +Tested on Windows XP, 2003, 7, 8, 8.1, 10, 2008, 2012 and 2016. + +References: +* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx +* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ +* https://msdn.microsoft.com/en-us/library/ee441489.aspx +* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb +* https://github.com/cldrn/nmap-nse-scripts/wiki/Notes-about-smb-vuln-ms17-010 +]] + +--- +-- @usage nmap -p445 --script smb-vuln-ms17-010 +-- @usage nmap -p445 --script vuln +-- +-- @output +-- Host script results: +-- | smb-vuln-ms17-010: +-- | VULNERABLE: +-- | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) +-- | State: VULNERABLE +-- | IDs: CVE:CVE-2017-0143 +-- | Risk factor: HIGH +-- | A critical remote code execution vulnerability exists in Microsoft SMBv1 +-- | servers (ms17-010). +-- | +-- | Disclosure date: 2017-03-14 +-- | References: +-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 +-- | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx +-- |_ https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ +-- +-- @xmloutput +-- +-- Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) +-- VULNERABLE +--
+-- CVE:CVE-2017-0143 +--
+-- +-- A critical remote code execution vulnerability exists in Microsoft SMBv1 servers (ms17-010). +--
+-- +--
+-- 03 +-- 2017 +-- 14 +--
+-- +-- 2017-03-14 +-- +-- https://technet.microsoft.com/en-us/library/security/ms17-010.aspx +-- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 +-- https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ +--
+-- +-- +-- @args smb-vuln-ms17-010.sharename Share name to connect. Default: IPC$ +--- + +author = "Paulino Calderon " +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"vuln", "safe"} + +hostrule = function(host) + return smb.get_port(host) ~= nil +end + +local function check_ms17010(host, port, sharename) + local status, smbstate = smb.start_ex(host, true, true, "\\\\".. host.ip .. "\\" .. sharename, nil, nil, nil) + if not status then + stdnse.debug1("Could not connect to '%s'", sharename) + return false, string.format("Could not connect to '%s'", sharename) + else + local overrides = {} + local smb_header, smb_params, smb_cmd + + stdnse.debug1("Connected to share '%s'", sharename) + + overrides['parameters_length'] = 0x10 + + --SMB_COM_TRANSACTION opcode is 0x25 + smb_header = smb.smb_encode_header(smbstate, 0x25, overrides) + smb_params = string.pack(">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2", + 0x0, -- Total Parameter count (2 bytes) + 0x0, -- Total Data count (2 bytes) + 0xFFFF, -- Max Parameter count (2 bytes) + 0xFFFF, -- Max Data count (2 bytes) + 0x0, -- Max setup Count (1 byte) + 0x0, -- Reserved (1 byte) + 0x0, -- Flags (2 bytes) + 0x0, -- Timeout (4 bytes) + 0x0, -- Reserved (2 bytes) + 0x0, -- ParameterCount (2 bytes) + 0x4a00, -- ParameterOffset (2 bytes) + 0x0, -- DataCount (2 bytes) + 0x4a00, -- DataOffset (2 bytes) + 0x02, -- SetupCount (1 byte) + 0x0, -- Reserved (1 byte) + 0x2300, -- PeekNamedPipe opcode + 0x0, -- + 0x0700, -- BCC (Length of "\PIPE\") + 0x5c50, -- \P + 0x4950, -- IP + 0x455c -- E\ + ) + stdnse.debug2("SMB: Sending SMB_COM_TRANSACTION") + result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides) + if(result == false) then + stdnse.debug1("There was an error in the SMB_COM_TRANSACTION request") + return false, err + end + + result, smb_header, _, _ = smb.smb_read(smbstate) + _ , smb_cmd, err = string.unpack("=2 then + return err + end + end + return report:make_output(vuln) +end