PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-15 20:29:03 +00:00
Code Issues Projects Releases Wiki Activity

Updated Conficker.D-detection code

Browse Source
This commit is contained in:
ron
2009-04-17 01:09:29 +00:00
parent 14f2c0c6db
commit dd9f063b1f
1 changed files with 14 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
scripts/smb-check-vulns.nse
View File

@@ -219,34 +219,32 @@ function check_conficker(host)
return false, bind_result
end
-- Call netpathcanonicalize
local path = "\\..\\"
local error_result
status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, path)
-- Try checking a valid string to find Conficker.D
status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\")
if(status == true and netpathcanonicalize_result['can_path'] == 0x5c45005c) then
msrpc.stop_smb(smbstate)
return true, INFECTED2
end
-- Try checking an illegal string ("\..\") to find Conficker.C and earlier
local error_result
status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, "\\..\\")
-- Stop the SMB session
msrpc.stop_smb(smbstate)
if(status == false) then
if(string.find(netpathcanonicalize_result, "INVALID_NAME")) then
msrpc.stop_smb(smbstate)
return true, CLEAN
--elseif(string.find(netpathcanonicalize_result, "UNKNOWN_57") ~= nil and error_result['can_path'] == 0x5c450000) then
elseif(string.find(netpathcanonicalize_result, "UNKNOWN_57") ~= nil) then
msrpc.stop_smb(smbstate)
return true, INFECTED
else
msrpc.stop_smb(smbstate)
return false, netpathcanonicalize_result
end
end
-- Try a check that supposedly finds Conficker.E
local path = "\\"
local error_result
status, netpathcanonicalize_result, error_result = msrpc.srvsvc_netpathcanonicalize(smbstate, host.ip, path)
-- Stop the SMB session
msrpc.stop_smb(smbstate)
if(error_result['can_path'] == 0x5c45005c) then
return true, INFECTED2
end
return true, CLEAN
end
@@ -345,7 +343,7 @@ action = function(host)
response = response .. "Conficker: Likely INFECTED\n"
found = true
elseif(result == INFECTED2) then
response = response .. "Conficker: Likely INFECTED (by Conficker.D or higher)"
response = response .. "Conficker: Likely INFECTED (by Conficker.D or higher)\n"
found = true
else
response = response .. "Conficker: Unknown response received (" .. result .. ")"