Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / modules / nessus-2.2.8.mo / usr / lib / nessus / plugins / l2tpd_overflow2.nasl < prev next >

Wrap

Text File | 2005-01-14 | 2KB | 69 lines

# # (C) Tenable Network Security # # if (description) { script_id(13659); script_bugtraq_id(10466); script_cve_id("CAN-2004-0649"); if ( defined_func("script_xref") ) script_xref(name:"OSVDB", value:"6726"); script_version ("$Revision: 1.3 $"); script_name(english:"l2tpd < 0.69 overflow"); desc["english"] = " The remote host is running a version of l2tpd which is older or equal to 0.68. This version is vulnerable to a buffer overflow which might allow an attacker to execute arbitrary commands on the remote host with super-user privileges. Solution : upgrade to l2tpd 0.69 or newer Risk factor : High"; script_description(english:desc["english"]); script_summary(english:"Determines the version of the remote l2tpd"); script_category(ACT_GATHER_INFO); script_family(english:"Gain root remotely"); script_copyright(english:"This script is Copyright (C) 2004 Tenable Network Security"); exit(0); } function find_firmware(rep) { local_var i, firmware; for(i=12;i<strlen(rep);i++) { len = ord(rep[i]) * 256 + ord(rep[i+1]); if(ord(rep[i]) & 0x80)len -= 0x80 * 256; if(ord(rep[i+5]) == 6) { firmware = ord(rep[i+6]) * 256 + ord(rep[i+7]); return firmware; } else i += len - 1; } return NULL; } req = raw_string(0xC8, 2, 0, 20, 0, 0, 0, 0,0,0,0,0,0,8, 0,0,0,0,0,0); soc = open_sock_udp(1701); send(socket:soc, data:req); r = recv(socket:soc, length:1024); if(!r)exit(0); close(soc); if(("l2tpd" >< r) || ("Adtran" >< r)) { firmware = find_firmware(rep:r); hi = firmware / 256; lo = firmware % 256; if((hi == 0x06) && (lo < 0x90))security_hole(port:1701, proto:"udp"); }