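################################################################################
# SMB Functions
#
# Copyright: SecPod
#
# Date Written: 2008/08/13
#
# Revision: 1.1
#
# Log: bchandra
#
# Added a support to detect file version with space and comma. (By schandan).
# 2008/09/16: Updated with new functions. (bchandra)
# ------------------------------------------------------------------------
# This program was written by SecPod and is licensed under the GNU GPL
# license. Please refer to the below link for details,
# http://www.gnu.org/licenses/gpl.html
# This header contains information regarding licensing terms under the GPL,
# and information regarding obtaining source code from the Author.
# Consequently, pursuant to section 3(c) of the GPL, you must accompany the
# information found in this header with any distribution you make of this
# Program.
# ------------------------------------------------------------------------
################################################################################
################################################################################
# GetVer(), bin_word(), bin_dword() are a derivative of smbcl_func.inc available
# in the OpenVAS repository
# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
################################################################################
# Get File version or product version reading through a file. An
# offset can be sent indicating the start location. By default
# file version is read, if product version is required, we can
# indicate verstr="prod"
#
# param:
#   socket, uid, tid, fid : open SMB session / tree / file handles
#   offset                : byte position to start reading from (NULL = default,
#                           negative = counted back from the end of the file)
#   verstr                : "prod" for ProductVersion, any other non-empty value
#                           is used verbatim as the search pattern
#   debug                 : unused
# returns: the dotted version string, or NULL when no version is found
#
# Note: pattern, patlen, start, chunk and item were previously undeclared and
# therefore leaked out of the function; they are now local.
#
function GetVersion(socket, uid, tid, fid, offset, verstr, debug)
{
  local_var fsize, data, i, j, tmp, version, ver, vers, len, retVal;
  local_var pattern, patlen, start, chunk, item;

  # Every NUL byte read from the file is replaced by "?" below, so the "?"
  # between characters matches the NUL of a UTF-16 encoded string.
  pattern = "F?i?l?e?V?e?r?s?i?o?n";
  if(verstr == "prod"){
    pattern = "P?r?o?d?u?c?t?V?e?r?s?i?o?n";
  }
  else if(verstr){
    pattern = verstr;
  }
  patlen = strlen(pattern);

  fsize = smb_get_file_size(socket:socket, uid:uid, tid:tid, fid:fid);

  # Default start position: the last 180224 bytes of the file, or the whole
  # file when it is smaller than that.
  if(isnull(offset)) {
    if(fsize < 180224){
      offset = 0;
    }
    else{
      offset = fsize - 180224;
    }
  }
  # A negative offset counts back from the end of the file.
  if(offset < 0){
    offset = fsize + offset;
  }
  start = offset;
  # Out-of-range start: fall back to the middle of the file.
  if(start < 0 || start > fsize){
    start = fsize/2;
  }
  offset = start;

  chunk = 16384;
  # The outer counter i is not used by the loop body; the loop is bounded by
  # the file size only.
  for(i = 0; offset < fsize; i++)
  {
    tmp = ReadAndX(socket:socket, uid:uid, tid:tid, fid:fid, count:chunk, off:offset);
    if(tmp)
    {
      if(pattern == "build"){
        tmp = str_replace(find:raw_string(0), replace:"", string:tmp);
      }
      else tmp = str_replace(find:raw_string(0), replace:"?", string:tmp);
      data += tmp;
      version = strstr(data, pattern);
      if(version)
      {
        len = strlen(version);
        # Walk the bytes following the pattern and collect the version:
        # digits are kept, "," and "." become ".", " " and a single "?" (a
        # UTF-16 NUL) are skipped, two consecutive "?" end the string.
        for(j = patlen; j < len; j++)
        {
          if((ord(version[j]) < ord("0") || ord(version[j]) > ord("9")) &&
             (version[j] != "." && version[j] != "," && version[j] != " " && version[j] != "?"))
          {
            # First non-version character: strip a trailing "." by rebuilding
            # the string from its components, then drop the leading "." that
            # the rebuild adds (string subtraction removes the first match).
            if(ver[strlen(ver)-1] == ".")
            {
              vers = split(ver, sep:".", keep:0);
              foreach item (vers){
                retVal += string("." + item);
              }
              retVal -= string(".");
              return(retVal);
            }
            return (ver);
          }
          else if(version[j] == "," || version[j] == "."){
            ver += ".";
          }
          else if(ver && version[j] == "?" && version[j+1] == "?"){
            return (ver);
          }
          else if(version[j] == " "||version[j] == "?"){
          }
          else{
            ver += version[j];
          }
        }
      }
      offset += chunk;
    }
  }
  return NULL;
}

# Connection parameters shared by the registry helpers below; they are
# taken from the knowledge base once at include time.
global_var name, login, pass, domain, port;

name = kb_smb_name();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();
port = get_kb_item("SMB/transport");

########################################################################
# Enumerate registry values for a given key
# param:
# key: REGISTRY_KEY
# returns: the value list from registry_enum_value(), or FALSE on any
#          failure while setting up the SMB session / winreg pipe
#
# The socket is closed on every path, including the success path, which
# previously left it open.
########################################################################
function registry_enum_values(key)
{
  local_var soc, r, prot, uid, tid, pipe, handle, list;

  if(!port){
    port = 445;
  }

  soc = open_sock_tcp(port);
  if(!soc){
    return FALSE;
  }

  r = smb_session_request(soc:soc, remote:name);
  if(!r)
  {
    close(soc);
    return FALSE;
  }

  prot = smb_neg_prot(soc:soc);
  if(!prot)
  {
    close(soc);
    return FALSE;
  }

  r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
  if(!r)
  {
    close(soc);
    return FALSE;
  }

  uid = session_extract_uid(reply:r);
  if(!uid)
  {
    close(soc);
    return FALSE;
  }

  r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
  if(!r)
  {
    close(soc);
    return FALSE;
  }

  tid = tconx_extract_tid(reply:r);
  if(!tid)
  {
    close(soc);
    return FALSE;
  }

  r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
  if(!r)
  {
    close(soc);
    return FALSE;
  }

  pipe = smbntcreatex_extract_pipe(reply:r);
  if(!pipe)
  {
    close(soc);
    return FALSE;
  }

  r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
  if(!r)
  {
    close(soc);
    return FALSE;
  }

  handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
  if(!handle)
  {
    close(soc);
    return FALSE;
  }

  r = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:handle);
  if(!r)
  {
    close(soc);
    return FALSE;
  }

  list = registry_enum_value(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r);
  # Release the socket before returning; the original leaked it on success.
  close(soc);
  return(list);
}

###############################################################################
# Enumerate registry keys
# param:
# key: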
REGISTRY_KEY################################################################################function registry_enum_keys(key){ if(!port){ port = 445; } soc = open_sock_tcp(port); if(!soc) { return FALSE; } r = smb_session_request(soc:soc, remote:name); if(!r) { close(soc); return FALSE; } prot = smb_neg_prot(soc:soc); if(!prot) { close(soc); return FALSE; } r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot); if(!r) { close(soc); return FALSE; } uid = session_extract_uid(reply:r); if(!uid) { close(soc); return FALSE; } r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$"); if(!r) { close(soc); return FALSE; } tid = tconx_extract_tid(reply:r); if(!tid) { close(soc); return FALSE; } r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg"); if(!r) { close(soc); return FALSE; } pipe = smbntcreatex_extract_pipe(reply:r); if(!pipe) { close(soc); return FALSE; } r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe); if(!r) { close(soc); return FALSE; } handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe); if(!handle) { close(soc); return FALSE; } r = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:handle); if(!r) { close(soc);