Nmap Development mailing list archives
Status report #7 of 15
From: Dražen Popović <drazen.popovic () fer hr>
Date: Tue, 15 Jun 2010 02:27:17 +0200
Hi everyone.
This was somewhat a productive week.
Accomplishments:
* Made a check for the MS07-029 vulnerability which targets the
Dns Server RPC service.
* Integrated both the MS06-025 check and the MS07-029 check into
the smb-check-vulns.nse and merged it into the Nmap trunk
(thanks David for saving me from the merge hell).
NOTE: Tested on Win2003 Standard with no SPs.
Example cmd:
nmap -sS -p 445 --script="smb-check-vulns" --script-args="unsafe=1" <host>
Example output:
Host script results:
| smb-check-vulns:
| Conficker: UNKNOWN; not Windows, or Windows with disabled browser service (CLEAN); or Windows with crashed browser service (possibly INFECTED).
| |  If you know the remote system is Windows, try rebooting it and scanning
| |_ again. (Error NT_STATUS_OBJECT_NAME_NOT_FOUND)
| regsvc DoS: NOT VULNERABLE
| SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
| MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_ MS07-029: VULNERABLE
NOTE: These vulnerabilities are more likely to be found on server boxes,
as the vulnerable services are found running there more often than not
(NOT THE DEFAULT). Privileges needed to trigger the vulnerability are
similar in both MS06-026 and MS07-029 [1]. I tested with the Guest
account.
Any feedback is more than welcome, of course.
Priorities:
* Revise the "msrpctypes.lua" which handles all the NDR
packing/unpacking. Check the packing/unpacking of all the NDR
primitives using the MIDL test bench I've built. Document the
issues found, trace the scripts that depend on it.
* Choose another vulnerability to work on (it actually goes rather
smoothly now once I've figured out the correct way to do it).
* The semester is almost over, and there are a few things left to
take care of, so I must get on that ASAP.
References:
[0] "[NSE] Check for MS06-025 vulnerability in Microsoft RRAS service", http://seclists.org/nmap-dev/2010/q2/669
Cheers,
Dražen.
--
Laboratory for Systems and Signals
Department of Electronic Systems and Information Processing
Faculty of Electrical Engineering and Computing
University of Zagreb
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
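The priorities above mention checking the packing and unpacking of NDR primitives in msrpctypes.lua against a MIDL test bench. As an added illustration of what such round-trip checks look like (this is not msrpctypes.lua and not Nmap code), here is a small Python packer/unpacker for a handful of NDR primitives. It assumes the standard DCE NDR rules as Windows MSRPC uses them: little-endian integers, each primitive aligned to its own size relative to the start of the stub data, and a conformant-varying wide string that carries max_count, offset and actual_count (uint32 each) before its UTF-16LE elements, with the NUL terminator included in the counts. The class and function names (NdrPacker, NdrUnpacker, roundtrip) are my own.

```python
"""Tiny NDR primitive packer/unpacker with round-trip checks.

Added example, not msrpctypes.lua. Assumed rules (DCE NDR, little-endian
integer representation as Windows MSRPC sends it):
  * uint8/uint16/uint32/uint64 are aligned to 1/2/4/8 bytes from the start
    of the stub data;
  * a [string] wchar_t* is a conformant-varying array: max_count, offset,
    actual_count (uint32 each) followed by the UTF-16LE characters, and the
    terminating NUL is counted.
"""
import struct


def _align(pos, size):
    """Round pos up to the next multiple of size."""
    return (pos + size - 1) // size * size


class NdrPacker:
    def __init__(self):
        self.buf = bytearray()

    def _pad(self, size):
        self.buf.extend(b"\x00" * (_align(len(self.buf), size) - len(self.buf)))

    def uint8(self, v):
        self.buf += struct.pack("<B", v)

    def uint16(self, v):
        self._pad(2)
        self.buf += struct.pack("<H", v)

    def uint32(self, v):
        self._pad(4)
        self.buf += struct.pack("<I", v)

    def uint64(self, v):
        self._pad(8)
        self.buf += struct.pack("<Q", v)

    def wstring(self, s):
        # Conformant-varying wide string; counts include the NUL terminator.
        data = (s + "\0").encode("utf-16-le")
        n = len(data) // 2
        self.uint32(n)  # max_count
        self.uint32(0)  # offset
        self.uint32(n)  # actual_count
        self._pad(2)
        self.buf += data

    def bytes(self):
        return bytes(self.buf)


class NdrUnpacker:
    def __init__(self, data):
        self.data = data
        self.pos = 0

    def _take(self, fmt, size):
        self.pos = _align(self.pos, size)
        if self.pos + size > len(self.data):
            raise ValueError("truncated NDR buffer")
        (v,) = struct.unpack_from("<" + fmt, self.data, self.pos)
        self.pos += size
        return v

    def uint8(self):
        return self._take("B", 1)

    def uint16(self):
        return self._take("H", 2)

    def uint32(self):
        return self._take("I", 4)

    def uint64(self):
        return self._take("Q", 8)

    def wstring(self):
        max_count, offset, actual = self.uint32(), self.uint32(), self.uint32()
        # Reject headers that would make us read outside the element block.
        if offset != 0 or actual > max_count:
            raise ValueError("inconsistent conformant-varying string header")
        self.pos = _align(self.pos, 2)
        end = self.pos + 2 * actual
        if end > len(self.data):
            raise ValueError("string actual_count exceeds buffer")
        raw = self.data[self.pos:end]
        self.pos = end
        return raw.decode("utf-16-le").rstrip("\0")


def roundtrip(values):
    """Pack a list of (kind, value) pairs, unpack them again, return the values."""
    p = NdrPacker()
    for kind, v in values:
        getattr(p, kind)(v)
    u = NdrUnpacker(p.bytes())
    return [getattr(u, kind)() for kind, _ in values]


if __name__ == "__main__":
    # Constructed sample: mixed widths so the alignment padding is exercised.
    sample = [("uint8", 1), ("uint32", 0xDEADBEEF), ("uint16", 7),
              ("uint64", 1 << 40), ("wstring", "DNS")]
    print(roundtrip(sample) == [v for _, v in sample])
```

The interesting cases for a test bench are the ones the sample exercises: a uint8 followed by a uint32 (three bytes of padding), a uint16 followed by a uint64 (six bytes of padding), and a string whose counts must be consistent with the bytes that follow. A truncated or inconsistent buffer raises ValueError instead of reading past the end, which is the behaviour you want from any unmarshaller that handles data from a remote peer.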