Nmap Development mailing list archives

Re: [NSE] Shodan exploits database library (and demo script)


From: Gutek <ange.gutek () gmail com>
Date: Sun, 12 Dec 2010 12:19:29 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Just an update. As promised, I've started working from scratch on a real
exploits search script.
I don't attach any code by now because "as-it" it's still a real
shameful mess...however, I can obtain encouraging results so far :

80/tcp open  http    syn-ack Apache httpd 2.0.46 ((Red Hat))
| demo: Found 2 existing exploits
| On multiple, Apache <= 2.0.49 Arbitrary Long HTTP Headers Denial of
Service
|_On multiple, Apache <= 2.0.52 HTTP GET request Denial of Service Exploit

As said before, the hard part is that there is absolutely no standard in
the way the exploits descriptions are published : both speaking about
their product/vendor  name design, and their vulnerable versions range
(<= x.y.z, x.y.z to|- a.b.c, etc.).
A lot of smart string parsing and a little mathematics in vue !
David's function (http://seclists.org/nmap-dev/2010/q2/566) to
canonicalize names will help with product parsing, and I'm working on
another function to numerize and compare versions by computing a unique
serial number from the x.y.z notation:

function numerize(versionnumber) -- simplified, for this mail
    local t = stdnse.strsplit("%.", versionnumber)
    local index,serial = 0,0
    for i,k in ipairs(t) do
       index = k/i
       serial = serial+index
    end
    return serial
end

This gives something like this (example from one of the dozen exploits
matching "apache"):
NSE: [EXPLOIT VERSION]
2.0.52                                                                                                  
 
NSE: [NUMERIZE]  i=1
k=2(2)                                                                                
 
NSE: [NUMERIZE]  i=2
k=0(0)                                                                                
 
NSE: [NUMERIZE]  i=3
k=52(17.333333333333)                                                                 
 
NSE: [NUMERIZE] serial=19.333333333333

Now, if we have a detected version of 2.0.46, its serial (computed from
this function) would be 17.33.
So if the exploit's description says " <= 2.0.52", then we have target
version(17.33) IS_PRIOR_TO exploit version(19.33)...and a match.

Have a nice day,

A.G.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk0Er8EACgkQ3aDTTO0ha7hfHwCfYCsHLgaAK3DOTofe3bFdQ1Pk
j50AmgNzuLBkh3vgqq+pSopU5kaz7jLJ
=6nDc
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


Current thread: