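# ---- Tail of a function whose head lies above this excerpt (a TransactNmPipe
# ---- carrying a winreg request with opnum 0x08). Kept token-for-token; only
# ---- the line breaks have been restored. ----
x = 64 + strlen(uc); x_lo = x % 256; x_hi = x / 256;
if(strlen(reply) < 17)exit(0);
magic1 = raw_string(ord(reply[16]), ord(reply[17]));
req = raw_string(0x00, 0x00, len_hi, len_lo, 0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80) + magic1 + raw_string( 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi, 0x10, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54, 0x00, x_lo, x_hi, 0x54, 0x00, 0x02, 0x00, 0x26, 0x00, pipe_low, pipe_high, y_lo, y_hi, 0x00, 0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x97, 0x00, 0x00, 0x00, z_lo, z_hi, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00);
magic = raw_string(ord(reply[84]));
for(i=1;i<20;i=i+1) { magic = magic + raw_string(ord(reply[84+i])); }
x = strlen(value) + strlen(value) + 2; x_lo = x % 256; x_hi = x / 256;
req = req + magic + raw_string(x_lo, x_hi, x_lo, x_hi, 0x01, 0x00, 0x00, 0x00, key_len_lo, key_len_hi, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, key_len_lo, key_len_hi, 0x00) + uc + raw_string(0);
send(socket:soc, data:req);
r = smb_recv(socket:soc, length:4096);
if(strlen(r) < 10)return(1);
error = substr(r, strlen(r) - 4, strlen(r) - 1);
return ( ( int(ord(error[3])) * 256 + int(ord(error[2])) ) * 256 + int(ord(error[1])) * 256 ) + int(ord(error[0]));
}


#--------------------------------------------------------------#
# RegShutdown()                                                #
#--------------------------------------------------------------#
#
# Sends a winreg request with opnum 0x18 (24; per MS-RRP that is
# BaseInitiateSystemShutdown) over an already-open \PIPE\winreg handle,
# asking the remote host to shut down or reboot.
#
# DESTRUCTIVE: this is not a probe. It takes the target down with the
# caller's credentials; callers are expected to gate it behind an explicit
# user decision.
#
# soc        - connected SMB socket (already negotiated / logged in)
# uid, tid   - SMB user id and tree id of the IPC$ session
# pipe       - SMB file id of the opened \PIPE\winreg
# message    - shutdown message shown to logged-in users (may be empty)
# timeout    - seconds before shutdown, encoded as a 32-bit little-endian int
# reboot     - non-zero: reboot after shutdown, zero: halt
# closeapps  - non-zero: force applications closed, zero: let them block
#
# Returns 0 on success; 1 when the reply is shorter than 10 bytes; otherwise
# the value decoded from the last four reply bytes (the DCERPC return code).
#
# NOTE(review): the decode below weights byte 1 and byte 2 both by 256 and
# byte 3 by 65536, so only codes that fit in the low byte (0, 2, 5, ...) come
# back with their true value. It is left as-is because the sibling functions in
# this file use the same expression and callers may compare against it.
#
function registry_shutdown(soc, uid, tid, pipe, message, timeout, reboot, closeapps )
{
 local_var i, error, msg_len, msg_len_hi, msg_len_lo, tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high, uc;
 local_var req, r, len, len_hi, len_lo, x, x_lo, x_hi, y, y_lo, y_hi, z, z_lo, z_hi;
 local_var msg_len2, msg_len2_lo, msg_len2_hi;

 msg_len = strlen(message) + 1;          # characters including the terminator
 msg_len_hi = msg_len / 256;
 msg_len_lo = msg_len % 256;

 tid_low  = tid % 256;  tid_high  = tid / 256;
 uid_low  = uid % 256;  uid_high  = uid / 256;
 pipe_low = pipe % 256; pipe_high = pipe / 256;

 uc = unicode4(data:message);

 # Length fields that depend on the message size. The constants are the fixed
 # byte counts of the headers that precede/contain the variable part.
 len = 146 + strlen(uc); len_hi = len / 256; len_lo = len % 256;   # NetBIOS session length
 z   = 38 + strlen(uc);  z_lo = z % 256;     z_hi = z / 256;       # DCERPC alloc hint (stub size)
 y   = 79 + strlen(uc);  y_lo = y % 256;     y_hi = y / 256;       # SMB ByteCount
 x   = 62 + strlen(uc);  x_lo = x % 256;     x_hi = x / 256;       # DataCount / DCERPC frag length

 # NetBIOS header, SMB header (SMB_COM_TRANSACTION = 0x25), transaction
 # parameters, "\PIPE\" and the DCERPC request header.
 req = raw_string(0x00, 0x00, len_hi, len_lo,
                  0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80, 0x00, 0x00)
     + raw_string(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,      # TID, PID, UID, MID (g_mlo/g_mhi are globals)
                  0x10, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x54, 0x00, x_lo, x_hi, 0x54, 0x00, 0x02, 0x00, 0x26, 0x00, pipe_low, pipe_high, y_lo, y_hi,
                  0x00, 0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00, 0x00, 0x00, 0x00, 0xb9,    # "\PIPE\" (UTF-16LE) + padding
                  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, z_lo, z_hi, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00);   # DCERPC request, opnum 0x18

 # Stub: pointers plus the counted UNICODE_STRING for the message.
 x = strlen(message) + strlen(message); x_lo = x % 256; x_hi = x / 256;   # string length in bytes
 y = x + 2; y_lo = y % 256; y_hi = y / 256;                               # max length (with terminator)
 msg_len2 = msg_len - 1; msg_len2_lo = msg_len2 % 256; msg_len2_hi = msg_len2 / 256;

 req += raw_string( 0x01, 0x00, 0x00, 0x00,                # ptr_1
                    0x01, 0x00, 0x00, 0x00,                # ptr_2
                    0x01, 0x00, 0x00, 0x00,                # ptr_3
                    x_lo, x_hi,                            # uni_str_len
                    y_lo, y_hi,                            # max_str_len
                    0x01, 0x00, 0x00, 0x00,                # buffer
                    msg_len_lo, msg_len_hi, 0x00, 0x00,    # uni_max_len
                    0x00, 0x00, 0x00, 0x00 ,               # undoc
                    msg_len2_lo, msg_len2_hi, 0x00, 0x00   # str_max_len
                    );
 req += uc;

 # 32-bit little-endian timeout, then the two flag bytes.
 req += raw_string(timeout % 256, (timeout/256) % 256, (timeout/(256*256)) % 256, timeout / (256*256*256));
 if ( closeapps ) req += raw_string(0x01); else req += raw_string(0x00);   # force apps closed
 if ( reboot )    req += raw_string(0x01); else req += raw_string(0x00);   # reboot instead of halt

 send(socket:soc, data:req);
 r = smb_recv(socket:soc, length:4096);
 if(strlen(r) < 10)return(1);

 # The DCERPC return code is the last 4 bytes of the reply.
 error = substr(r, strlen(r) - 4, strlen(r) - 1);
 return ( ( int(ord(error[3])) * 256 + int(ord(error[2])) ) * 256 + int(ord(error[1])) * 256 ) + int(ord(error[0]));
}


#----------------------------------------------------------#
# RegEnumKey()                                             #
#----------------------------------------------------------#
#
# Enumerates the sub-key names of an open registry key by issuing winreg
# requests with opnum 0x09 (BaseRegEnumKey per MS-RRP) with increasing index
# until the server returns a zero-length name.
#
# soc, uid, tid, pipe - as for registry_shutdown()
# reply               - the raw RegOpenKey reply returned by registry_get_key();
#                       bytes 84..103 of it are the 20-byte policy handle that
#                       is copied into every request
#
# Returns a list of sub-key names (every other byte of the UTF-16LE name, i.e.
# the low byte of each character), possibly empty; NULL when 'reply' or a
# response is too short to hold the fields that are read from it.
#
function registry_enum_key(soc, uid, tid, pipe, reply)
{
 local_var magic, req, req2, r, len, tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high, name, list, i, j;

 list = make_list();
 tid_low  = tid % 256;  tid_high  = tid / 256;
 uid_low  = uid % 256;  uid_high  = uid / 256;
 pipe_low = pipe % 256; pipe_high = pipe / 256;

 # 20-byte policy handle taken from the open-key reply; refuse to build
 # requests from a reply that cannot contain it.
 if (strlen(reply) < 104) return(NULL);
 magic = raw_string(ord(reply[84]));
 for (i = 1; i < 20; i = i + 1) { magic = magic + raw_string(ord(reply[84+i])); }

 # The enumeration index is sent as two bytes (j % 256, j / 256); past 0xFFFF
 # it would wrap and the loop could never terminate against a hostile server,
 # so that is the upper bound.
 for (j = 0; j <= 0xFFFF; j++)
 {
  # NetBIOS + SMB_COM_TRANSACTION (ASCII "\PIPE\") + DCERPC header, 168 bytes.
  req = raw_string(0x00, 0x00, 0x00, 0xa8,
                   0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x40,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                   0x10, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x4c, 0x00, 0x5c, 0x00, 0x4c, 0x00, 0x02, 0x00, 0x26, 0x00, pipe_low, pipe_high, 0x65, 0x00,
                   0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x00, 0x00,                   # "\PIPE\" + padding
                   0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x5c, 0x00, 0x00, 0x00, 0xff, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x00);   # DCERPC request, opnum 0x09

  # Stub: handle, index, then the (empty) name/class strings and last-write time.
  req2= magic + raw_string( j % 256, j / 256, 0x00, 0x00,  # key ID
                            0x00, 0x00,                    # key name len
                            0x14, 0x04,                    # unknown
                            0x01, 0x00, 0x00, 0x00,        # ptr
                            0x0a, 0x02, 0x00, 0x00,        # unknown_2
                            0x00, 0x00, 0x00, 0x00,        # padding
                            0x00, 0x00, 0x00, 0x00,        # padding
                            0x01, 0x00, 0x00, 0x00,        # ptr2
                            0x00, 0x00, 0x00, 0x00,        # padding2
                            0x00, 0x00, 0x00, 0x00,        # padding2
                            0x01, 0x00, 0x00, 0x00,        # ptr3
                            0xff, 0xff, 0xff, 0xff,        # smb_io_time low
                            0xff, 0xff, 0xff, 0x7f         # smb_io_time high
                            );
  req += req2;

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:65535);

  # The name length byte is read at offset 100 (DCERPC response at 60, stub
  # at 84): the reply has to reach past it.
  if (strlen(r) < 101) return(NULL);
  len = ord(r[60+24+16]);
  if (!len) break;                     # no more sub-keys

  # The loop below reads up to offset 60+43+(len-2)*2+1 = 100+2*len; bail out
  # on a truncated reply instead of indexing past its end.
  if (strlen(r) < 101 + 2*len) return(NULL);
  name = "";
  for (i = 0; i < len - 1; i++) name += r[60+43+i*2+1];
  list = make_list(list, name);
 }
 return list;
}


#----------------------------------------------------------#
# RegEnumValue()                                           #
#----------------------------------------------------------#
# Author: Nicolas Pouvesle
#
# Enumerates the values of an open registry key with winreg opnum 0x0A
# (BaseRegEnumValue per MS-RRP), one request per index, until the server
# returns a zero-length value name.
#
# soc, uid, tid, pipe - as for registry_shutdown()
# reply               - the raw RegOpenKey reply (policy handle at bytes 84..103)
#
# Returns an array laid out as name, data, name, data, ... (list[2*j] is the
# j-th value name, list[2*j+1] its data). Both are built from every other byte
# of the wire data, which only makes sense for string-typed (UTF-16LE) values;
# other types come back mangled. Only one length byte is honoured for the data,
# so values longer than 255 bytes are truncated. When the key has no values the
# array is never assigned and NULL is returned. NULL is also returned when
# 'reply' or a response is too short to hold the fields that are read from it.
#
function registry_enum_value(soc, uid, tid, pipe, reply)
{
 local_var magic, req, r, len, dlen, tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high, name, data, list, i, j;

 tid_low  = tid % 256;  tid_high  = tid / 256;
 uid_low  = uid % 256;  uid_high  = uid / 256;
 pipe_low = pipe % 256; pipe_high = pipe / 256;

 # 20-byte policy handle taken from the open-key reply.
 if (strlen(reply) < 104) return(NULL);
 magic = raw_string(ord(reply[84]));
 for (i = 1; i < 20; i = i + 1) { magic = magic + raw_string(ord(reply[84+i])); }

 # Two-byte index on the wire, hence the 0xFFFF bound (see registry_enum_key).
 for (j = 0; j <= 0xFFFF; j++)
 {
  # NetBIOS + SMB_COM_TRANSACTION (UTF-16 "\PIPE\") + DCERPC header, 192 bytes.
  req = raw_string(0x00, 0x00, 0x00, 0xC0,
                   0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80, 0x00, 0x83,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                   0x10, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x54, 0x00, 0x6C, 0x00, 0x54, 0x00, 0x02, 0x00, 0x26, 0x00, pipe_low, pipe_high, 0x59, 0x00,
                   0x00, 0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00, 0x00, 0x00, 0xEE, 0xD5,   # "\PIPE\" + padding
                   0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x6C, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00);   # DCERPC request, opnum 0x0A

  # Stub: handle, index, then fixed buffers/pointers for name, type and data
  # (the 0x0006f9xx values are literal pointer placeholders, not live data).
  req = req + magic + raw_string(j % 256, j / 256, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xcc, 0xf9, 0x06, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xa0, 0xf9, 0x06, 0x00, 0x59, 0xe6, 0x07, 0x00, 0x00, 0xc4, 0x04, 0x01, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb0, 0xf9, 0x06, 0x00, 0x00, 0x80, 0x00, 0x00, 0x94, 0xf9, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00);

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:65535);

  # Name length byte = first byte of the response stub (offset 84).
  if (strlen(r) < 85) return(NULL);
  len = ord(r[60+24]);
  if (!len) break;                     # no more values

  # Name characters are read at 60+43+i+1 (i < len) and the alignment probe
  # at 60+43+len+2: all of them must be inside the reply.
  if (strlen(r) < 60+43+len+3) return(NULL);
  name = "";
  for (i = 0; i < len; i = i+2) name += r[60+43+i+1];
  if (!ord(r[60+43+len+2])) len += 2;  # skip alignment padding after the name

  # Data length byte at 60+43+len+21 (with the adjusted len).
  if (strlen(r) < 60+43+len+22) return(NULL);
  dlen = ord(r[60+43+len+21]);

  # Data bytes are read at 60+43+len+24+i+1 for i < dlen.
  if (strlen(r) < 60+43+len+24+dlen+1) return(NULL);
  data = "";
  for (i = 0; i < dlen; i = i+2) data += r[60+43+len+24+i+1];

  list[j*2]   = name;
  list[j*2+1] = data;
 }
 return list;
}


#---------------------------------------------------------------------#
# RegOpenKey()                                                        #
#---------------------------------------------------------------------#
#
# Opens a sub-key of an already-open registry handle with winreg opnum 0x0F
# (BaseRegOpenKey per MS-RRP).
#
# soc, uid, tid, pipe - as for registry_shutdown()
# key                 - sub-key path, relative to the handle in 'reply'
# reply               - raw reply of the parent open (PidHigh at bytes 16..17,
#                       policy handle at 84..103 are copied from it)
# write               - non-zero requests access mask 0x02020019, i.e. the
#                       0x00020019 (KEY_READ) mask with the 0x02000000 bit
#                       (MAXIMUM_ALLOWED in the Windows ACCESS_MASK layout)
#                       added; zero requests 0x00020019 only
#
# Returns the raw reply (to be passed as 'reply' to the other registry_*
# functions) when the SMB status byte is 0 and the DCERPC return code is
# neither 5 (ERROR_ACCESS_DENIED) nor 2 (ERROR_FILE_NOT_FOUND); FALSE on any
# failure or on a reply too short to be used as a handle. Calls exit(0),
# ending the whole script, when 'reply' cannot hold the fields read from it.
#
function registry_get_key(soc, uid, tid, pipe, key, reply, write)
{
 local_var i, error, access_mask;
 local_var key_len, key_len_hi, key_len_lo, tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high;
 local_var uc, len, len_hi, len_lo, x, x_lo, x_hi, y, y_lo, y_hi, z, z_lo, z_hi, magic1, magic, req, r;

 key_len = strlen(key) + 1;              # characters including the terminator
 key_len_hi = key_len / 256;
 key_len_lo = key_len % 256;

 tid_low  = tid % 256;  tid_high  = tid / 256;
 uid_low  = uid % 256;  uid_high  = uid / 256;
 pipe_low = pipe % 256; pipe_high = pipe / 256;

 uc = unicode(data:key);
 if ( write ) access_mask = raw_string(0x19, 0x00, 0x02, 0x02);
 else access_mask = raw_string(0x19, 0x00, 0x02, 0x00);
 uc += access_mask;                      # the mask follows the name in the stub

 # Length fields that depend on the name (plus mask) size.
 len = 148 + strlen(uc); len_hi = len / 256; len_lo = len % 256;   # NetBIOS session length
 z   = 40 + strlen(uc);  z_lo = z % 256;     z_hi = z / 256;       # DCERPC alloc hint
 y   = 81 + strlen(uc);  y_lo = y % 256;     y_hi = y / 256;       # SMB ByteCount
 x   = 64 + strlen(uc);  x_lo = x % 256;     x_hi = x / 256;       # DataCount / DCERPC frag length

 # Every byte of 'reply' used below: PidHigh at 16..17 and the 20-byte policy
 # handle at 84..103. (The previous check, < 17, still allowed reply[17] and
 # the handle bytes to be read past the end of the string.)
 if(strlen(reply) < 104)exit(0);
 magic1 = raw_string(ord(reply[16]), ord(reply[17]));

 req = raw_string(0x00, 0x00, len_hi, len_lo,
                  0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80)
     + magic1
     + raw_string(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                  0x10, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                  0x54, 0x00, x_lo, x_hi, 0x54, 0x00, 0x02, 0x00, 0x26, 0x00, pipe_low, pipe_high, y_lo, y_hi,
                  0x00, 0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00, 0x00, 0x00, 0x00, 0xb9,    # "\PIPE\" (UTF-16LE) + padding
                  0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, z_lo, z_hi, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x00);   # DCERPC request, opnum 0x0F

 magic = raw_string(ord(reply[84]));
 for (i = 1; i < 20; i = i + 1) { magic = magic + raw_string(ord(reply[84+i])); }

 # Stub: handle, counted UNICODE_STRING header for the sub-key name, the name
 # itself and the access mask (already appended to uc).
 x = strlen(key) + strlen(key) + 2; x_lo = x % 256; x_hi = x / 256;
 req = req + magic + raw_string(x_lo, x_hi, 0x0A, 0x02, 0x00, 0xEC, 0xFD, 0x7F, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, key_len_lo, key_len_hi, 0x00, 0x00) + uc;

 send(socket:soc, data:req);
 r = smb_recv(socket:soc, length:4096);
 if(strlen(r) < 10)return(FALSE);

 # Declared NetBIOS length (big-endian) must cover an open-key reply ...
 len = ord(r[2])*256;
 len = len + ord(r[3]);
 if(len < 100)return(FALSE);
 # ... and the bytes must actually have arrived: callers index this reply at
 # 16..17 and 84..103, so a short read would otherwise surface there.
 if(strlen(r) < 104)return(FALSE);

 # pull the last 4 bytes off the end: the DCERPC return code
 error = substr(r, strlen(r) - 4, strlen(r) - 1);
 # access denied (5) / not found (2), returned by Windows XP+
 if (error == raw_string(0x05,0x00,0x00,0x00) || error == raw_string(0x02, 0x00, 0x00, 0x00)) return(FALSE);

 # r[9] is the first byte of the SMB status field (4-byte NetBIOS prefix + 5).
 if(ord(r[9])==0)return(r);
 else return(FALSE);
}


#------------------------------------------------------------------#
# Return TRUE if someone else than the admin group, the owner      #
# and the local system can modify the key                          #
#------------------------------------------------------------------#
# ---- This function continues past the end of this excerpt; its body is
# ---- reproduced token-for-token up to the cut. ----
function registry_key_writeable_by_non_admin(security_descriptor)
{
 local_var r, num_aces, size, start, s, i, mask, z, id_auth, num_auth, sub_auth, k, n, sid;
 local_var WRITE, ADMIN_SID, LOCAL_SYSTEM_SID, CREATOR_OWNER_SID;
 if(isnull(security_descriptor)) return(NULL);
 # write mask
 WRITE = 0x00010000 | 0x00040000 | 0x00080000 | 0x00000002 | 0x000004;
 # sids - written the nessus way
 ADMIN_SID = "1-000005-32-544";
 LOCAL_SYSTEM_SID = "1-000005-18";
 CREATOR_OWNER_SID = "1-000003-0";
 r = security_descriptor;
 num_aces = 0;
 num_aces = ord(r[135]);
 num_aces = ord(r[134])+ num_aces*256;
 num_aces = ord(r[133])+ num_aces*256;
 num_aces = ord(r[132])+ num_aces*256;
 start = 137;
 size = 0;
 s = start;
 for(i=0;i<num_aces;i=i+1)
 {
  z = ord(r[s+2]);
  z = ord(r[s+1])+z*256;
  mask = ord(r[s+6]);
  mask = ord(r[s+5])+mask*256;
  mask = ord(r[s+4])+mask*256;
  mask = ord(r[s+3])+mask*256;
  id_auth = ord(r[s+14]);
  id_auth = string(ord(r[s+13]), id_auth);
  id_auth = string(ord(r[s+12]), id_auth);
  id_auth = string(ord(r[s+11]), id_auth);
  id_auth = string(ord(r[s+10]), id_auth);
  id_auth = string(ord(r[s+9]), id_auth);
  num_auths = ord(r[s+8]);
  sub_auths = "";
  k = 15;
  for(c = 0;c < num_auths; c = c+1)
  {
   n = ord(r[s+k+3]);
   n = ord(r[s+k+2])+n*256;
   n = ord(r[s+k+1])+n*256;
   n = ord(r[s+k])+n*256;
   k = k + 4;
   sub_auths = string(sub_auths,"-",n);
  }
  sid = string(ord(r[s+7]), "-", id_auth, sub_auths);
  # display("sid = ", sid, "\n");
  if(mask & WRITE){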