Nmap Development mailing list archives
Re: [NSE] Shodan exploits database library (and demo script)
From: Gutek <ange.gutek () gmail com>
Date: Sun, 12 Dec 2010 12:19:29 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just an update. As promised, I've started working from scratch on a real exploits search script. I don't attach any code by now because "as-it" it's still a real shameful mess...however, I can obtain encouraging results so far : 80/tcp open http syn-ack Apache httpd 2.0.46 ((Red Hat)) | demo: Found 2 existing exploits | On multiple, Apache <= 2.0.49 Arbitrary Long HTTP Headers Denial of Service |_On multiple, Apache <= 2.0.52 HTTP GET request Denial of Service Exploit As said before, the hard part is that there is absolutely no standard in the way the exploits descriptions are published : both speaking about their product/vendor name design, and their vulnerable versions range (<= x.y.z, x.y.z to|- a.b.c, etc.). A lot of smart string parsing and a little mathematics in vue ! David's function (http://seclists.org/nmap-dev/2010/q2/566) to canonicalize names will help with product parsing, and I'm working on another function to numerize and compare versions by computing a unique serial number from the x.y.z notation: function numerize(versionnumber) -- simplified, for this mail local t = stdnse.strsplit("%.", versionnumber) local index,serial = 0,0 for i,k in ipairs(t) do index = k/i serial = serial+index end return serial end This gives something like this (example from one of the dozen exploits matching "apache"): NSE: [EXPLOIT VERSION] 2.0.52 NSE: [NUMERIZE] i=1 k=2(2) NSE: [NUMERIZE] i=2 k=0(0) NSE: [NUMERIZE] i=3 k=52(17.333333333333) NSE: [NUMERIZE] serial=19.333333333333 Now, if we have a detected version of 2.0.46, its serial (computed from this function) would be 17.33. So if the exploit's description says " <= 2.0.52", then we have target version(17.33) IS_PRIOR_TO exploit version(19.33)...and a match. Have a nice day, A.G. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAk0Er8EACgkQ3aDTTO0ha7hfHwCfYCsHLgaAK3DOTofe3bFdQ1Pk j50AmgNzuLBkh3vgqq+pSopU5kaz7jLJ =6nDc -----END PGP SIGNATURE----- _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- [NSE] Shodan exploits database library (and demo script) Gutek (Nov 12)
- Re: [NSE] Shodan exploits database library (and demo script) David Fifield (Nov 22)
- Re: [NSE] Shodan exploits database library (and demo script) Gutek (Nov 22)
- Re: [NSE] Shodan exploits database library (and demo script) David Fifield (Nov 29)
- Re: [NSE] Shodan exploits database library (and demo script) Gutek (Nov 30)
- Re: [NSE] Shodan exploits database library (and demo script) Gutek (Dec 12)
- Re: [NSE] Shodan exploits database library (and demo script) Fyodor (Dec 12)
- Re: [NSE] Shodan exploits database library (and demo script) Gutek (Dec 12)
- RE: [NSE] Shodan exploits database library (and demo script) Rob Nicholls (Dec 13)
- Re: [NSE] Shodan exploits database library (and demo script) Fyodor (Dec 13)
- Re: [NSE] Shodan exploits database library (and demo script) Gutek (Nov 22)
- Re: [NSE] Shodan exploits database library (and demo script) David Fifield (Nov 22)
