Nmap Development mailing list archives
Re: GSoC 2012 Project - Vulnerability and exploitation specialist
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Sat, 24 Mar 2012 16:38:17 +0100
Thank you for your suggestions, I admit that my script is poor with comments.

Regarding the question of how this one tests if the server is vulnerable or not without crashing it, the details are a bit shady, but I'm working on that. The fact is that ms12-020 fixes two vulnerabilities in RDP (CVE-2012-0152 and CVE-2012-0002), the first one being marked as a DoS issue, and the other one being the RCE vulnerability everybody is after. My script tests for the first one, from which we can get different results from patched and unpatched systems and from which we can recover (not cause the actual crash, that is). Since both vulnerabilities are patched with the same patch, we can conclude that if it's vulnerable to one, it's vulnerable to the other too. I'll do some more debugging and fill in the blanks I have about this, then I'll be able to fully document the script. The web is full of speculation about this one, and I don't want to add more confusion or misinformation without working out the details.

I will also rewrite it using the vuln library as Mr. Ruottu suggested. Of course, I could write another script that would actually crash the vulnerable machine if you think that would be useful (it's simpler than detecting the presence of the vulnerability, obviously), but I wanted to get this one out fast because someone might find it useful.

On a side note, I've joined the #nmap channel on freenode IRC. Is there any other place where I could talk to developers? My nick on freenode is either foundation or ea_foundation.

My regards,
Aleksandar Nikolic

On Sat, Mar 24, 2012 at 3:04 AM, David Fifield <david () bamsoftware com> wrote:
> On Fri, Mar 23, 2012 at 10:36:06PM +0100, Aleksandar Nikolic wrote:
> > Hi, I am Aleksandar Nikolic, a final year Computer Science student at Faculty Of Technical Sciences, University of Novi Sad. I have certain experience in vulnerability and exploit research, and would like to apply for a position of a Script developer - Vulnerability and exploitation specialist in the following Google Summer Of Code. Since student applications haven't started yet I won't talk a lot about myself now, but guidelines from Google suggest to try to contact the community and possibly discuss the project.
> >
> > In an attempt to prepare for the application and to get familiar with nmap's scripting engine I wrote a script to test for the recent Windows RDP vulnerability. Everybody is talking about the vulnerability and until today I was unaware of a way to check if a machine is vulnerable or not without causing the BSoD. My script is based on work by sleepya. His tests are crafted in a way that would avoid triggering the BSoD. Please see the attached code for details. Of course, this script would need to be thoroughly tested, but my tests have shown that it works, at least on Windows XP. Also, I've just started playing with NSE and wanted to share this with you since it is a hot topic currently. Please let me know if I should make some improvements. I hope that you will find it useful.
>
> Thanks Aleksandar. I'm looking forward to reading your application.
>
> About the script, I agree that it's mysterious to have so many unexplained hex codes in there. We like to document those whenever possible, otherwise no one will be able to understand and modify the script later. What interests me is how this script works without BSOD when other techniques don't. What makes the difference? That's what I would like to see in documentation comments.
>
> > On topic, do you have any suggestions for me regarding the application for this position?
>
> For script writers, we like to see knowledge of Lua and networking, but especially ideas for the kinds of scripts you intend to write that are a good match for your skills.
>
> David Fifield
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
Current thread:
- GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 23)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Toni Ruottu (Mar 23)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 23)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 24)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 25)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Djalal Harouni (Mar 26)
- Message not available
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 26)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Djalal Harouni (Mar 26)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 28)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 28)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Djalal Harouni (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist David Fifield (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Toni Ruottu (Mar 29)
- Re: GSoC 2012 Project - Vulnerability and exploitation specialist Aleksandar Nikolic (Mar 24)