
renaud at nessus
Jan 22, 2003, 5:23 PM
nessus-plugins/scripts dump.inc,NONE,1.4.2.1 ftp_func.inc,NONE,1.12.2.1 http_func.inc,NONE,1.23.2.1 misc_func.inc,NONE,1.8.2.1 smtp_func.inc,NONE,1.8.2.1 telnet_func.inc,NONE,1.5.2.1 uddi.inc,NONE,1.2.6.1 smb_nt.inc,1.1.2.2,1.1.2.3
Update of /usr/local/cvs/nessus-plugins/scripts In directory raccoon.nessus.org:/tmp/cvs-serv673 Modified Files: Tag: NESSUS_1_0 smb_nt.inc Added Files: Tag: NESSUS_1_0 dump.inc ftp_func.inc http_func.inc misc_func.inc smtp_func.inc telnet_func.inc uddi.inc Log Message: add .inc files to Nessus 1.0.x. include() is supported in Nessus 1.0.7 and newer --- NEW FILE: dump.inc --- # -*- Fundamental -*- # # (C) 2002 Georges Dagousset <georges.dagousset [at] orange> # $Revision: 1.4.2.1 $ #include("dump.inc"); #dump(ddata:req,dtitle:"title"); function dump(ddata,dtitle) { if(dtitle)display(":::",dtitle,"\n"); __dmaxline = strlen(ddata) / 16; for (__dline = 0; __dline <= __dmaxline; __dline = __dline + 1) { display(string(hex(__dline*16),":")-"0x"); for (__dcol = 0; __dcol < 16; __dcol = __dcol + 1) { if (!__dcol % 4) display(" "); if (__dcol + __dline * 16 < strlen(ddata)) display(string(hex(ord(ddata[__dcol + __dline * 16]))," ")-"0x"); else display(" "); } display(" "); for (__dcol = 0; __dcol < 16; __dcol = __dcol + 1) { if (__dcol + __dline * 16 < strlen(ddata)) { if(ord(ddata[__dcol + __dline * 16]) >= 32) display(ddata[__dcol + __dline * 16]); else display("."); } else display(" "); } display("\n"); } display("\n"); } --- NEW FILE: ftp_func.inc --- # -*- Fundamental -*- # # (C) 2002 Michel Arboi <arboi [at] bigfoot> # $Revision: 1.12.2.1 $ function ftp_close(socket) { if (send(socket: socket, data: string("QUIT\r\n"))) { __r = "550 "; while ((__r) && ! ("221 " >< __r)) { __r = recv_line(socket:socket, length: 1024); #display ("QUIT answer = ", __r); } } close(socket); } function get_ftp_banner(port) { ___sb = string("ftp/banner/", port); ___banner = get_kb_item(___sb); if (___banner) return(___banner); if (! 
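Review bot: In dump(), the column-group separator test `if (!__dcol % 4) display(" ");` applies `!` before `%` if NASL follows C precedence, so it is true only for column 0 instead of every fourth column; the intended grouping needs `if (!(__dcol % 4)) display(" ");`. Separately, `__dmaxline = strlen(ddata) / 16` combined with a `<=` loop bound emits one extra all-blank row whenever the length is an exact multiple of 16, which a bound of the form `__dline * 16 < strlen(ddata)` would avoid.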
get_port_state(port)) return (0); ___soc = open_sock_tcp(port); if(!___soc) return (0); ___banner = recv_line(socket:___soc, length:1024); if(ereg(string:___banner, pattern:"^220-")) { ___str = recv_line(socket:___soc, length:1024); ___banner = string(___banner, ___str); while(ereg(string:___str, pattern:"^220-")) { ___str = recv_line(socket:___soc, length:1024); ___banner = string(___banner, ___str); } } ftp_close(socket: ___soc); set_kb_item(name: ___sb, value: ___banner); return(___banner); } function ftp_recv_line(socket) { __n = 0; __r = recv_line(socket:socket, length:1024); if(strlen(__r) < 4) return(__r); while(__r[3] == "-") { __n = __n + 1; __r = recv_line(socket:socket, length:1024); if(__n > 1024) return(0); } return(__r); } --- NEW FILE: http_func.inc --- # -*- Fundamental -*- # # (C) 2002 Michel Arboi <arboi [at] bigfoot> # get_http_port (C) Georges Dagousset # $Revision: 1.23.2.1 $ function get_http_banner(port) { if (! get_port_state(port)) return (0); ___sb = string("www/banner/", port); ___banner = get_kb_item(___sb); if (___banner) return(___banner); ___soc = http_open_socket(port); if(!___soc) return (0); ___req = http_get(item:"/", port:port); send(socket:___soc, data:___req); ___banner = recv(socket:___soc, length:5000); http_close_socket(___soc); set_kb_item(name: ___sb, value: ___banner); return(___banner); } # Submitted by Georges Dagousset # Usage: port = get_http_port(default:80); function get_http_port(default) { ___port = get_kb_item("Services/www"); if(!___port)___port = default; ___banner = get_http_banner(port:___port); if (! 
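Review bot: In ftp_recv_line(), the short-reply guard `if(strlen(__r) < 4) return(__r);` runs only before the loop, so a later recv_line() that returns an empty or three-character string (closed connection, truncated reply) is indexed at `__r[3]` by the `while` condition with no length check. Move the test inside the loop: after each `__r = recv_line(socket:socket, length:1024);` add `if(strlen(__r) < 4) return(__r);` so a multi-line reply that ends abruptly terminates cleanly. get_ftp_banner() has the same shape but keys its loop on ereg(), which tolerates an empty string, so it does not need the change.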
___banner) exit(0); return(___port); } # (C) Georges Dagousset # Usage: # banner = get_http_banner(port:port); # if (php_ver_match(banner:banner, # pattern:".*PHP/((3.*)|(4\.0.*)|(4\.1\.[01].*))")) # security_hole(port); # function php_ver_match(banner, pattern) { ___line = egrep(pattern:"^Server:.*", string:banner); if(ereg(pattern:pattern, string:___line))return(1); else { ___line = egrep(pattern:"^X-Powered-By:.*", string:banner); if(ereg(pattern:pattern, string:___line))return(1); } return(0); } function http_is_dead(port) { ___soc = http_open_socket(port); if(!___soc) return (1); # NB: http_head does not work against SWAT & VNC (& probably others...) ___req = http_get(item:"/", port:port); send(socket:___soc, data:___req); ___banner = recv(socket:___soc, length:5000); http_close_socket(___soc); if (! ___banner) return (1); return (0); } # This function was originaly written by SecurITeam in # badblue_directory_traversal.nasl # I (=MA) enhanced it. # NB: it works with AUTOEXEC.BAT, WIN.INI and BOOT.INI # quickcheck should be set to 0 if the server does not return clean 404 code, # i.e., if "www/no404/"+port is defined in the KB function check_win_dir_trav(port, url, quickcheck) { #display("check_win_dir_trav(port=", port, ", url=", url, ", quickcheck=", quickcheck, ")\n"); _soc = http_open_socket(port); if(! 
_soc) { # display("check_win_dir_trav: cannot open socket to ", port, "\n"); return (0); } _req = http_get(item:url, port:port); send(socket:_soc, data:_req); _cod = recv_line(socket: _soc, length: 80); _buf = http_recv(socket:_soc); http_close_socket(_soc); if (quickcheck) { if (" 200 " >< _cod) return (1); return (0); } if ( ("ECHO" >< _buf) || ("SET " >< _buf) || ("export" >< _buf) || ("EXPORT" >< _buf) || ("mode" >< _buf) || ("MODE" >< _buf) || ("doskey" >< _buf) || ("DOSKEY" >< _buf) || ("[boot loader]" >< _buf) || ("[fonts]" >< _buf) || ("[extensions]" >< _buf) || ("[mci extensions]" >< _buf) || ("[files]" >< _buf) || ("[Mail]" >< _buf) || ("[operating systems]" >< _buf) ) { return(1); } return(0); } # This function does not return the headers! # So 'length' parameter does not include headers length, even if we # have to read them. Anyway, this parameter will be ignored if Content-length # is set function http_recv_body(socket, headers, length) { if (!headers) { __h = http_recv_headers(socket); } else { __h = headers; } __cl = egrep(pattern:"^Content-length: *[0-9]+", string: __h, icase: 1); __l = ereg_replace(pattern: "Content-length: *([0-9]+).*", replace:"\1", string: __cl, icase: 1); __max = 0; __min = 0; if (length) __max = length; if (__l) __min = __l; if (__l > __max) __max = __l; if (! __max) { #display("http_recv_body: bogus or no Content-length field, and no 'length' paramater set! 
Defaulting to 8 KB\n"); __max = 8192; } #display("http_recv_body: min=", __min, "; max=", __max, "\n"); if (__min) { __x = recv(socket: socket, length: __max, min: __min); } else { __x = recv(socket: socket, length: __max); } return(__x); } # This function reads everything # Note that bodylength will be ignored if the Content-length field is set function http_recv(socket) { __h = http_recv_headers(socket); if(!__h)return(0); __b = http_recv_body(socket: socket, headers: __h, length:0); return (string(__h, "\r\n", __b)); } function http_recv_length(socket, bodylength) { __h = http_recv_headers(socket); __b = http_recv_body(socket: socket, headers: __h, length: bodylength); return (string(__h, "\r\n", __b)); } function get_cgi_path(port) { _k = string("www/cgi-path/", port); _p = get_kb_item(_k); if (_p) return (_p); _no404 = get_kb_item(string("www/no404/", port)); # Mostly from DDI_Directory_Scanner (c) by HD Moore _i = 0; _c[_i] = "cgi-bin"; _i = _i+1; _c[_i] = "cgi-bin2"; _i = _i+1; _c[_i] = "scripts"; _i = _i+1; _c[_i] = "cgi"; _i = _i+1; _c[_i] = "cgis"; _i = _i+1; _c[_i] = "cd-cgi"; _i = _i+1; _c[_i] = "cfide"; _i = _i+1; _c[_i] = "cgi"; _i = _i+1; _c[_i] = "cgi-auth"; _i = _i+1; _c[_i] = "cgi-bin"; _i = _i+1; _c[_i] = "cgi-bin2"; _i = _i+1; _c[_i] = "cgi-csc"; _i = _i+1; _c[_i] = "cgi-lib"; _i = _i+1; _c[_i] = "cgi-local"; _i = _i+1; _c[_i] = "cgi-scripts"; _i = _i+1; _c[_i] = "cgi-shl"; _i = _i+1; _c[_i] = "cgi-shop"; _i = _i+1; _c[_i] = "cgi-sys"; _i = _i+1; _c[_i] = "cgi-weddico"; _i = _i+1; _c[_i] = "cgi-win"; _i = _i+1; _c[_i] = "cgibin"; _i = _i+1; _c[_i] = "cgilib"; _i = _i+1; _c[_i] = "cgiscripts"; _i = _i+1; _c[_i] = "cgiwin"; _i = _i+1; _c[_i] = 0; _p = ""; for (_i = 0; _c[_i]; _i=_i+1) { _s = http_open_socket(port); if (_s) { _req = http_get(port: port, item: string("/", _c[_i], "/")); send(socket: _s, data: _req); if (_no404) { _h = http_recv(socket: _s); if (! 
(_no404 >< _h)) _p = string(_p, "/", _c[_i], ":"); } else { _h = recv_line(socket: _s, length: 256); if (ereg(pattern: "^HTTP/1\.[01] +(200|403)", string: _h)) _p = string(_p, "/", _c[_i], ":"); } http_close_socket(_s); } } if (!_p) _p = "/cgi-bin:/scripts"; set_kb_item(name: _k, value: _p); return (_p); } function locate_cgi(port, item) { _p = get_cgi_path(port); #display("P=", _p, "\n"); while (_p) { _p1 = ereg_replace(pattern: "^([^:]+):.*", string: _p, replace: "\1"); #display("P1=", _p1, "\n"); _p = _p - string(_p1, ":"); _cp = string(_p1, "/", item); if (is_cgi_installed(port: port, item: _cp)) return (_cp); } return (""); } --- NEW FILE: misc_func.inc --- # -*- Fundamental -*- # # (C) 2002 Michel Arboi <arboi [at] bigfoot> # $Revision: 1.8.2.1 $ function register_service(port, proto) { __k = string("Known/tcp/", port); set_kb_item(name: __k, value: proto); __k = string("Services/", proto); set_kb_item(name: __k, value: port); #display("register_service: port=", port, ", proto=", proto, "\n"); } function known_service(port) { __k = string("Known/tcp/", port); __p = get_kb_item(__k); #if (__p) { display("Known service on port ", port, "\n"); } #else { display("Unknown service on port ", port, "\n"); } return (__p); } function get_unknown_banner(port) { __sb = string("unknown/banner/", port); __banner = get_kb_item(__sb); if (__banner) return(__banner); if (! 
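Review bot: locate_cgi() depends on every entry of the cached path string ending in ':' (it strips entries with `_p = _p - string(_p1, ":");`), but the fallback in get_cgi_path() is `if (!_p) _p = "/cgi-bin:/scripts";` with no trailing colon; once `/cgi-bin:` is removed, `_p1` becomes the whole remainder and, if string subtraction leaves the string unchanged when the substring is absent, `while (_p)` never terminates unless is_cgi_installed() succeeds. Write the fallback in the form the loop above produces: `if (!_p) _p = "/cgi-bin:/scripts:";`. Separately, the candidate list in get_cgi_path() repeats `"cgi"`, `"cgi-bin"` and `"cgi-bin2"`, so those directories are probed twice and appended twice to the value stored under `www/cgi-path/`.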
get_port_state(port)) return (0); __soc = open_sock_tcp(port); if(!__soc) return (0); # I don't think that it makes sense to send an HTTP request #__req = http_head(item:"/", port:port); #send(socket:__soc, data:__req); __banner = recv(socket:__soc, length:2048); close(__soc); set_kb_item(name: __sb, value: __banner); return(__banner); } # # Get the banner for a given service # You must also specify a default port, in case this is not in the kb # function get_service_banner_line(service, port) { __port = get_kb_item(string("Services/", service)); if(!__port) __port = port; __key = string(service, "/banner/", __port); __banner = get_kb_item(__key); if(!__banner) { if(get_port_state(__port)) { __soc = open_sock_tcp(__port); if(__soc) { __banner = recv_line(socket:__soc, length:2048); close(__soc); } } } return(__banner); } # # Fast replacement for getrpcport() # function get_rpc_port(program, protocol) { __a = rand() % 255; __b = rand() % 255; __c = rand() % 255; __d = rand() % 255; __p_a = program / 16777216; __p_a = __p_a % 256; __p_b = program / 65356; __p_b = __p_b % 256; __broken = get_kb_item("/tmp/rpc/noportmap"); if(__broken)return(0); __p_c = program / 256; __p_c = __p_c % 256; __p_d = program % 256; __pt_a = protocol / 16777216; __pt_a = __pt_a % 256; __pt_b = protocol / 65535 ; __pt_b = __pt_b % 256; __pt_c = protocol / 256; ; __pt_c = __pt_c % 256; __pt_d = protocol % 256; __req = raw_string(__a, __b, __c, __d, # XID 0x00, 0x00, 0x00, 0x00, # Msg type: call 0x00, 0x00, 0x00, 0x02, # RPC Version 0x00, 0x01, 0x86, 0xA0, # Program 0x00, 0x00, 0x00, 0x02, # Program version 0x00, 0x00, 0x00, 0x03, # Procedure 0x00, 0x00, 0x00, 0x00, # Credentials - flavor 0x00, 0x00, 0x00, 0x00, # Credentials - length 0x00, 0x00, 0x00, 0x00, # Verifier - Flavor 0x00, 0x00, 0x00, 0x00, # Verifier - Length __p_a, __p_b, __p_c, __p_d, # Program 0xFF, 0xFF, 0xFF, 0xFF, # Version (any) __pt_a, __pt_b, __pt_c, __pt_d, # Proto (udp) 0x00, 0x00, 0x00, 0x00 # Port ); __soc = 
open_sock_udp(111); send(socket:__soc, data:__req); __r = recv(socket:__soc, min:24, length:28); close(__soc); if(!__r) { set_kb_item(name:"/tmp/rpc/noportmap", value:TRUE); return(0); } if(strlen(__r) < 28) return(0); else { __p_d = ord(__r[27]); __p_c = ord(__r[26]); __p_b = ord(__r[25]); __p_a = ord(__r[24]); __port = __p_a; __port = __port * 256; __port = __port +__p_b; __port = __port * 256; __port = __port + __p_c; __port = __port * 256; __port = __port + __p_d; return(__port); } } --- NEW FILE: smtp_func.inc --- # -*- Fundamental -*- # # (C) 2002 Michel Arboi <arboi [at] bigfoot> # $Revision: 1.8.2.1 $ function smtp_send_socket(socket, from, to, body) { # display(string("smtp_send_socket from=", from, " to=", to, "\n")); # Just to be sure send(socket: socket, data: string("RSET\r\n")); buff = recv(socket: socket, length: 2048); # Here, we might test the return code send(socket: socket, data: string("MAIL FROM: ", from, "\r\n")); buff = recv(socket: socket, length: 2048); if (! ereg(pattern:"^2[0-9][0-9] ", string:buff)) { return (0); } send(socket: socket, data: string("RCPT TO: ", to, "\r\n")); buff = recv(socket: socket, length: 2048); if (! ereg(pattern:"^2[0-9][0-9] ", string:buff)) { return (0); } send(socket: socket, data: string("DATA\r\n")); buff = recv(socket: socket, length: 2048); if (! ereg(pattern:"^3[0-9][0-9] ", string:buff)) { return (0); } send(socket: socket, data: body); send(socket: socket, data: string(".\r\n")); buff = recv(socket: socket, length: 2048); if (! ereg(pattern:"^2[0-9][0-9] ", string:buff)) { return (0); } return(1); } function smtp_send_port(port, from, to, body) { s = open_sock_tcp(port); if (! 
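Review bot: In get_rpc_port(), two byte-extraction divisors are wrong: `__p_b = program / 65356;` and `__pt_b = protocol / 65535 ;` should both divide by 65536 (2^16), otherwise the second byte of the program number or protocol is off by one for values just below a multiple of 65536 and the GETPORT request is built for the wrong program. The fix is `__p_b = program / 65536;` and `__pt_b = protocol / 65536;`; the stray `;` in `__pt_c = protocol / 256; ;` can be dropped at the same time. Also `__soc = open_sock_udp(111);` is used without a failure check, unlike the TCP helpers in this file, which all test the socket before sending.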
s) return (0); send(socket: s, data: string("HELO nessus\r\n")); buff = recv(socket: s, length: 2048); ret = smtp_send_socket(socket: s, from: from, to: to, body: body); send(socket: s, data: string("QUIT\r\n")); close(s); return (ret); } function smtp_from_header() { fromaddr = get_kb_item("SMTP/headers/From"); if (!fromaddr) fromaddr = "nessus [at] example"; return (fromaddr); } function smtp_to_header() { toaddr = get_kb_item("SMTP/headers/To"); if (!toaddr) toaddr = string("postmaster@[", get_host_ip(), "]"); return (toaddr); } function get_smtp_banner(port) { __sb = string("smtp/banner/", port); __banner = get_kb_item(__sb); if(__banner) return (__banner); if(! get_port_state(port)) return (0); __soc = open_sock_tcp(port); if (! __soc) return (0); __banner= recv_line(socket: __soc, length:1024); close(__soc); set_kb_item(name: __sb, value: __banner); return(__banner); } --- NEW FILE: telnet_func.inc --- # -*- Fundamental -*- # # (C) 2002 Michel Arboi <arboi [at] bigfoot> # $Revision: 1.5.2.1 $ function get_telnet_banner(port) { ___sb = string("telnet/banner/", port); ___banner = get_kb_item(___sb); if (___banner) return(___banner); ___soc = open_sock_tcp(port); if(!___soc) return (0); ___banner = telnet_init(___soc); close(___soc); set_kb_item(name: ___sb, value: ___banner); return(___banner); } function set_telnet_banner(port, banner) { ___sb = string("telnet/banner/", port); set_kb_item(name: ___sb, value: banner); } --- NEW FILE: uddi.inc --- # By John Lampe # $Id: uddi.inc,v 1.2.6.1 2003/01/23 00:23:52 renaud Exp $ function create_uddi_xml (ktype,path,key,name) { envelope_header = string("<?xml version='1.0' encoding='UTF-8'?> <s:Envelope"); envelope_header = string(envelope_header, " xmlns:s='http://schemas.xmlsoap.org/soap/envelope/'><s:Body>"); get_servicedetail = string("<get_serviceDetail generic='1.0' xmlns='urn:uddi-org:api'>"); get_servicedetail = string(get_servicedetail, "<serviceKey>", key, "</serviceKey></get_serviceDetail>"); find_business = 
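Review bot: smtp_send_socket() and smtp_send_port() use plain names for their temporaries (`buff`, `s`, `ret`, and `fromaddr`/`toaddr` in the header helpers), whereas every other .inc file in this commit prefixes function-internal variables with `__`/`___`, presumably so they do not clobber variables of the calling script; `s` in particular is a name plugins commonly use for their own socket. Renaming them to `__buff`, `__s`, `__ret`, `__fromaddr`, `__toaddr` would follow the convention the rest of the commit establishes. The envelope commands are also built without angle brackets (`string("MAIL FROM: ", from, "\r\n")`); the standard form is `MAIL FROM:<addr>` / `RCPT TO:<addr>`, e.g. `string("MAIL FROM:<", from, ">\r\n")`, which strict servers require.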
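Review bot: get_telnet_banner() calls `open_sock_tcp(port)` without the `if (! get_port_state(port)) return (0);` guard that get_ftp_banner(), get_smtp_banner() and get_unknown_banner() in this same commit perform first, so it attempts a connection to ports already known to be closed. Adding that check before the open makes the helper consistent with its siblings and avoids a useless connect attempt per call; with the early return in place the KB caching that follows is unchanged.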
string("<find_business generic='1.0' xmlns='urn:uddi-org:api'>"); find_business = string(find_business, "<name>",name,"</name></find_business>"); find_service = string("<find_service generic='1.0' xmlns='urn:uddi-org:api' businessKey='",key, "'>"); find_service = string(find_service, "<name>", name, "</name></find_service>"); close_envelope = string("</s:Body></s:Envelope>"); if (ktype == "UDDI_QUERY_FBUSINESS") method = find_business; if (ktype == "UDDI_QUERY_FSERVICE") method = find_service; if (ktype == "UDDI_QUERY_GSERVICE_DETAIL") method = get_servicedetail; xml = string(envelope_header, method, close_envelope); len = strlen(xml); finished_message = string("POST ", path, " HTTP/1.0\r\n"); finished_message = string(finished_message, "Accept: text/xml\r\n"); finished_message = string(finished_message, "Accept: multipart/*\r\n"); finished_message = string(finished_message, "Host: ", get_host_ip(), "\r\n"); finished_message = string(finished_message, "User-Agent: NESSUS::SOAP\r\n"); finished_message = string(finished_message, "Content-Length: ", len, "\r\n"); finished_message = string(finished_message, "Content-Type: text/xml; charset=utf-8\r\n"); finished_message = string(finished_message, "SOAPAction: ''\r\n\r\n", xml); return(finished_message); } Index: smb_nt.inc =================================================================== RCS file: /usr/local/cvs/nessus-plugins/scripts/smb_nt.inc,v retrieving revision 1.1.2.2 retrieving revision 1.1.2.3 diff -u -d -r1.1.2.2 -r1.1.2.3 --- smb_nt.inc 25 Jan 2002 13:55:00 -0000 1.1.2.2 +++ smb_nt.inc 23 Jan 2003 00:23:52 -0000 1.1.2.3 
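Review bot: create_uddi_xml() interpolates `key` and `name` directly into the SOAP body (`"<serviceKey>", key, "</serviceKey>"`, and `key` also inside a single-quoted attribute in find_service), so a value containing `<`, `&` or `'` produces malformed XML or a request the server parses differently from what the script intended; if these values can originate from an earlier server response or the KB, they should be escaped (at least `&`, `<`, `>` and `'`) before concatenation. Also, when `ktype` matches none of the three known strings, `method` is never assigned and the function returns an envelope with an empty Body that the caller will still send; returning 0 for an unrecognised ktype would let callers detect the bad argument instead.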
@@ -1,15 +1,21 @@ +# -*- Fundamental -*- +# smb_nt.inc +# $Revision$ +# + #-----------------------------------------------------------------# # Reads a SMB packet # #-----------------------------------------------------------------# function smb_recv(socket, length) { - ____msg_header = recv(socket:socket, length:4); [...1190 lines suppressed...] + #display("ACB : ", hex(acb), "\n"); + + set_kb_item(name:string("SMB/", type, "/", count, "/Info/ACB"), + value:acb); + + + #if(acb & 0x01)display(" Account is disabled\n"); + #if(acb & 0x04)display(" Password not required\n"); + #if(acb & 0x10)display(" Normal account\n"); + #if(acb & 0x0200)display(" Password does not expire\n"); + #if(acb & 0x0400)display(" Account auto-locked\n"); + #if(acb & 0x0800)display(" Password can't be changed\n"); + + #if(acb & 0x1000)display(" Smart card is required for interactive log on\n"); + #if(acb & 0x2000)display(" Account is trusted for delegation\n"); + #if(acb & 0x4000)display(" Account is sensitive an can not be delegated\n"); + #if(acb & 0x8000)display(" Use DES encryption type for this account\n"); +
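Review bot: The meaning of the ACB value stored by `set_kb_item(name:string("SMB/", type, "/", count, "/Info/ACB"), value:acb);` exists only as the commented-out display() calls that follow it, so a reader of that KB key has to reverse-engineer dead code; replace those lines with a short comment above the set_kb_item() call listing one bit per line (for example `# 0x0001 account disabled`, `# 0x0004 password not required`, and so on for the values already in the hunk) and drop the dead display lines. With 1190 lines of the hunk suppressed and the enclosing function starting outside the visible part, I cannot see how `acb`, `type` and `count` are derived, so this is a documentation point only.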