Hi,

Did this plugin make it to CVS? I can't find it in my plugins dir.

Paul

Haroon Meer wrote:
>Hi..
>
>[This has been around in perl scripts for a while now..]
>
>IIS throws a different (predictable) Content-Length value based on its
>applied Service pack level.
>
>The attached .nasl makes a guess @ remote IIS sp-version based on the
>returned Content Length. (This was only tested on English versions..)
>(Thanks muchly to rob@private for most of the signatures / initial
>.pl)
>
>/mh
>
>======================================================================
>Haroon Meer MH
>SensePost Information Security +27 83786 6637
>PGP : http://www.sensepost.com/pgp/haroon.txt haroon@private
>======================================================================
>
>------------------------------------------------------------------------
>
># Added include: http_open_socket() is defined in http_func.inc (assumed Nessus 2.x layout).
>include("http_func.inc");
>
>if(description)
>{
> script_id(121212);
> name["english"] = "IIS Service Pack - 404";
> script_name(english:name["english"]);
>
> desc["english"] = "
>The Patch level (Service Pack) of the remote IIS server appears to be lower than
>the current service pack level for this service. This test makes assumptions
>of the remote patch level based on the returned Content-Length of its 404 error message.
>As such, the test can not be totally reliable and should be confirmed.
>
>Solution: Ensure that the server is running the latest stable Service Pack (http://www.microsoft.com/security)
>Risk factor : High";
>
> script_description(english:desc["english"]);
>
> summary["english"] = "IIS Service Pack Check";
> script_summary(english:summary["english"]);
>
> script_category(ACT_GATHER_INFO);
> script_copyright(english:"This script is Copyright (C) 2003 SensePost");
>
> family["english"] = "CGI abuses";
> script_family(english:family["english"]);
> script_dependencie("find_service.nes");
> script_require_ports("Services/www", 80);
> exit(0);
>}
>
># Check starts here
>
># Request a path that should not exist, so the server answers with its 404 page.
>r1 = string("GET /sensepost_2003 HTTP/1.0\r\n\r\n");
>
>port = get_kb_item("Services/www");
>if(!port) port = 80;
>if(! get_port_state(port)) exit(0);
>
>soc = http_open_socket(port);
>if(! soc) exit(0);
>
>send(socket:soc, data:r1);
>r = recv(socket:soc, length:1024);
>close(soc);
>
># Identify the IIS major version from the Server header and pick out the
># Content-Length line. Note that "><" is a substring test: "102" also
># matches a Content-Length of 1024, so the guess is only as good as the
># version check that precedes it.
>v4 = egrep(pattern:"Microsoft-IIS/4.0", string:r);
>v5 = egrep(pattern:"Microsoft-IIS/5.0", string:r);
>cl = egrep(pattern:"Content-Length", string:r);
>ver = string("Remote IIS Service pack guess : ");
>
>if(v4)
>{
> display("IIS4\n");
> if ("102" >< cl)
> {
>  ver = ver + string("IIS 4 - Sp0\n");
>  security_hole(port:port, data:ver);
>  exit(0);
> }
>
> if ("461" >< cl)
> {
>  display("IIS 4 - Sp6\n");
>  ver = ver + string("Microsoft IIS 4 - SP6\n");
>  security_note(port:port, data:ver);
> }
>}
>
>if(v5)
>{
> display("IIS5\n");
>
> if("3243" >< cl)
>  ver = ver + string("IIS 5 - Sp0 or Sp1\n");
> if("3252" >< cl)
>  ver = ver + string("IIS 5 - Sp2 or Sp2srp1\n");
> if("4040" >< cl)
>  ver = ver + string("IIS 5 - Sp3\n");
>
> if(("3243" >< cl) || ("3252" >< cl) || ("4040" >< cl))
> {
>  security_hole(port:port, data:ver);
> }
>
> if("111" >< cl)
> {
>  display("IIS 5 - Sp4\n");
>  ver = ver + string("Microsoft IIS 5 - SP4\n");
>  security_note(port:port, data:ver);
> }
>}

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street, Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@private
web: www.westpoint.ltd.uk
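A stand-alone Python version of the same 404 Content-Length check, added here as an example for auditing one's own IIS hosts; it is not part of the thread or of the SensePost plugin. It transcribes the posted signature table but parses the headers and compares the Content-Length as an integer, so a 1024-byte body is not mistaken for the 102-byte SP0 signature the way a substring match would; the sample responses are constructed, not captured.

```python
import re
from typing import Dict, Optional, Tuple

# Signature table transcribed from the posted plugin, keyed on
# (IIS version from the Server header, exact 404 Content-Length).
# Severity mirrors the plugin: "hole" = stale service pack, "note" = current (as of 2003).
SIGNATURES: Dict[Tuple[str, int], Tuple[str, str]] = {
    ("4.0", 102): ("IIS 4 - SP0", "hole"),
    ("4.0", 461): ("IIS 4 - SP6", "note"),
    ("5.0", 3243): ("IIS 5 - SP0 or SP1", "hole"),
    ("5.0", 3252): ("IIS 5 - SP2 or SP2srp1", "hole"),
    ("5.0", 4040): ("IIS 5 - SP3", "hole"),
    ("5.0", 111): ("IIS 5 - SP4", "note"),
}


def parse_response_headers(raw: bytes) -> Dict[str, str]:
    """Return the headers of an HTTP/1.0 response as a dict with lowercased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def guess_service_pack(raw: bytes) -> Optional[Tuple[str, str]]:
    """Return (guess, severity), or None when the response carries no known signature."""
    headers = parse_response_headers(raw)
    m = re.fullmatch(r"Microsoft-IIS/(\d\.\d)", headers.get("server", ""))
    length = headers.get("content-length", "")
    if not m or not length.isdigit():
        return None
    # Compare the numeric value, not a substring: "1024" must not be read as "102".
    return SIGNATURES.get((m.group(1), int(length)))


# Constructed sample 404 responses (not captured from a real server).
SAMPLE_IIS5_SP3 = (b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/5.0\r\n"
                   b"Content-Type: text/html\r\nContent-Length: 4040\r\n\r\n<html>...</html>")
SAMPLE_IIS4_UNKNOWN = (b"HTTP/1.1 404 Object Not Found\r\nServer: Microsoft-IIS/4.0\r\n"
                       b"Content-Length: 1024\r\n\r\n")

if __name__ == "__main__":
    print(guess_service_pack(SAMPLE_IIS5_SP3))     # ('IIS 5 - SP3', 'hole')
    print(guess_service_pack(SAMPLE_IIS4_UNKNOWN))  # None
```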
This archive was generated by hypermail 2b30 : Thu Oct 09 2003 - 08:44:26 PDT