Nmap Development mailing list archives

NSE Script For MS06-040?


From: Fyodor <fyodor () insecure org>
Date: Fri, 11 Aug 2006 15:27:47 -0700

The latest critical Windows flaw, disclosed in MS06-040, has garnered
significant attention.  Here is the CVE, Bugtraq, and MS bulletin for
this Server service CanonicalizePathName() overflow:

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439
http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
http://www.securityfocus.com/bid/19409

eEye has released a stand alone scanner (limited to 16 or 256 IPs) here:

http://www.eeye.com/html/resources/downloads/audits/NetApi.html

And Nessus has a NASL script, but it is only available to paying customers until next week:

http://www.nessus.org/plugins/index.php?view=single&id=22194

And the Metasploit project has a working exploit for this:

http://metasploit.com/projects/Framework/exploits.html#netapi_ms06_040

Anyone want to create and post an NSE script (using Diman's latest NSE
release) to detect this bug?  It would be very interesting to compare
speed, reliability, etc. between Nmap, Nessus, and eEye scanner
looking just for this vulnerability.  And of course it would likely
help the many people on this list who want to ensure that all of their
Windows machines are properly patched.

The easiest approach is to take one of the other scanners above and
simply copy the probes and mechanisms they use to determine
vulnerability.  Such a script would be useful for testing, but we
could never include it in Nmap for copyright reasons.  So it is best
if someone knows or can figure out enough MSRPC to construct their own
query for the bug.  Yours may very well be better anyway.  It is OK if
the vast majority of the query is the same as in these other scanners
as long as you didn't copy it directly from them -- some similarities
are essential to achieve the desired function.

Do we have any takers?  Who can write a working, tested script first?

Cheers,
-F
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev