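}

#==================================================================#
# Session accessors                                                #
#                                                                  #
# "Session" is a global array owned by the SMB layer; the indices  #
# used here (10..21) are the layout the rest of this file expects  #
# and must not be renumbered.                                      #
#==================================================================#

# OR "flag" into the primary session flag word (Session[10]).
function session_add_flags (flag)
{
  Session[10] = Session[10] | flag;
}

# Return the secondary session flag word (Session[11]).
function session_get_flags2 ()
{
  return Session[11];
}

# OR "flag" into the secondary session flag word (Session[11]).
function session_add_flags2 (flag)
{
  Session[11] = Session[11] | flag;
}

# Clear "flag" in the secondary session flag word.
#
# The previous implementation used XOR, which *toggles* the bit: calling
# del on a flag that was not set would silently set it.  AND-NOT only
# ever clears the bit, which is what a delete must do.
function session_del_flags2 (flag)
{
  Session[11] = Session[11] & ~flag;
}

# Hostname recorded for this session (Session[12]).
function session_get_hostname ()
{
  return Session[12];
}

function session_set_hostname (hostname)
{
  Session[12] = hostname;
}

# Non-zero once session_set_authenticated() has been called (Session[13]).
function session_is_authenticated ()
{
  return Session[13];
}

function session_set_authenticated ()
{
  Session[13] = 1;
}

# 1 if the session was flagged as a guest logon, 0 otherwise (Session[14]).
function session_is_guest ()
{
  if (Session[14] == 1)
    return 1;
  return 0;
}

function session_set_guest (guest)
{
  Session[14] = guest;
}

# Hand out the next call id (Session[15]) and advance the counter.
function session_get_cid ()
{
  local_var cid;

  cid = Session[15];
  Session[15] = cid + 1;
  return cid;
}

# Largest buffer the server announced it will accept (Session[16]).
function session_set_server_max_size (size)
{
  Session[16] = size;
}

function session_get_server_max_size ()
{
  return Session[16];
}

# Record what the server told us about itself:
#   Session[17] = os, Session[18] = lan manager string, Session[19] = domain.
function session_set_host_info (domain, os, lan)
{
  Session[17] = os;
  Session[18] = lan;
  Session[19] = domain;
}

function session_set_addrlist (addrlist)
{
  Session[20] = addrlist;
}

function session_get_addrlist ()
{
  return Session[20];
}

# Last error code stored by the transport/RPC layer (Session[21]).
function session_get_errorcode ()
{
  return Session[21];
}

function session_set_errorcode (code)
{
  Session[21] = code;
}

#==================================================================#
# Section 3. Utilities                                             #
#==================================================================#

# Value of one hexadecimal digit, or -1 if "c" is not a hex digit.
# Accepts both lower- and upper-case letters.
function _hex_nibble (c)
{
  local_var o;

  if (isnull(c) || strlen(c) != 1)
    return -1;

  o = ord(c);
  if (o >= ord("0") && o <= ord("9"))
    return o - ord("0");
  if (o >= ord("a") && o <= ord("f"))
    return o - ord("a") + 10;
  if (o >= ord("A") && o <= ord("F"))
    return o - ord("A") + 10;

  return -1;
}

# Decode a hex string ("4142") into the raw bytes it spells ("AB").
#
# Trailing blanks/CR/LF are stripped first.  Returns NULL when the input
# has an odd number of digits or contains a non-hex character, instead of
# emitting garbage bytes for the bad positions.  Upper-case digits are
# accepted (the previous version only decoded lower-case correctly).
function hex2raw2 (s)
{
  local_var i, l, hi, lo, ret;

  s = chomp(s);
  l = strlen(s);

  # An odd-length string has a dangling nibble we cannot decode.
  if ((l % 2) == 1)
    return NULL;

  ret = NULL;
  for (i = 0; i < l; i += 2)
  {
    hi = _hex_nibble(c:s[i]);
    lo = _hex_nibble(c:s[i+1]);
    if (hi < 0 || lo < 0)
      return NULL;
    ret += raw_string(hi * 16 + lo);
  }

  return ret;
}

# Reverse the byte order of "data" (used to flip between big- and
# little-endian representations of multi-byte fields).
function inverse (data)
{
  local_var out, idx;

  out = NULL;
  for (idx = strlen(data) - 1; idx >= 0; idx--)
    out += data[idx];

  return out;
}

# Hex string -> raw bytes, byte-swapped (little-endian field encoding).
function _hex (s)
{
  return inverse(data:hex2raw2(s:s));
}

# Encode a textual UUID ("xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx") into its
# 16-byte wire form: the first three fields are little-endian, the last
# two are copied byte for byte.  Returns NULL for a string that does not
# have exactly five dash-separated fields or contains non-hex digits.
function encode_uuid (uuid)
{
  local_var parts;

  parts = split(uuid, sep:"-", keep:FALSE);
  if (max_index(parts) != 5)
    return NULL;

  return _hex(s:parts[0]) +
         _hex(s:parts[1]) +
         _hex(s:parts[2]) +
         hex2raw2(s:parts[3]) +
         hex2raw2(s:parts[4]);
}

# Inverse of encode_uuid(): 16 raw bytes -> "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".
# Returns NULL if fewer than 16 bytes are supplied.
function decode_uuid (uuid)
{
  if (strlen(uuid) < 16)
    return NULL;

  return hexstr(inverse(data:substr(uuid, 0, 3))) + "-" +
         hexstr(inverse(data:substr(uuid, 4, 5))) + "-" +
         hexstr(inverse(data:substr(uuid, 6, 7))) + "-" +
         hexstr(substr(uuid, 8, 9)) + "-" +
         hexstr(substr(uuid, 10, 15));
}

# NDR "referent id + size" header for a buffer parameter.
function buffer_parameter (ref_id, size)
{
  return raw_dword(d:ref_id) + raw_dword(d:size);
}

# Build an NDR conformant/varying string parameter (class name style).
#
# The name is always emitted as Unicode: the session is temporarily
# switched to Unicode while cstring() runs and restored afterwards.
# When "_null" is explicitly FALSE the string is built with _null:1
# (cstring's own convention); otherwise cstring's default applies.
# When "size" is non-NULL a leading length/size word pair is prepended.
function class_parameter (ref_id, name, size, _null)
{
  local_var was_unicode, encoded, len, out;

  was_unicode = session_is_unicode();
  if (was_unicode == 0)
    session_set_unicode(unicode:1);

  if (!isnull(_null) && (_null == FALSE))
    encoded = cstring(string:name, _null:1);
  else
    encoded = cstring(string:name);

  len = strlen(encoded);

  # Pad to a 4-byte boundary (len is in bytes, len/2 in UTF-16 units).
  if ((len / 2) % 2 == 1)
    encoded += raw_word(w:0);

  if (!isnull(size))
    out = raw_word(w:len) +      # length
          raw_word(w:len);       # size
  else
    out = NULL;

  out += raw_dword(d:ref_id) +   # Referent ID
         raw_dword(d:len / 2) +  # Max count
         raw_dword(d:0) +        # Offset
         raw_dword(d:len / 2) +  # Actual count
         encoded;                # name

  if (was_unicode == 0)
    session_set_unicode(unicode:0);

  return out;
}

# Convert a binary SID into the dotted form used throughout this file:
# "<rev>-<authority>-<sub1>-...-<subN>" (note: no leading "S-").
#
# Only the last byte of the 6-byte identifier authority is read
# (pos 7), which is enough for the well-known authorities; a SID with
# an authority >= 256 would be rendered incorrectly.
# Returns NULL if the blob is too short for the sub-authority count it
# declares.
function sid2string (sid)
{
  local_var out, count, val, i;

  if (strlen(sid) < 8)
    return NULL;

  out = NULL;

  val = get_byte(blob:sid, pos:0);       # revision
  out += string(val, "-");

  count = get_byte(blob:sid, pos:1);     # number of sub-authorities
  val = get_byte(blob:sid, pos:7);       # low byte of identifier authority
  out += string(val, "-");

  if (strlen(sid) < 8 + count * 4)
    return NULL;

  for (i = 0; i < count; i++)
  {
    val = get_dword(blob:sid, pos:8 + i * 4);
    out += string(val, "-");
  }

  # drop the trailing "-"
  return substr(out, 0, strlen(out) - 2);
}

# Parse a decimal string into a little-endian DWORD.
function encode_int (i)
{
  local_var digits, acc, j;

  digits = strlen(i);
  acc = 0;
  for (j = 0; j < digits; j++)
    acc = acc * 10 + int(i[j]);

  return raw_dword(d:acc);
}

# Parse a decimal string and return only its low byte.
function encode_char (c)
{
  local_var dword;

  dword = encode_int(i:c);
  if (isnull(dword))
    return dword;

  return dword[0];
}

# Convert a textual SID into its binary form.
#
# Expects the leading prefix element to be present ("S-1-5-32-544"):
# field 0 is ignored, field 1 is the revision, field 2 the identifier
# authority (only its low byte is encoded), the rest are sub-authorities.
# Returns NULL when fewer than three fields are supplied.
function string2sid (s)
{
  local_var out, fields, count, i;

  fields = split(s, sep:"-", keep:FALSE);
  count = max_index(fields);
  if (count < 3)
    return NULL;

  out = encode_char(c:fields[1]) +                  # revision
        raw_string(count - 3, 0, 0, 0, 0, 0) +      # sub-auth count + 5 zero bytes of authority
        encode_char(c:fields[2]);                   # low byte of authority

  for (i = 3; i < count; i++)
    out += encode_int(i:fields[i]);

  return out;
}

# Parse a single ACE.
#
# Layout read: byte 0 = ACE type (allow/deny), byte 1 = ACE flags
# (inheritance), word 2 = ACE size, dword 4 = access mask, bytes 8.. = SID.
# Returns NULL when the blob length differs from the declared ACE size.
#
#   [0] access mask   [1] SID (raw)   [2] flags   [3] type
function parse_dacl (blob)
{
  local_var ace, size, mask, sid, ace_type, ace_flags;

  if (strlen(blob) < 8)
    return NULL;

  ace_type  = get_byte(blob:blob, pos:0);
  ace_flags = get_byte(blob:blob, pos:1);
  size      = get_word(blob:blob, pos:2);
  mask      = get_dword(blob:blob, pos:4);

  if (strlen(blob) != size)
    return NULL;

  sid = substr(blob, 8, size - 1);

  ace = NULL;
  ace[0] = mask;
  ace[1] = sid;
  ace[2] = ace_flags;
  ace[3] = ace_type;   # deny or allow

  return ace;
}

# Split an ACL blob into its raw ACEs.
#
# Layout read: word 0 = revision, word 2 = ACL size, dword 4 = ACE count,
# ACEs follow from offset 8, each carrying its own size at offset +2.
# Returns NULL if the blob is truncated or an ACE declares a size smaller
# than its fixed header.  The size check also stops a hostile ACE count
# with zero-length entries from spinning the loop without consuming data.
function parse_pdacl (blob)
{
  local_var rev, size, nace, i, pos, aces, length;

  if (strlen(blob) < 8)
    return NULL;

  rev  = get_word(blob:blob, pos:0);
  size = get_word(blob:blob, pos:2);
  nace = get_dword(blob:blob, pos:4);

  if (strlen(blob) < size)
    return NULL;

  aces = NULL;
  pos = 8;
  for (i = 0; i < nace; i++)
  {
    if (strlen(blob) < pos + 8)
      return NULL;

    length = get_word(blob:blob, pos:pos + 2);

    # An ACE is at least type/flags/size/mask; anything smaller would
    # not advance "pos" and is malformed anyway.
    if (length < 8)
      return NULL;
    if (strlen(blob) < pos + length)
      return NULL;

    aces[i] = substr(blob, pos, pos + length - 1);
    pos += length;
  }

  return aces;
}

# Parse a self-relative SECURITY_DESCRIPTOR.
#
# Layout read: byte 0 = revision, byte 1 = sbz1, word 2 = control,
# dwords 4/8/12/16 = offsets of owner SID, group SID, SACL, DACL
# (0 = absent).  Every offset is validated against the blob length
# before use, and any failed validation returns NULL.
#
#   [0] owner SID   [1] group SID   [2] raw SACL   [3] raw DACL
function parse_security_descriptor (blob)
{
  local_var rev, sbz1, sec_control, size, pos, sd;
  local_var off_owner, off_group, off_sacl, off_dacl;
  local_var sid_owner, sid_group, sacl, dacl;

  sid_owner = sid_group = sacl = dacl = NULL;

  if (strlen(blob) < 20)
    return NULL;

  rev         = get_byte(blob:blob, pos:0);
  sbz1        = get_byte(blob:blob, pos:1);   # was read from an undefined "blo" variable
  sec_control = get_word(blob:blob, pos:2);
  off_owner   = get_dword(blob:blob, pos:4);
  off_group   = get_dword(blob:blob, pos:8);
  off_sacl    = get_dword(blob:blob, pos:12);
  off_dacl    = get_dword(blob:blob, pos:16);

  if (off_sacl != 0)
  {
    pos = off_sacl;
    if (strlen(blob) < pos + 4)
      return NULL;
    rev  = get_word(blob:blob, pos:pos);
    size = get_word(blob:blob, pos:pos + 2);
    if (strlen(blob) < pos + size)
      return NULL;
    sacl = substr(blob, pos, pos + size - 1);
  }

  if (off_dacl != 0)
  {
    pos = off_dacl;
    if (strlen(blob) < pos + 4)
      return NULL;
    rev  = get_word(blob:blob, pos:pos);
    size = get_word(blob:blob, pos:pos + 2);
    if (strlen(blob) < pos + size)
      return NULL;
    dacl = substr(blob, pos, pos + size - 1);
  }

  if (off_owner != 0)
  {
    sid_owner = get_sid(blob:blob, pos:off_owner);
    if (!sid_owner)
      return NULL;
  }

  if (off_group != 0)
  {
    sid_group = get_sid(blob:blob, pos:off_group);
    if (!sid_group)
      return NULL;
  }

  sd = NULL;
  sd[0] = sid_owner;
  sd[1] = sid_group;
  sd[2] = sacl;
  sd[3] = dacl;

  return sd;
}

# Parse the two length-prefixed fields of an LSA LookupSids reply.
#
# Layout read: dword 0 = value, dword 4 = len1, bytes 8.. = field 1,
# then dword = len2 followed by field 2.  The server controls all of the
# lengths, so each one is checked against the data actually received;
# a truncated reply returns NULL rather than reading past the buffer.
#
#   [0] leading dword   [1] first field   [2] second field
function parse_lsalookupsid (data)
{
  local_var ret, len, pos;

  if (strlen(data) < 8)
    return NULL;

  ret = NULL;
  ret[0] = get_dword(blob:data, pos:0);

  len = get_dword(blob:data, pos:4);
  if (strlen(data) < 8 + len)
    return NULL;
  ret[1] = substr(data, 8, 8 + len - 1);

  pos = 8 + len;
  if (strlen(data) < pos + 4)
    return NULL;

  len = get_dword(blob:data, pos:pos);
  if (strlen(data) < pos + 4 + len)
    return NULL;
  ret[2] = substr(data, pos + 4, pos + 4 + len - 1);

  return ret;
}

# Extract the raw SID that starts at "pos" in "blob".
#
# The SID length is 8 + 4 * sub-authority count (byte at pos+1).
# Returns NULL if the blob cannot hold the whole SID.
function get_sid (blob, pos)
{
  local_var subcount, len;

  if (strlen(blob) < pos + 8)
    return NULL;

  subcount = ord(blob[pos + 1]);
  len = 8 + subcount * 4;

  if (strlen(blob) < pos + len)
    return NULL;

  return substr(blob, pos, pos + len - 1);
}

# Build an NDR string header + body for a class name (or hostname).
#
# A NULL name encodes as a single zero dword.  The string is padded to a
# 4-byte boundary; when the session is in Unicode mode the length and
# size fields count UTF-16 units rather than bytes.
function class_name (name)
{
  local_var encoded, len;

  if (isnull(name))
    return raw_dword(d:0);

  encoded = cstring(string:name);
  len = strlen(encoded);

  if ((len % 4) != 0)
    encoded += crap(data:raw_string(0), length:4 - (len % 4));

  if (session_is_unicode() == 1)
    len = len / 2;

  return raw_dword(d:len) +   # length
         raw_dword(d:0) +     # offset
         raw_dword(d:len) +   # size
         encoded;             # hostname
}

#==================================================================#
# Section 10. Old API wrapper                                      #
#==================================================================#
#                                                                  #
# This function MUST be redone:                                    #
#   - check for local user (admin rights)                          #
#   - domain user (admin group)                                    #
#                                                                  #
# NOTE: the unconditional "return FALSE" below is deliberate - the #
# check is disabled until it is rewritten, and everything after it #
# is currently unreachable.  When re-enabling it, note that        #
# SYNCHRONIZE is included in the "write" mask test; it is not a    #
# write right, so it would produce false positives as written.     #
#==================================================================#
function registry_key_writeable_by_non_admin (security_descriptor)
{
  local_var pdacl, dacl, item, access_rights, sid;
  local_var ADMIN_SID, LOCAL_SYSTEM_SID, CREATOR_OWNER_SID;

  # Need to change this function
  return FALSE;

  pdacl = security_descriptor[3];
  pdacl = parse_pdacl(blob:pdacl);

  # sids - written the nessus way (no "S-" prefix, see sid2string)
  ADMIN_SID         = "1-5-32-544";
  LOCAL_SYSTEM_SID  = "1-5-18";
  CREATOR_OWNER_SID = "1-3-0";

  foreach item (pdacl)
  {
    dacl = parse_dacl(blob:item);
    access_rights = dacl[0];
    sid = sid2string(sid:dacl[1]);

    if ( (access_rights & WRITE_DAC)     ||
         (access_rights & WRITE_OWNER)   ||
         (access_rights & SYNCHRONIZE)   ||
         (access_rights & ACCESS_WRITE)  ||
         (access_rights & ACCESS_CREATE) ||
         (access_rights & GENERIC_WRITE) )
    {
      if ((sid != ADMIN_SID) && (sid != LOCAL_SYSTEM_SID) && (sid != CREATOR_OWNER_SID))
        return TRUE;
    }
  }

  return FALSE;
}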