home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / msrpc_dcom.nasl < prev    next >
Encoding:
Text File  |  2005-03-31  |  5.2 KB  |  179 lines
  1. ##
  2. #
  4. # This script was written by KK Liu 
  5. # [LSD] Critical security vulnerability in Microsoft Operating Systems 
  6. # Check methods based on Eeye's MSRPC scanner 1.03
  8. # Updated 7/29/2003 - Now works for NT4
  9. # Updated 8/13/2003 - Now works for Win 95/98/ME
  10. #
  11. #
  12.  
  13. if(description)
  14. {
  15.  script_id(11808);
  16.  script_bugtraq_id(8205);
  17.  script_cve_id("CAN-2003-0352");
  18.  if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2003-A-0011");
  19.  script_version ("$Revision: 1.18 $");
  20.  
  21.  name["english"] = "Microsoft RPC Interface Buffer Overrun (823980)";
  22.  script_name(english:name["english"]);
  23.  
  24.  desc["english"] = "
  25. The remote host is running a version of Windows which has a flaw in 
  26. its RPC interface which may allow an attacker to execute arbitrary code 
  27. and gain SYSTEM privileges.  There is at least one Worm which is 
  28. currently exploiting this vulnerability.  Namely, the MsBlaster worm.
  29.  
  30.  Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx 
  31.  Risk factor : High";
  32.  
  33.  script_description(english:desc["english"]);
  34.  
  35.  summary["english"] = "[LSD] Critical security vulnerability in Microsoft Operating Systems";
  36.  script_summary(english:summary["english"]);
  37.  
  38.  script_category(ACT_ATTACK);
  39.  
  40.  script_copyright(english:"This script is Copyright (C) 2003 KK LIU");
  41.  family["english"] = "Gain root remotely";
  42.  script_family(english:family["english"]);
  43.  script_dependencies("msrpc_dcom2.nasl");
  44.  script_require_ports("Services/msrpc", 135, 593); 
  45.  exit(0);
  46. }
  47.  
  48.  
  49.  
  50. #
  51. # The script code starts here
  52. #
  53.  
  54. #if(!get_kb_item("Launched/11835"))exit(0);
  55. if(get_kb_item("SMB/KB824146"))exit(0);
  56. if(get_kb_item("SMB/KB824146_cant_be_verified"))exit(0);
  57.  
  58. function dcom_recv(socket)
  59. {
  60.  local_var buf, len;
  61.  
  62.  buf = recv(socket:socket, length:9);
  63.  if(strlen(buf) != 9)return NULL;
  64.  
  65.  len = ord(buf[8]);
  66.  buf += recv(socket:socket, length:len - 9);
  67.  return buf;
  68. }
  69.  
  70.  
  71. debug = 0;
  72.  
  73. bindwinme = raw_string(
  74. 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x53,0x53,0x56,0x41,
  75. 0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
  76. 0xe6,0x73,0x0c,0xe6,0xf9,0x88,0xcf,0x11,0x9a,0xf1,0x00,0x20,0xaf,0x6e,0x72,0xf4,
  77. 0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
  78. 0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
  79. );
  80.  
  81. bindstr = raw_string(
  82. 0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x53,0x53,0x56,0x41,
  83. 0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
  84. 0xb8,0x4a,0x9f,0x4d,0x1c,0x7d,0xcf,0x11,0x86,0x1e,0x00,0x20,0xaf,0x6e,0x7c,0x57,
  85. 0x00,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
  86. 0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
  87. );
  88.  
  89. request= raw_string(
  90. 0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xc6,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  91. 0xae,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x01,0x00,0x00,0x00,0x00,0x00,
  92. 0x00,0x00,0x00,0x00,0x5b,0x4e,0x45,0x53,0x53,0x55,0x53,0x5d,0x5b,0x4e,0x45,0x53,
  93. 0x53,0x55,0x53,0x5d,0x00,0x00,0x00,0x00,0x53,0x53,0x56,0x41,0x32,0x30,0x30,0x33,
  94. 0x53,0x53,0x56,0x41,0x32,0x30,0x30,0x33,0x68,0x0f,0x0b,0x00,0x1e,0x00,0x00,0x00,
  95. 0x00,0x00,0x00,0x00,0x1e,0x00,0x00,0x00,0x5c,0x00,0x5c,0x00,0x53,0x4f,0x43,0x00,
  96. 0x00,0x00,0x00,0x00,0x63,0x00,0x24,0x00,0x5c,0x00,0x53,0x00,0x53,0x00,0x56,0x00,
  97. 0x41,0x00,0x5f,0x00,0x32,0x00,0x30,0x00,0x30,0x00,0x33,0x00,0x5f,0x00,0x4e,0x00,
  98. 0x45,0x00,0x53,0x00,0x53,0x00,0x45,0x00,0x53,0x00,0x2e,0x00,0x74,0x00,0x78,0x00,
  99. 0x74,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
  100. 0x01,0x00,0x00,0x00,0xb8,0xeb,0x0b,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  101. 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
  102. 0x01,0x00,0x00,0x00,0x07,0x00
  103. );
  104.  
  105.  
  106. chk[0] = raw_string (0x00,0x04,0x00,0x08); 
  107. chk[1] = raw_string (0x00,0x05,0x00,0x07);
  108. chk[2] = raw_string (0x00,0x00,0x20,0x00);
  109. chk[3] = raw_string (0x02,0x00,0x01,0x00);
  110.  
  111. report = "";
  112. port = 135;
  113. if(!get_port_state(port))
  114. {
  115.  port = 593;
  116. }
  117. else
  118. {
  119.  soc = open_sock_tcp(port);
  120.  if(!soc)port = 593;
  121.  else close(soc);
  122. }
  123.  
  124. if(get_port_state(port))
  125. {
  126.     soc = open_sock_tcp(port);
  127.     if(soc)
  128.     {
  129.         send(socket:soc,data:bindwinme);
  130.             rwinme  = dcom_recv(socket:soc);
  131.             if(!strlen(rwinme))exit(0);
  132.         lenwinme = strlen(rwinme);
  133.         stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);
  134.         if (debug)
  135.         {
  136.             display('len = ', lenwinme, '\n');
  137.         display('stub  = ', hexstr(stubwinme), '\n');
  138.         display('r = ', hexstr(rwinme), '\n');
  139.         }
  140.         if (stubwinme >< chk[3])
  141.         {
  142.             if (debug) display("Windows 95/98/ME found secure!\n");
  143.         exit(0);
  144.             }
  145.         close(soc);
  146.     }
  147.     soc = open_sock_tcp(port);
  148.     if(soc)
  149.     {
  150.         send(socket:soc, data:bindstr);
  151.         r  = dcom_recv(socket:soc);
  152.         if(!strlen(r))exit(0);
  153.         send(socket:soc, data:request);
  154.         r  = dcom_recv(socket:soc);
  155.         if(!strlen(r))
  156.         {
  157.             exit(0);
  158.         }
  159.         close(soc);
  160.         
  161.         len = strlen(r);
  162.         stub = substr(r, len-25, len-22);
  163.         if (debug) 
  164.         {
  165.             display('running second test\n');
  166.             display('len  = ', len, '\n');
  167.         display('r = ', hexstr(r), '\n');
  168.             display('stub = ', hexstr(stub),  '\n');
  169.         }
  170.         if ((stub >!< chk[0]) && (stub >!< chk[1]) && (stub >!< chk[2]))
  171.         {
  172.             if (debug) display("Warning: Vulnerable MSRPC host found!\n");
  173.         security_hole(port:port);
  174.         }
  175.  
  176.     }
  177. }
  178.  
  179.