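# The original script was written by c.houleat_private
#
# See the Nessus Scripts License for details
#
# Delivers a Windows Messenger-service ("net send") pop-up to the target
# over a NetBIOS session on TCP/139 using the SMB_COM_SEND_START_MB /
# SEND_TEXT_MB / SEND_END_MB sequence.  No tree connect or logon is
# performed, which is the point being reported: the message path is
# unauthenticated and the sender name is whatever the client puts in it.
# The pop-up is visible to logged-on users, so keep the text recognisable
# as a scanner test.
#
# Fixes over the original:
#  - name/port/sender were hard-coded and the helper was called without
#    its name/cname/message arguments, so the START block carried NULLs;
#  - byte counts and packet lengths were hard-coded for one host name;
#  - the MessageGroupID was hard-coded (0x33) instead of taken from the
#    START reply, which is the likely reason TEXT/END were "!= ok";
#  - debug display() output removed, result reported with security_note();
#  - description no longer claims a High-risk vulnerability the script
#    never checks for.

if(description)
{
  script_id(19999);
  script_version("$Revision: 1.0$");
  name["english"] = "NetSend";
  script_name(english:name["english"]);
  desc["english"] = "
The remote host accepted an unauthenticated Windows Messenger-service
('net send') pop-up over NetBIOS/SMB.

Anyone able to reach TCP port 139 can push arbitrary text, under an
arbitrary sender name, onto the screens of logged-on users.  This is
commonly abused for spam and social-engineering pop-ups.

Solution : Disable the Messenger service, or filter NetBIOS/SMB traffic
from untrusted networks.

Risk factor : Low";
  script_description(english:desc["english"]);
  summary["english"] = "Sends a Messenger-service (net send) pop-up to the remote host";
  script_summary(english:summary["english"]);
  # Not destructive, but user-visible (a dialog appears on the console).
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"c.houleat_private");
  family["english"] = "Windows";
  script_family(english:family["english"]);
  script_dependencies("netbios_name_get.nasl");
  script_require_keys("SMB/name", "SMB/transport");
  script_require_ports(139);
  exit(0);
}

include("smb_nt.inc");

#-----------------------------------------------------------#
# Wire-format helpers                                       #
#-----------------------------------------------------------#

# First-level-encode a NetBIOS name: 15 characters (upper-cased, space
# padded) followed by the one-byte name suffix, each byte split into two
# nibbles written as 'A' + nibble.  Returns the 32-character encoding.
function msg_netbios_name(name, suffix)
{
  local_var i, o, out;

  name = toupper(name);
  out = "";
  for(i = 0; i < 15; i = i + 1)
  {
    if(i < strlen(name)) o = ord(name[i]);
    else o = 0x20;                                    # space padding
    out = out + raw_string(ord("A") + o / 16, ord("A") + o % 16);
  }
  return out + raw_string(ord("A") + suffix / 16, ord("A") + suffix % 16);
}

# Wrap an SMB message in a NetBIOS session-message header
# (type 0x00, 24-bit big-endian length).
function nbt_session_message(smb)
{
  local_var len;

  len = strlen(smb);
  return raw_string(0x00, len / 65536, (len / 256) % 256, len % 256) + smb;
}

# The fixed 32-byte SMB header used by every block below, with the field
# values kept from the original capture: flags 0x08, flags2 0x0001,
# TID 0xffff, PID 0x682b, UID 0, MID 1.  Only the command byte varies.
function msg_smb_header(command)
{
  return raw_string(0xff, 0x53, 0x4d, 0x42,                          # "\xffSMB"
                    command,
                    0x00, 0x00, 0x00, 0x00,                          # status
                    0x08,                                            # flags
                    0x01, 0x00,                                      # flags2
                    0x00, 0x00,                                      # PID high
                    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  # signature
                    0x00, 0x00,                                      # reserved
                    0xff, 0xff,                                      # TID
                    0x2b, 0x68,                                      # PID
                    0x00, 0x00,                                      # UID
                    0x01, 0x00);                                     # MID
}

# True (1) when r is a reply to `command` with an all-zero status.
# Layout: 4-byte NBT header, then "\xffSMB" at 4..7, command at 8,
# status at 9..12.  Short or error replies give 0.
function msg_smb_ok(r, command)
{
  if(strlen(r) < 36) return 0;
  if(ord(r[4]) != 0xff || substr(r, 5, 7) != "SMB") return 0;
  if(ord(r[8]) != command) return 0;
  if(ord(r[9]) || ord(r[10]) || ord(r[11]) || ord(r[12])) return 0;
  return 1;
}

#-----------------------------------------------------------#
# Messenger-service steps                                   #
#-----------------------------------------------------------#

# NetBIOS session request (0x81) to the target's Messenger name <03>,
# calling from the first 15 characters of the sender name with suffix
# <00>.  Returns 1 on a positive session response (0x82), else 0.
# The original sent a request hard-coded for another host after the
# script had already done a <20> session request on the same socket.
function msg_session_request(soc, name, cname)
{
  local_var req, r;

  req = raw_string(0x81, 0x00, 0x00, 0x44, 0x20) +   # 68-byte payload
        msg_netbios_name(name:name, suffix:0x03) +
        raw_string(0x00, 0x20) +
        msg_netbios_name(name:cname, suffix:0x00) +
        raw_string(0x00);
  send(socket:soc, data:req);
  r = recv(socket:soc, length:4);
  if(strlen(r) < 1 || ord(r[0]) != 0x82) return 0;
  return 1;
}

# SMB_COM_SEND_START_MB (0xd5).  Data: 0x04 <originator> \0 0x04 <dest> \0
# with the byte count computed from the actual names.  On success the
# reply carries WCT=1 and the server-chosen MessageGroupID (little-endian
# at offset 37), which the TEXT/END blocks must echo back.  Returns that
# id, or NULL on failure.
function msg_start(soc, name, cname)
{
  local_var bcc, smb, r;

  bcc = 4 + strlen(cname) + strlen(name);
  smb = msg_smb_header(command:0xd5) +
        raw_string(0x00,                         # WordCount
                   bcc % 256, bcc / 256,         # ByteCount
                   0x04) + cname + raw_string(0x00, 0x04) + name + raw_string(0x00);
  send(socket:soc, data:nbt_session_message(smb:smb));
  r = smb_recv(socket:soc, length:4096);
  if(!msg_smb_ok(r:r, command:0xd5)) return NULL;
  if(strlen(r) < 39 || ord(r[36]) != 1) return NULL;   # WCT must be 1
  return ord(r[37]) + 256 * ord(r[38]);
}

# SMB_COM_SEND_TEXT_MB (0xd7): one text block for the given group.
# Data: BufferFormat 0x01, 16-bit DataLength, then `message` as-is.
# Returns 1 when the server accepted the block, else 0.
function msg_text(soc, group_id, message)
{
  local_var dlen, bcc, smb, r;

  dlen = strlen(message);
  bcc = 3 + dlen;
  smb = msg_smb_header(command:0xd7) +
        raw_string(0x01,                                 # WordCount
                   group_id % 256, group_id / 256,       # MessageGroupID
                   bcc % 256, bcc / 256,                 # ByteCount
                   0x01, dlen % 256, dlen / 256) + message;
  send(socket:soc, data:nbt_session_message(smb:smb));
  r = smb_recv(socket:soc, length:4096);
  return msg_smb_ok(r:r, command:0xd7);
}

# SMB_COM_SEND_END_MB (0xd6): closes the group so the host displays the
# accumulated text.  The original left this step commented out.
# Returns 1 when accepted, else 0.
function msg_end(soc, group_id)
{
  local_var smb, r;

  smb = msg_smb_header(command:0xd6) +
        raw_string(0x01,                                 # WordCount
                   group_id % 256, group_id / 256,       # MessageGroupID
                   0x00, 0x00);                          # ByteCount
  send(socket:soc, data:nbt_session_message(smb:smb));
  r = smb_recv(socket:soc, length:4096);
  return msg_smb_ok(r:r, command:0xd6);
}

#-----------------------------------------------------------#
# Net Send                                                  #
#-----------------------------------------------------------#

# Deliver `message` to host `name`, shown as coming from `cname`, over an
# already-open socket to the NetBIOS session service.  Returns 1 when
# every step (session, START, TEXT, END) was accepted, 0 otherwise.
function smb_net_send1(soc, name, cname, message)
{
  local_var gid;

  if(!msg_session_request(soc:soc, name:name, cname:cname)) return 0;
  gid = msg_start(soc:soc, name:name, cname:cname);
  if(isnull(gid)) return 0;
  if(!msg_text(soc:soc, group_id:gid, message:message)) return 0;
  return msg_end(soc:soc, group_id:gid);
}

#-----------------------------------------------------------#
# Script start                                              #
#-----------------------------------------------------------#

# NOTE(review): the author planned to take the port from SMB/transport.
# Left at 139 on purpose: the Messenger path starts with a NetBIOS
# session request, which only the NBT transport on 139 carries --
# confirm before switching to SMB/transport (445 would not work as-is).
port = 139;
name = get_kb_item("SMB/name");
if(!name) exit(0);

cname   = "Superdupr.Security";                  # sender shown in the pop-up; any value is accepted
message = "test12345" + raw_string(0x0d, 0x0a);  # text shown in the pop-up

if(!get_port_state(port)) exit(0);
soc = open_sock_tcp(port);
if(!soc) exit(0);

if(smb_net_send1(soc:soc, name:name, cname:cname, message:message))
  security_note(port:port);
close(soc);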