Re: Remote IIS patch level detection.

From: Paul Johnston (paul@private)
Date: Thu Oct 09 2003 - 08:43:34 PDT


    Hi,
    
    Did this plugin make it to CVS? I can't find it in my plugins dir.
    
    Paul
    
    
    
    Haroon Meer wrote:
    
    >Hi..
    >
    >[This has been around in perl scripts for a while now..]
    >
    >IIS returns a different (predictable) Content-Length value depending on its
    >applied Service Pack level.
    >
    >The attached .nasl makes a guess at the remote IIS SP version based on the
    >returned Content-Length. (This has only been tested on English versions.)
    >(Thanks muchly to rob@private for most of the signatures / initial
    >.pl)
    >
    >/mh
    >
    >======================================================================
    >Haroon Meer                                                         MH
    >SensePost Information Security                          +27 83786 6637
    >PGP : http://www.sensepost.com/pgp/haroon.txt     haroon@private
    >======================================================================
    >
    >
    >  
    >
    >------------------------------------------------------------------------
    >
    >if(description)
    >{
    > # Plugin registration only: the engine calls this with description set and
    > # exits before the network check below is reached.
    > # NOTE(review): 121212 looks like a placeholder id - confirm an allocated
    > # script_id before this goes into CVS.
    > script_id(121212);
    > script_name(english:"IIS Service Pack - 404");
    >
    > script_description(english:"
    >The Patch level (Service Pack) of the remote IIS server appears to be lower than
    >the current service pack level for this service. This test makes assumptions
    >of the remote patch level based on the returned Content-Length of its 404 error message.
    >As such, the test can not be totally reliable and should be confirmed.
    >
    >
    >Solution: Ensure that the server is running the latest stable Service Pack (http://www.microsoft.com/security)
    >Risk factor : High");
    >
    > script_summary(english:"IIS Service Pack Check");
    > script_category(ACT_GATHER_INFO);
    > script_copyright(english:"This script is Copyright (C) 2003 SensePost");
    > script_family(english:"CGI abuses");
    >
    > # find_service fills Services/www in the KB; fall back to port 80 otherwise.
    > script_dependencie("find_service.nes");
    > script_require_ports("Services/www", 80);
    > exit(0);
    >}
    >
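    ># Check starts here
    >
    ># NOTE(review): http_open_socket() is normally provided by http_func.inc;
    ># confirm the include is present before this is committed.
    >r1 = string("GET /sensepost_2003 HTTP/1.0\r\n\r\n");
    >
    >port = get_kb_item("Services/www");
    >if(!port)port = 80;
    >if(! get_port_state(port)) exit(0);
    >
    >soc = http_open_socket(port);
    >if(! soc) exit(0);
    >
    >send(socket:soc, data:r1);
    >r = recv(socket:soc, length:1024);
    >close(soc);
    >
    ># Nothing to fingerprint without a reply. (The former "if(!soc) return NULL;"
    ># here was dead code: soc was already checked, and return has no meaning
    ># outside a function.)
    >if(!r) exit(0);
    >
    ># The signatures are Content-Length values of the 404 page, so only a 404
    ># reply is meaningful; a custom error handler or a 200 would give a bogus guess.
    >if(! egrep(pattern:"^HTTP/1\.[01] +404", string:r)) exit(0);
    >
    ># Match the Server header line rather than any occurrence of the product
    ># string (it could also appear in the page body), and keep only the
    ># Content-Length header line for the branches below.
    > v4 = egrep(pattern:"^Server: *Microsoft-IIS/4\.0", string:r);
    > v5 = egrep(pattern:"^Server: *Microsoft-IIS/5\.0", string:r);
    > cl = egrep(pattern:"^Content-Length:", string:r);
    > ver = string("Remote IIS Service pack guess : ");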
    >
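    >if(v4)
    >{
    >	display("IIS4\n");
    >
    >	# Match the whole header value: a plain substring test ("102" >< cl) also
    >	# fires on 1024, 3102, ... and mis-guesses the patch level. [^0-9]*$ absorbs
    >	# any trailing CR or blanks on the header line.
    >	if(egrep(pattern:"^Content-Length: *102[^0-9]*$", string:cl))
    >	{
    >		ver = ver + string("IIS 4 - Sp0\n");
    >		# One hole report carrying the guess; the extra data-less
    >		# security_hole(port) call only produced a duplicate alert.
    >		security_hole(port:port, data:ver);
    >		exit(0);
    >	}
    >
    >	# Braces are required here: without them only display() was conditional
    >	# and the SP6 note was reported for every IIS 4 host.
    >	if(egrep(pattern:"^Content-Length: *461[^0-9]*$", string:cl))
    >	{
    >		display("IIS 4 - Sp6\n");
    >		ver = ver + string("Microsoft IIS 4 - SP6\n");
    >		security_note(port:port, data:ver);
    >	}
    >}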
    >
    >
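    >if(v5)
    >{
    >	display("IIS5\n");
    >
    >	# Anchor on the whole header value: a substring test such as "111" >< cl
    >	# also matches 1111 or 4111 and reports the wrong service pack. [^0-9]*$
    >	# absorbs any trailing CR or blanks on the header line.
    >	old_sp = 0;
    >	if(egrep(pattern:"^Content-Length: *3243[^0-9]*$", string:cl))
    >	{
    >		ver = ver + string("IIS 5 - Sp0 or Sp1\n");
    >		old_sp = 1;
    >	}
    >	if(egrep(pattern:"^Content-Length: *3252[^0-9]*$", string:cl))
    >	{
    >		ver = ver + string("IIS 5 - Sp2 or Sp2srp1\n");
    >		old_sp = 1;
    >	}
    >	if(egrep(pattern:"^Content-Length: *4040[^0-9]*$", string:cl))
    >	{
    >		ver = ver + string("IIS 5 - Sp3\n");
    >		old_sp = 1;
    >	}
    >
    >	# One hole report carrying the guess; the extra data-less
    >	# security_hole(port:port) call only produced a duplicate alert.
    >	if(old_sp)
    >	{
    >		security_hole(port:port, data:ver);
    >	}
    >
    >	if(egrep(pattern:"^Content-Length: *111[^0-9]*$", string:cl))
    >	{
    >		display("IIS 5 - Sp4\n");
    >		ver = ver + string("Microsoft IIS 5 - SP4\n");
    >		security_note(port:port, data:ver);
    >	}
    >}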
    >	
    >  
    >
    
    -- 
    Paul Johnston
    Internet Security Specialist
    Westpoint Limited
    Albion Wharf, 19 Albion Street,
    Manchester, M1 5LN
    England
    Tel: +44 (0)161 237 1028
    Fax: +44 (0)161 237 1031
    email: paul@private
    web: www.westpoint.ltd.uk
    


