From dd9f063b1f65429c85e71aa6429c68950b09ebca Mon Sep 17 00:00:00 2001
From: ron
Date: Fri, 17 Apr 2009 01:09:29 +0000
Subject: [PATCH] Updated Conficker.D-detection code
---
 scripts/smb-check-vulns.nse | 30 ++++++++++++++----------------
 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/scripts/smb-check-vulns.nse b/scripts/smb-check-vulns.nse
index b4b93719a..ec2727239 100644
--- a/scripts/smb-check-vulns.nse
+++ b/scripts/smb-check-vulns.nse
@@ -219,34 +219,32 @@ function check_conficker(host) return false, bind_result end - -- Call netpathcanonicalize - local path = "\\..\\" - local error_result - status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, path) + -- Try checking a valid string to find Conficker.D + status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\") + if(status == true and netpathcanonicalize_result['can_path'] == 0x5c45005c) then + msrpc.stop_smb(smbstate) + return true, INFECTED2 + end + + -- Try checking an illegal string ("\..\") to find Conficker.C and earlier + local error_result + status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\..\\") - -- Stop the SMB session - msrpc.stop_smb(smbstate) if(status == false) then if(string.find(netpathcanonicalize_result, "INVALID_NAME")) then + msrpc.stop_smb(smbstate) return true, CLEAN - --elseif(string.find(netpathcanonicalize_result, "UNKNOWN_57") ~= nil and error_result['can_path'] == 0x5c450000) then elseif(string.find(netpathcanonicalize_result, "UNKNOWN_57") ~= nil) then + msrpc.stop_smb(smbstate) return true, INFECTED else + msrpc.stop_smb(smbstate) return false, netpathcanonicalize_result end end - -- Try a check that supposedly finds Conficker.E - local path = "\\" - local error_result - status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, path) - -- Stop the SMB session msrpc.stop_smb(smbstate) - if(error_result['can_path'] == 0x5c45005c) then - return true, INFECTED2 - end return true, CLEAN end 
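Review bot: The first `msrpc.srvsvc_netpathcanonicalize` call added for the Conficker.D probe assigns `error_result` before the `local error_result` declaration, which the commit moves below it, so that first assignment lands in a global rather than a local (`status` and `netpathcanonicalize_result` are presumably declared earlier in check_conficker, whose start lies outside the hunk). Placing `local error_result` directly under the `-- Try checking a valid string to find Conficker.D` comment and dropping the later duplicate declaration keeps all three results local. As a point of style, `msrpc.stop_smb(smbstate)` is now repeated in four branches plus the fall-through; storing the verdict in a pair of locals and calling stop_smb once before a single return would keep session teardown in one place and make it harder to leave the SMB session open on a future branch. The meaning of the `0x5c45005c` comparison is not explained anywhere in the hunk; a one-line comment naming what that `can_path` value signifies would help the next reader.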
@@ -345,7 +343,7 @@ action = function(host)
 response = response .. "Conficker: Likely INFECTED\n"
 found = true
 elseif(result == INFECTED2) then
- response = response .. "Conficker: Likely INFECTED (by Conficker.D or higher)"
+ response = response .. "Conficker: Likely INFECTED (by Conficker.D or higher)\n"
 found = true
 else
 response = response .. "Conficker: Unknown response received (" .. result .. ")"
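Review bot: The `else` branch visible two lines below the fixed line still builds the `Conficker: Unknown response received (...)` message without a trailing `\n`, so the same run-together output this hunk fixes for INFECTED2 apparently remains for the unknown-response case, assuming the other branches all end their line with `\n` as the INFECTED line above does. Appending the newline there too keeps the three branches consistent: `response = response .. "Conficker: Unknown response received (" .. result .. ")\n"`. The enclosing action function starts and ends outside the hunk.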