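#
# This script was written by KK Liu
# [LSD] Critical security vulnerability in Microsoft Operating Systems
# Check methods based on Eeye's MSRPC scanner 1.03
#
# Updated 7/29/2003 - Now works for NT4
# Updated 8/13/2003 - Now works for Win 95/98/ME
#
# How the check works: the script binds to the RPC interface whose UUID is
# 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57 (IRemoteActivation) on the endpoint
# mapper port (135, or 593 as a fallback), sends one RemoteActivation request
# (opnum 0) whose stub carries only marker strings and a UNC path - no
# shellcode - and compares the four status bytes near the end of the reply
# with patterns observed on patched hosts. A reply matching none of the known
# patterns is reported as vulnerable, so an unexpected but harmless reply
# from an unusual stack will show up as a false positive rather than be
# missed; confirm such hits with the registry-based check where possible.
#

if (description)
{
  script_id(11808);
  script_bugtraq_id(8205);
  script_cve_id("CAN-2003-0352");
  if (defined_func("script_xref")) script_xref(name:"IAVA", value:"2003-A-0011");
  script_version("$Revision: 38 $");

  name["english"] = "Microsoft RPC Interface Buffer Overrun (823980)";
  script_name(english:name["english"]);

  desc["english"] = "The remote host is running a version of Windows which has a flaw in its RPC interface which may allow an attacker to execute arbitrary code and gain SYSTEM privileges. There is at least one Worm which is currently exploiting this vulnerability. Namely, the MsBlaster worm. Solution: see http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx Risk factor : High";
  script_description(english:desc["english"]);

  summary["english"] = "[LSD] Critical security vulnerability in Microsoft Operating Systems";
  script_summary(english:summary["english"]);

  script_category(ACT_ATTACK);
  script_copyright(english:"This script is Copyright (C) 2003 KK LIU");
  family["english"] = "Gain root remotely";
  script_family(english:family["english"]);

  script_dependencies("msrpc_dcom2.nasl");
  script_require_ports("Services/msrpc", 135, 593);
  exit(0);
}

#
# The script code starts here
#

# Run only after msrpc_dcom2.nasl (script id 11835) has launched, and skip
# hosts where the SMB hotfix check already found KB824146 (the MS03-039
# update, which also covers this issue) or was unable to verify it.
if (!get_kb_item("Launched/11835")) exit(0);
if (get_kb_item("SMB/KB824146")) exit(0);
if (get_kb_item("SMB/KB824146_cant_be_verified")) exit(0);

# Read one DCE/RPC connection-oriented PDU from 'socket'.
#
# The common header stores the PDU size as a 16-bit little-endian value
# at offset 8 (frag_length). The previous version read only the low byte,
# so a reply of 256 bytes or more was silently truncated and the callers'
# end-relative indexing then inspected the wrong bytes.
#
# Returns the complete PDU (header + body), or NULL when the header cannot
# be read, the advertised length is smaller than the header already
# consumed (which would otherwise pass a negative length to recv()), or
# the body arrives short. Callers index from the end of the buffer, so a
# partial PDU must never be returned as if it were whole.
function dcom_recv(socket)
{
  local_var hdr, body, len;

  hdr = recv(socket:socket, length:10);
  if (strlen(hdr) != 10) return NULL;

  len = ord(hdr[8]) + 256 * ord(hdr[9]);
  if (len < 10) return NULL;

  body = recv(socket:socket, length:len - 10);
  if (strlen(body) != len - 10) return NULL;

  return hdr + body;
}

debug = 0;

# Bind request used to recognise Windows 95/98/ME (interface UUID
# e6730ce6-f988-11cf-9af1-0020af6e72f4, version 2.0).
bindwinme = raw_string(
  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x53, 0x53, 0x56, 0x41,
  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
  0xe6, 0x73, 0x0c, 0xe6, 0xf9, 0x88, 0xcf, 0x11, 0x9a, 0xf1, 0x00, 0x20, 0xaf, 0x6e, 0x72, 0xf4,
  0x02, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00);

# Bind request for IRemoteActivation (UUID 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57,
# version 0.0) over the NDR transfer syntax.
bindstr = raw_string(
  0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x53, 0x53, 0x56, 0x41,
  0xd0, 0x16, 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
  0xb8, 0x4a, 0x9f, 0x4d, 0x1c, 0x7d, 0xcf, 0x11, 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57,
  0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
  0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00);

# RemoteActivation request (ptype 0x00, opnum 0, frag_length 0xc6). The stub
# holds "[NESSUS]" / "SSVA2003" markers and a UNC path; it carries no payload.
request = raw_string(
  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xc6, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0xae, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x5b, 0x4e, 0x45, 0x53, 0x53, 0x55, 0x53, 0x5d, 0x5b, 0x4e, 0x45, 0x53,
  0x53, 0x55, 0x53, 0x5d, 0x00, 0x00, 0x00, 0x00, 0x53, 0x53, 0x56, 0x41, 0x32, 0x30, 0x30, 0x33,
  0x53, 0x53, 0x56, 0x41, 0x32, 0x30, 0x30, 0x33, 0x68, 0x0f, 0x0b, 0x00, 0x1e, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x53, 0x4f, 0x43, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x63, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x53, 0x00, 0x53, 0x00, 0x56, 0x00,
  0x41, 0x00, 0x5f, 0x00, 0x32, 0x00, 0x30, 0x00, 0x30, 0x00, 0x33, 0x00, 0x5f, 0x00, 0x4e, 0x00,
  0x45, 0x00, 0x53, 0x00, 0x53, 0x00, 0x45, 0x00, 0x53, 0x00, 0x2e, 0x00, 0x74, 0x00, 0x78, 0x00,
  0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
  0x01, 0x00, 0x00, 0x00, 0xb8, 0xeb, 0x0b, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
  0x01, 0x00, 0x00, 0x00, 0x07, 0x00);

# Four-byte patterns taken from the tail of the RemoteActivation reply that
# are treated as "not vulnerable"; any other value is reported.
chk[0] = raw_string(0x00, 0x04, 0x00, 0x08);
chk[1] = raw_string(0x00, 0x05, 0x00, 0x07);
chk[2] = raw_string(0x00, 0x00, 0x20, 0x00);
# Pattern in the bindwinme reply that marks Windows 95/98/ME (not affected).
chk[3] = raw_string(0x02, 0x00, 0x01, 0x00);

# Prefer port 135; fall back to 593 when 135 is closed or refuses connections.
port = 135;
if (!get_port_state(port))
{
  port = 593;
}
else
{
  soc = open_sock_tcp(port);
  if (!soc) port = 593;
  else close(soc);
}

if (get_port_state(port))
{
  # First pass: Windows 95/98/ME answer the bindwinme request with a
  # recognisable pattern 24 bytes from the end of the reply. Those systems
  # are not affected, so stop here when it is seen.
  soc = open_sock_tcp(port);
  if (soc)
  {
    send(socket:soc, data:bindwinme);
    rwinme = dcom_recv(socket:soc);
    close(soc);
    if (!strlen(rwinme)) exit(0);

    lenwinme = strlen(rwinme);
    # Too short to contain the bytes inspected below; substr() would be
    # handed negative offsets.
    if (lenwinme < 24) exit(0);
    stubwinme = substr(rwinme, lenwinme - 24, lenwinme - 21);

    if (debug)
    {
      display('len = ', lenwinme, '\n');
      display('stub = ', hexstr(stubwinme), '\n');
      display('r = ', hexstr(rwinme), '\n');
    }

    if (stubwinme >< chk[3])
    {
      if (debug) display("Windows 95/98/ME found secure!\n");
      exit(0);
    }
  }

  # Second pass: bind to IRemoteActivation, send the probe and classify the
  # reply by the four bytes ending 22 bytes before its end.
  soc = open_sock_tcp(port);
  if (soc)
  {
    send(socket:soc, data:bindstr);
    r = dcom_recv(socket:soc);
    if (!strlen(r))
    {
      close(soc);
      exit(0);
    }
    # Only a bind_ack (ptype 0x0c at offset 2) means the interface is bound;
    # after a bind_nak the request could not produce a meaningful answer.
    if (ord(r[2]) != 0x0c)
    {
      close(soc);
      exit(0);
    }

    send(socket:soc, data:request);
    r = dcom_recv(socket:soc);
    close(soc);
    if (!strlen(r)) exit(0);

    len = strlen(r);
    # Same guard as above: the reply must be long enough for the
    # end-relative slice to exist.
    if (len < 25) exit(0);
    stub = substr(r, len - 25, len - 22);

    if (debug)
    {
      display('running second test\n');
      display('len = ', len, '\n');
      display('r = ', hexstr(r), '\n');
      display('stub = ', hexstr(stub), '\n');
    }

    # None of the known "patched" patterns matched: report the host.
    if ((stub >!< chk[0]) && (stub >!< chk[1]) && (stub >!< chk[2]))
    {
      if (debug) display("Warning: Vulnerable MSRPC host found!\n");
      security_hole(port:port);
    }
  }
}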