
  1. ##
  2. #
  3. # This script was written by KK Liu 
  4. # [LSD] Critical security vulnerability in Microsoft Operating Systems 
  5. # Check methods based on Eeye's MSRPC scanner 1.03
  6. # Updated 7/29/2003 - Now works for NT4
  7. # Updated 8/13/2003 - Now works for Win 95/98/ME
  8. #
  9. #
  10.  
if(description)
{
 # Registration branch: executed when the scanner loads the plugin,
 # before any target is probed.  Everything below only declares metadata.
 script_id(11808);
 script_bugtraq_id(8205);
 script_cve_id("CAN-2003-0352");
 # script_xref() does not exist on older engines, hence the guard.
 if(defined_func("script_xref"))script_xref(name:"IAVA", value:"2003-A-0011");
 script_version ("$Revision: 1.18 $");
 
 name["english"] = "Microsoft RPC Interface Buffer Overrun (823980)";
 script_name(english:name["english"]);
 
 desc["english"] = "
The remote host is running a version of Windows which has a flaw in 
its RPC interface which may allow an attacker to execute arbitrary code 
and gain SYSTEM privileges.  There is at least one Worm which is 
currently exploiting this vulnerability.  Namely, the MsBlaster worm.
 
 Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx 
 Risk factor : High";
 
 script_description(english:desc["english"]);
 
 summary["english"] = "[LSD] Critical security vulnerability in Microsoft Operating Systems";
 script_summary(english:summary["english"]);
 
 # ACT_ATTACK: the test sends crafted RPC PDUs to the target and inspects
 # the replies; it is not a passive/banner check.
 script_category(ACT_ATTACK);
 
 script_copyright(english:"This script is Copyright (C) 2003 KK LIU");
 family["english"] = "Gain root remotely";
 script_family(english:family["english"]);
 # The dependency presumably populates the SMB/KB824146* knowledge-base
 # keys consulted at the top of the probe section -- confirm in that script.
 script_dependencies("msrpc_dcom2.nasl");
 # 135 is tried first, 593 (RPC over HTTP) is the fallback.
 script_require_ports("Services/msrpc", 135, 593); 
 exit(0);
}
  45.  
  46.  
  47.  
  48. #
  49. # The script code starts here
  50. #
  51.  
#if(!get_kb_item("Launched/11835"))exit(0);
# Skip the network probe when the registry/SMB-based check already
# recorded that the KB824146 hotfix is installed.
if(get_kb_item("SMB/KB824146"))exit(0);
# NOTE(review): the script also bails out when the hotfix state could not
# be verified over SMB, so such hosts are never probed by this test --
# confirm that this is the intended policy.
if(get_kb_item("SMB/KB824146_cant_be_verified"))exit(0);
  55.  
  56. function dcom_recv(socket)
  57. {
  58.  local_var buf, len;
  59.  
  60.  buf = recv(socket:socket, length:9);
  61.  if(strlen(buf) != 9)return NULL;
  62.  
  63.  len = ord(buf[8]);
  64.  buf += recv(socket:socket, length:len - 9);
  65.  return buf;
  66. }
  67.  
  68.  
debug = 0;   # set to 1 to display() the raw replies and the extracted stubs

# DCE/RPC connection-oriented bind PDU.  Header: version 5.0, ptype 0x0b
# (bind), flags 0x03, little-endian data representation (0x10), and
# frag_length 0x0048 = 72 -- the exact size of this string.  Offset 24
# holds the interface UUID (mixed-endian byte order) and offset 44 the
# NDR transfer-syntax UUID.  Used by the first probe, which tells
# Win 95/98/ME hosts apart.
bindwinme = raw_string(
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x53,0x53,0x56,0x41,
0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0xe6,0x73,0x0c,0xe6,0xf9,0x88,0xcf,0x11,0x9a,0xf1,0x00,0x20,0xaf,0x6e,0x72,0xf4,
0x02,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
);

# Second bind PDU: same layout as bindwinme, but binding a different
# interface UUID (presumably the DCOM remote-activation interface that
# MS03-026 patches -- confirm against the bulletin).  Sent by the second
# probe, immediately followed by 'request'.
bindstr = raw_string(
0x05,0x00,0x0b,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x53,0x53,0x56,0x41,
0xd0,0x16,0xd0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,
0xb8,0x4a,0x9f,0x4d,0x1c,0x7d,0xcf,0x11,0x86,0x1e,0x00,0x20,0xaf,0x6e,0x7c,0x57,
0x00,0x00,0x00,0x00,0x04,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x08,0x00,
0x2b,0x10,0x48,0x60,0x02,0x00,0x00,0x00
);

# DCE/RPC request PDU (ptype 0x00, frag_length 0x00c6 = 198 bytes, alloc
# hint 0xae = 174 = stub size).  The stub carries the ASCII markers
# "[NESSUS][NESSUS]" and "SSVA2003" followed by a short UTF-16 UNC path
# ending in ".txt".  The host is classified solely from 4 status bytes in
# the reply (see chk[] below); the payload itself is a short, benign
# request and is not what decides the result.
request= raw_string(
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xc6,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xae,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x05,0x00,0x01,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x5b,0x4e,0x45,0x53,0x53,0x55,0x53,0x5d,0x5b,0x4e,0x45,0x53,
0x53,0x55,0x53,0x5d,0x00,0x00,0x00,0x00,0x53,0x53,0x56,0x41,0x32,0x30,0x30,0x33,
0x53,0x53,0x56,0x41,0x32,0x30,0x30,0x33,0x68,0x0f,0x0b,0x00,0x1e,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x1e,0x00,0x00,0x00,0x5c,0x00,0x5c,0x00,0x53,0x4f,0x43,0x00,
0x00,0x00,0x00,0x00,0x63,0x00,0x24,0x00,0x5c,0x00,0x53,0x00,0x53,0x00,0x56,0x00,
0x41,0x00,0x5f,0x00,0x32,0x00,0x30,0x00,0x30,0x00,0x33,0x00,0x5f,0x00,0x4e,0x00,
0x45,0x00,0x53,0x00,0x53,0x00,0x45,0x00,0x53,0x00,0x2e,0x00,0x74,0x00,0x78,0x00,
0x74,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02,0x00,0x00,0x00,0x02,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0xb8,0xeb,0x0b,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,
0x01,0x00,0x00,0x00,0x07,0x00
);


# Four-byte patterns compared against the stub cut from each reply.
# chk[3] identifies a patched Win 95/98/ME host in the first probe; a
# second-probe stub matching none of chk[0..2] is reported as vulnerable.
# The values follow the Eeye scanner method cited in the file header;
# the per-value status meaning is not documented here.
chk[0] = raw_string (0x00,0x04,0x00,0x08); 
chk[1] = raw_string (0x00,0x05,0x00,0x07);
chk[2] = raw_string (0x00,0x00,0x20,0x00);
chk[3] = raw_string (0x02,0x00,0x01,0x00);
  108.  
  109. report = "";
  110. port = 135;
  111. if(!get_port_state(port))
  112. {
  113.  port = 593;
  114. }
  115. else
  116. {
  117.  soc = open_sock_tcp(port);
  118.  if(!soc)port = 593;
  119.  else close(soc);
  120. }
  121.  
  122. if(get_port_state(port))
  123. {
  124.     soc = open_sock_tcp(port);
  125.     if(soc)
  126.     {
  127.         send(socket:soc,data:bindwinme);
  128.             rwinme  = dcom_recv(socket:soc);
  129.             if(!strlen(rwinme))exit(0);
  130.         lenwinme = strlen(rwinme);
  131.         stubwinme = substr(rwinme, lenwinme-24, lenwinme-21);
  132.         if (debug)
  133.         {
  134.             display('len = ', lenwinme, '\n');
  135.         display('stub  = ', hexstr(stubwinme), '\n');
  136.         display('r = ', hexstr(rwinme), '\n');
  137.         }
  138.         if (stubwinme >< chk[3])
  139.         {
  140.             if (debug) display("Windows 95/98/ME found secure!\n");
  141.         exit(0);
  142.             }
  143.         close(soc);
  144.     }
  145.     soc = open_sock_tcp(port);
  146.     if(soc)
  147.     {
  148.         send(socket:soc, data:bindstr);
  149.         r  = dcom_recv(socket:soc);
  150.         if(!strlen(r))exit(0);
  151.         send(socket:soc, data:request);
  152.         r  = dcom_recv(socket:soc);
  153.         if(!strlen(r))
  154.         {
  155.             exit(0);
  156.         }
  157.         close(soc);
  158.         
  159.         len = strlen(r);
  160.         stub = substr(r, len-25, len-22);
  161.         if (debug) 
  162.         {
  163.             display('running second test\n');
  164.             display('len  = ', len, '\n');
  165.         display('r = ', hexstr(r), '\n');
  166.             display('stub = ', hexstr(stub),  '\n');
  167.         }
  168.         if ((stub >!< chk[0]) && (stub >!< chk[1]) && (stub >!< chk[2]))
  169.         {
  170.             if (debug) display("Warning: Vulnerable MSRPC host found!\n");
  171.         security_hole(port:port);
  172.         }
  173.  
  174.     }
  175. }
  176.  
  177.