Hello all,
I just downloaded the latest plugin alchemy_eye_http.nasl and
installed Alchemy Eye.
The plugin doesn't alert me, because there are 2 problems:
1/ My SystemRoot is "C:\WINDOWS" and not "C:\WINNT"
and the plugin tests only WINNT/system32/ipconfig.exe
2/ My Windows is a French one, so the output for ipconfig.exe is:
Configuration IP de Windows 2000
Ethernet carte Connexion au réseau local :
Suffixe DNS spéc. à la connexion. :
Adresse IP. . . . . . . . . . . . : xxx.xxx.xxx.xxx
Masque de sous-réseau . . . . . . : 255.255.255.0
Passerelle par défaut . . . . . . : xxx.xxx.xxx.xxx
and the plugin parses the output and checks for "IP Configuration"
My proposals:
1/ always test the dirs WINDOWS and WINNT
2/ always use a command giving the same result whatever the system language.
"cmd.exe" would be nice if Nessus checks for the "Microsoft Corp."
string.
I suggest choosing ONE command (and the parse string) and using it
in all new plugins.
Comments and suggestions are welcome!
So for this plugin, my changes are:
pat = "IP Configuration"; #string returned by webserver if it's vulnerable
becomes
pat = "Microsoft Corp."; #string returned by webserver if it's vulnerable
and
url = string("/cgi-bin", dir[d],
"/../../../../../../../../WINNT/system32/ipconfig.exe");
if(check(req:url))exit(0);
becomes
url = string("/cgi-bin", dir[d],
"/../../../../../../../../WINNT/system32/cmd.exe");
if(check(req:url))exit(0);
url = string("/cgi-bin", dir[d],
"/../../../../../../../../WINDOWS/system32/cmd.exe");
if(check(req:url))exit(0);
Regards,
Georges Dagousset
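As an added example (not code from the post or from the Nessus plugin), the proposed check written in Python with the HTTP fetch injected so it runs offline: it probes both SystemRoot candidates and matches the locale-independent cmd.exe string, and shows why the original WINNT/ipconfig.exe probe misses a French host. The French ipconfig text and the cmd.exe banner wording are constructed sample responses.

```python
SYSTEM_ROOTS = ("WINNT", "WINDOWS")  # both SystemRoot candidates the post asks for
TRAVERSAL = "/../../../../../../../../"  # same depth as the plugin's probe URL
OLD_PAT = "IP Configuration"  # ipconfig banner: English builds only
NEW_PAT = "Microsoft Corp."  # cmd.exe copyright line, present in every locale

def candidate_urls(cgi_dir):
    """One probe URL per SystemRoot candidate, as the post proposes."""
    return ["/cgi-bin%s%s%s/system32/cmd.exe" % (cgi_dir, TRAVERSAL, root)
            for root in SYSTEM_ROOTS]

def is_vulnerable(fetch, cgi_dirs, pattern=NEW_PAT):
    """True when any probe response body contains `pattern`.

    fetch(url) returns the response body (str) or None; it is injected so
    the check can be run offline against constructed responses.
    """
    for cgi_dir in cgi_dirs:
        for url in candidate_urls(cgi_dir):
            body = fetch(url)
            if body and pattern in body:
                return True
    return False

# Constructed responses standing in for a French Windows 2000 host whose
# SystemRoot is C:\WINDOWS, the situation described in the post.
FRENCH_IPCONFIG = ("Configuration IP de Windows 2000\n"
                   "Adresse IP. . . . . . . . . . . . : xxx.xxx.xxx.xxx\n")
CMD_BANNER = ("Microsoft Windows 2000 [Version 5.00.2195]\n"  # assumed wording
              "(C) Copyright 1985-2000 Microsoft Corp.\n")
FAKE_HOST = {
    "/cgi-bin" + TRAVERSAL + "WINDOWS/system32/ipconfig.exe": FRENCH_IPCONFIG,
    "/cgi-bin" + TRAVERSAL + "WINDOWS/system32/cmd.exe": CMD_BANNER,
}

def fake_fetch(url):
    return FAKE_HOST.get(url)  # None for the WINNT paths, like a 404

def old_check_result():
    """The original plugin's single probe: WINNT, ipconfig.exe, English pattern."""
    body = fake_fetch("/cgi-bin" + TRAVERSAL + "WINNT/system32/ipconfig.exe")
    return bool(body and OLD_PAT in body)

if __name__ == "__main__":
    print("old check:", old_check_result())              # False: misses this host
    print("new check:", is_vulnerable(fake_fetch, [""]))  # True
```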