Nmap Development mailing list archives

Re: Adding "dangerous" checks?


From: Brandon Enright <bmenrigh () ucsd edu>
Date: Mon, 3 Nov 2008 18:54:12 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 3 Nov 2008 12:44:21 -0500
"Michael Pattrick" <mpattrick () rhinovirus org> wrote:

Since these categories pretty much state that they will cause damage
to the target, I think it is ok to create a script that crashes a host
as long as it is labeled properly.

Cheers,
Michael

[0] http://nmap.org/book/nse-usage.html#nse-categories


Coming from an organization that was scrambling for a network check of
MS08-067 last week, we were more happy to get one that had about equal
chance of working or crashing the service.  That's what "intrusive" is
all about.

As for technical hurdles, I'm not sure what funky things can be sent to
RPC/netapi32.dll/NetprPathCanonicalize to check for the vulnerability
but assuming there is some semi-reliable payload to do it,
DEP/NX/ASLR/Localization/winver are likely all working against the
check.

Are we talking about an English Windows XP SP2/SP3 check only?  Is there
some creative way to help factor out all the variations so that the
check works more broadly?

Brandon

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)

iEYEARECAAYFAkkPSNoACgkQqaGPzAsl94KemQCeNypefOcprA0ZjHdysBHPER3O
A6sAniSgqJd4Z7UZNpzHfhfhpJJn6hgH
=n0JQ
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org