smb_suspicious_files.nasl

漏洞扫描源码,可以扫描linux,windows,交换机路由器

#
#  This script was written by David Maciejak <david dot maciejak at kyxar dot fr>
#  This script is released under the GNU GPL v2
#
# BHO X http://computercops.biz/clsid.php?type=5 update 27012005
#
#
# Tenable grants a special exception for this plugin to use the library 
# 'smb_func.inc'. This exception does not apply to any modified version of 
# this plugin.
#
# kst-depend-smb

if(description)
{
 script_id(80042);
 script_version("$Revision: 1.9 $");

 name["english"] = "Potentially unwanted software";

 script_name(english:name["english"]);
 
 desc["english"] = "
This script checks for the presence of files and programs which 
might have been installed without the consent of the user of the
remote host.

Verify each of the applications found to see if they are compliant
with your organization's security policy. 
	
Solution : See the URLs which will appear in the report
Risk factor : High";


 script_description(english:desc["english"]);
 
 summary["english"] = "Checks for the presence of differents dll on the remote host";

 script_summary(english:summary["english"]);
 
 script_category(ACT_GATHER_INFO);
 
 script_copyright(english:"This script is Copyright (C) 2005 David Maciejak and Tenable Network Security");
 family["english"] = "Windows";
 script_family(english:family["english"]);
 
 script_dependencies("smb_hotfixes.nasl");
 script_require_keys("SMB/Registry/Enumerated");
 script_require_ports(139, 445);
 exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");
if ( get_kb_item("SMB/samba") ) exit(0);

global_var handle, name, url, key, exp, items;


port = kb_smb_transport();
if(!port)exit(0);

if(!get_port_state(port))return(FALSE);
login = kb_smb_login();
pass  = kb_smb_password();
domain = kb_smb_domain();

soc = open_sock_tcp(port);
if(!soc)exit(0);

session_init(socket:soc, hostname:kb_smb_name());
ret = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if ( ret != 1 ) exit(0);

handle = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);
if ( isnull(handle) ) exit(0);


function check_reg(name, url, key, item, exp)
{
  local_var key_h, value, sz, report;


  key_h = RegOpenKey(handle:handle, key:key, mode:MAXIMUM_ALLOWED);
  if( ! isnull(key_h) )
  {
    value = RegQueryValue(handle:key_h, item:item);
    RegCloseKey(handle:key_h);
    if ( ! isnull(value) ) sz = value[1]; 
    else return 0;
  }
  else return 0;
  
 if(exp == NULL || tolower(exp) >< tolower(sz))
 {
  report = string(
"'", name, "' is installed on the remote host.\n",
"Make sure that the user of the remote host intended to install
this software and that its use matches your corporate security
policy.\n\n",
"Solution : ", url, "\n",
"Risk factor : High");
 
  security_hole(port:kb_smb_transport(), data:report);
 }
}

i = 0;

########################################################################

function fill_names()
{
 local_var files, n, i, j;

 name = make_list();
 url  = make_list();
 key  = make_list();
 items  = make_list();
 exp = make_list();
files = split(keep:FALSE, _FCT_ANON_ARGS[0]);

n = max_index(files);
i = 0;
for ( j = 0 ;  j < n ;  i ++ )
{
 if ( !(files[j] =~ "^NAME" &&
      files[j+1] =~ "^URL" &&
      files[j+2] =~ "^KEY" &&
      files[j+3] =~ "^ITEM" &&
      files[j+4] =~ "^EXP") )
	{
	display("Error at line ", j,"\n");
	break;
	}
  name[i]	= files[j++] - "NAME=";
  url[i]	= files[j++] - "URL=";
  key[i]	= files[j++] - "KEY=";
  items[i] = files[j++] - "ITEM=";
  exp[i]   = files[j++] - "EXP=";
 }
}





##################################################


RegCloseKey(handle:handle);


rootfile = hotfix_get_systemroot();
if ( ! rootfile ) exit(0);

NetUseDel(close:FALSE);
share =  ereg_replace(pattern:"^([A-Za-z]):.*", replace:"\1$", string:rootfile); 
r = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if ( r != 1 )
{
 NetUseDel();
 exit(1);
}



fill_names("NAME=Commonname toolbar
URL=http://www.doxdesk.com/parasite/CommonName.html
KEY=CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
ITEM=
EXP=CnbarIE.dll
NAME=CoolWebSearch parasite variant
URL=http://www.richardthelionhearted.com/~merijn/cwschronicles.html
KEY=CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
ITEM=
EXP=msxmlpp.dll
NAME=AutoSearch
URL=http://www.doxdesk.com/parasite/AutoSearch.html
KEY=CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32
ITEM=
EXP=safesearch.dll
NAME=CoolWebSearch parasite variant
URL=http://www.richardthelionhearted.com/~merijn/cwschronicles.html
KEY=CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32
ITEM=
EXP=msxmlfilt.dll
NAME=ClearSearch
URL=http://doxdesk.com/parasite/ClearSearch.html
KEY=CLSID\{00000000-0000-0000-0000-000000000221}\InprocServer32
ITEM=
EXP=CSIE.DLL
NAME=ClearSearch
URL=http://doxdesk.com/parasite/ClearSearch.html
KEY=CLSID\{00000000-0000-0000-0000-000000000240}\InprocServer32
ITEM=
EXP=IE_ClrSch.dll
NAME=ClearSearch
URL=http://doxdesk.com/parasite/ClearSearch.html
KEY=CLSID\{00000000-0000-0000-0000-000000002230}\InprocServer32
ITEM=
EXP=Csbb.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-0000-0000-8835-3EFF76BF2657}\InprocServer32
ITEM=
EXP=kw3eef76.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-0000-0000-BFA1-D7EE6696B865}\InprocServer32
ITEM=
EXP=icdd7ee6.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-0000-41a3-98CF-00000000168B}\InprocServer32
ITEM=
EXP=wm41a398.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-0000-47c5-A90F-2CDE8F7638DB}\InprocServer32
ITEM=
EXP=iel2cde8.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0000-5DFC-5652-1705043F6518}\InprocServer32
ITEM=
EXP=audiosrv32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0000-7EBF-57C6-0BAE047EA682}\InprocServer32
ITEM=
EXP=autodisc32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0001-0345-2280-0287F27A63EE}\InprocServer32
ITEM=
EXP=Browserad.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0001-1DBE-075A-39EC04BD88AF}\InprocServer32
ITEM=
EXP=Avicap32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0001-F7A6-1F38-0204019E355E}\InprocServer32
ITEM=
EXP=Asferror32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0002-53D4-0622-35EA0235778E}\InprocServer32
ITEM=
EXP=Ati2dvaa32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0008-D357-0798-004401965D4A}\InprocServer32
ITEM=
EXP=apphelp32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0009-1C42-7D61-6CFF050894A7}\InprocServer32
ITEM=
EXP=avisynthEx32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0015-BD9C-263A-493001BA0C6C}\InprocServer32
ITEM=
EXP=asycfilt32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-002B-EFE6-6B08-560C01922D3B}\InprocServer32
ITEM=
EXP=Apcups32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0033-C1AC-0E62-0C1F0537605D}\InprocServer32
ITEM=
EXP=aviwrap32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-008C-1E65-6AA6-3A270279F027}\InprocServer32
ITEM=
EXP=Ati2dvag32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-00FA-71ED-4ABA-348801BAA0A9}\InprocServer32
ITEM=
EXP=Athprxy32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-08C8-8E68-587B-61F804EE6164}\InprocServer32
ITEM=
EXP=avisynth32.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-0C95-B1F8-547A-405204D6961A}\InprocServer32
ITEM=
EXP=avifile32.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-10D6-4e5f-8F7F-29B32C1C0FC4}\InprocServer32
ITEM=
EXP=icddefff.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-1530-70F0-6420-4C2701B37263}\InprocServer32
ITEM=
EXP=asfsipc32.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-167B-41bc-95FF-86A07B14712C}\InprocServer32
ITEM=
EXP=he3bbcff.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-2565-4c5b-A455-A74C8A2247AB}\InprocServer32
ITEM=
EXP=wmcbaaca.dll
NAME=TX 4 BrowserAd adware
URL=
KEY=CLSID\{00000000-387E-9D50-0079-1744044CB22A}\InprocServer32
ITEM=
EXP=authz32.dll
NAME=VX2 Respondmiter, Blackstone Transponder
URL=http://www.doxdesk.com/parasite/Transponder.html
KEY=CLSID\{00000000-5eb9-11d5-9d45-009027c14662}\InprocServer32
ITEM=
EXP=ehelper.dll
NAME=LZIO.com adware
URL=http://www.spywareguide.com/product_show.php?id=853
KEY=CLSID\{00000000-64C4-4a64-9767-895AB4921E41}\InprocServer32
ITEM=
EXP=ielcaabe.dll
NAME=iMesh
URL=http://www.spyany.com/program/article_spw_rm_IMesh.html
KEY=CLSID\{00000000-6CB0-410C-8C3D-8FA8D2011D0A}\InprocServer32
ITEM=
EXP=iMeshBHO.dll
NAME=Transponder parasite variant
URL=http://www.doxdesk.com/parasite/Transponder.html
KEY=CLSID\{00000000-C1EC-0345-6EC2-4D0300000000}\InprocServer32
ITEM=
EXP=ZServ.dll
NAME=AdBreak
URL=http://www.doxdesk.com/parasite/AdBreak.html 
KEY=CLSID\{00000000-D9E3-4BC6-A0BD-3D0CA4BE5271}\InprocServer32
ITEM=
EXP=Fhfmm.dll
NAME=Transponder variant
URL=http://www.webhelper4u.com/transponder/btgrab.html
KEY=CLSID\{00000000-F09C-02B4-6EC2-AD0300000000}\InprocServer32
ITEM=
EXP=BTGrab.dll
NAME=DyFuCa/Internet Optimizer
URL=http://www.doxdesk.com/parasite/InternetOptimizer.html
KEY=CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\InprocServer32
ITEM=
EXP=nem219.dll
NAME=Adware.Ramdud
URL=
KEY=CLSID\{00000015-A527-34E7-25C2-03A4E313B2E9}\InprocServer32
ITEM=
EXP=winsrvs_1.dll
NAME=aBetterinternet/Transponder variant
URL=http://doxdesk.com/parasite/Transponder.html 
KEY=CLSID\{00000026-8735-428D-B81F-DD098223B25F}\InprocServer32
ITEM=
EXP=speer.dll
NAME=aBetterinternet/Transponder
URL=http://doxdesk.com/parasite/Transponder.html
KEY=CLSID\{00000049-8F91-4D9C-9573-F016E7626484}\InprocServer32
ITEM=
EXP=ceres.dll
NAME=FavoriteMan
URL=http://www.doxdesk.com/parasite/FavoriteMan.html 
KEY=CLSID\{000000DA-0786-4633-87C6-1AA7A4429EF1}\InprocServer32
ITEM=
EXP=emesx.dll
NAME=FavoriteMan/FOne
URL=http://www.doxdesk.com/parasite/FavoriteMan.html 
KEY=CLSID\{000000F1-34E3-4633-87C6-1AA7A44296DA}\InprocServer32
ITEM=
EXP=FOne.dll
NAME=SmartBrowser
URL=http://www.doxdesk.com/parasite/SmartBrowser.html
KEY=CLSID\{00000185-B716-11D3-92F3-00D0B709A7D8}\InprocServer32
ITEM=
EXP=BHO.0.1.0
NAME=SmartBrowser
URL=http://www.doxdesk.com/parasite/SmartBrowser.html
KEY=CLSID\{00000185-C745-43D2-44F1-01A1C789C738}\InprocServer32
ITEM=
EXP=BHO.0.1.0
NAME=Transponder parasite variant
URL=http://webhelper4u.com/transponders/freephone.html
KEY=CLSID\{00000250-0320-4DD4-BE4F-7566D2314352}\InprocServer32
ITEM=
EXP=VoiceIP.dll
NAME=Transponder
URL=http://www.doxdesk.com/parasite/Transponder.html 
KEY=CLSID\{0000026A-8230-4DD4-BE4F-6889D1E74167}\InprocServer32
ITEM=
EXP=Tps108.dll
NAME=Transponder
URL=http://www.doxdesk.com/parasite/Transponder.html 
KEY=CLSID\{00000273-8230-4DD4-BE4F-6889D1E74167}\InprocServer32
ITEM=
EXP=host.dll
NAME=IPInsight
URL=http://www.doxdesk.com/parasite/IPInsight.html 
KEY=CLSID\{000004CC-E4FF-4F2C-BC30-DBEF0B983BC9}\InprocServer32
ITEM=
EXP=Ipinsigt.dll
NAME=VX2 Transponder variant