OpenVAS-EntwicklerhandbuchSMBclient-basierte WLSC NASL Skripte schreibenget_windir()Beispiel

Beispiel

Dies ist ein vollständiges NASL-Skript für einen WLSC. Es kann in den OpenVAS-NVTs unter dem Namen win_CVE-2007-0043.nasl gefunden werden.

#
# This script was written by
# Carsten Koch-Mauthe
# <c.koch-mauthe at dn-systems.de>
#
# This script is released under the GNU GPLv2
#
# $Revision: 01 $

if(description)
{
  if (OPENVAS_NASL_LEVEL >= 2206)
  {
    script_oid("1.3.6.1.4.1.25623.1.0.90010");
  }
  else
  {
    script_id(90010);
  }
  script_version ("$Revision: 01 $");
  script_cve_id("CVE-2007-0043");
  name["english"] = ".NET JIT Compiler Vulnerability";
  script_name(english:name["english"]);

  desc["english"] = 
"The remote host is affected by the vulnerabilities described in CVE-2007-0043

Checking if System.web.dll version is less than 2.0.50727.832

Impact
    The Just In Time (JIT) Compiler service in Microsoft
    .NET Framework 1.0, 1.1, and 2.0 for Windows 2000, XP,
    Server 2003, and Vista allows user-assisted remote
    attackers to execute arbitrary code via unspecified
    vectors involving an unchecked buffer, probably a
    buffer overflow, aka .NET JIT Compiler Vulnerability.
    Checking if System.web.dll version is less than 2.0.50727.832

References:
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0043

Solution:
    All users should upgrade to the latest version.


Risk factor : High";

  script_description(english:desc["english"]);
  summary["english"] = "Test for .NET JIT Compiler Vulnerability";
  script_summary(english:summary["english"]);
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is under GPLv2");
  family["english"] = "Windows.NET";
  script_family(english:family["english"]);
  exit(0);
}

#
# The code starts here
#

include("version_func.inc");
include("smbcl_func.inc");

if(!get_kb_item("SMB/smbclient"))
{
  smbclientavail();
}
test_version = "2.0.50727.832";

if(get_kb_item("SMB/smbclient"))
{
  if(smbversion() == 0)
  {
    report = string("Error getting SMB-Data -> " +
                    get_kb_item("SMB/ERROR"));
    security_note(port:0, proto:"SMBClient", data:report);
    exit(0);
  }
}
else
{
  report = string("SMBClient not found on this host !");
  security_note(port:0, proto:"SMBClient", data:report);
  exit(0);
}

win_dir = get_windir();
if(!isnull(win_dir))
{
  path = win_dir+"Microsoft.NET\Framework\";
  filespec = "v2*";
  r = smbgetdir(share: "C$", dir: path+filespec, typ: 2);
  if(!isnull(r))
  {
    filespec = r[0] + "\" + "system.web.dll";
    r = smbgetdir(share: "C$", dir: path+filespec, typ: 1);
    if(!isnull(r))
    {
      tmp_filename = get_tmp_dir() + "tmpfile" + rand();
      orig_filename = path + filespec;
      if(smbgetfile(share: "C$", filename: orig_filename,
                    tmp_filename: tmp_filename))
      {
        v = GetPEFileVersion(tmp_filename:tmp_filename,
                              orig_filename:orig_filename);
        unlink(tmp_filename);
        if(version_is_less(version: v, test_version: test_version))
        {
          security_hole(port:0, proto:"SMB");
          report = report + "Fileversion : C$ " +
                    orig_filename + " "+ v + string("\n");
          security_hole(port:0, proto:"SMB", data:report);
        }
      }
      else
      {
        report = string("Error getting SMB-File -> " +
                        get_kb_item("SMB/ERROR")) + string("\n");
        security_note(port:0, proto:"SMB", data:report);
      }
    }
  }
  else
  {
    report = string(".NET V2xx not found/no access -> " +
                    get_kb_item("SMB/ERROR")) + string("\n");
    security_note(port:0, proto:"SMB", data:report);
  }
}

exit(0);
OpenVAS-EntwicklerhandbuchSMBclient-basierte WLSC NASL Skripte schreibenget_windir()Beispiel