Re: GSoC 2012 Project - Vulnerability and exploitation specialist

[Aleksandar Nikolic <nikolic.alek () gmail com>]

Thank you for your suggestions, I admit that my script is poor with
comments.

Regarding the question of how does this one test if the server is
vulnerable or not without crashing it,
the details are a bit shady, but I'm working on that. The fact is that
ms12-020 fixes
two vulnerabilities in rdp (CVE-2012-0152 and CVE-2012-0002), first one
being
marked as DoS issue, and another one being a RCE vulnerability everybody is
after.
My script tests for the first one, from which we can get different results
from patched
and unpatched systems and from which we can recover (not cause the actual
crash that is).
Since both vulnerabilities are patched with the same patch, we can conclude
that if it's vulnerable to
one, it's vulnerable to the other too.
I'll do some more debugging and fill in the blanks I have about this, then
I'll be able to
fully document the script. The web is full of speculations about this one,
and I don't want to add more confusion
or misinformation without working out the details.
I will also rewrite it using the vuln library as Mr. Ruottu suggested.

Of course, I could write another script that would actually crash the
vulnerable machine if you think
that would be useful (it's simpler than detecting the presence of the
vulnerability obviously), but I
wanted to get this one out fast because someone might find it useful.

On a side note , I've joined the #nmap channel at freenode irc. Is there
any other place
where I could talk to developers? My nick on freenode is either foundation
or ea_foundation.

My regards,
Aleksandar Nikolic

On Sat, Mar 24, 2012 at 3:04 AM, David Fifield <david () bamsoftware com>wrote:

> On Fri, Mar 23, 2012 at 10:36:06PM +0100, Aleksandar Nikolic wrote:
> > Hi,
> >
> >    I am Aleksandar Nikolic, a final year Computer Science student at
> >    Faculty Of Technical Sciences, University of Novi Sad. I have
> >    certain experience in vulnerability and exploit research, and would
> >    like to apply for a position of a Script developer- Vulnerability
> >    and exploitation specialist in the following Google Summer Of Code.
> >    Since student applications haven't started yet I won't talk a lot
> >    about myself now, but guidelines from Google suggest to try to
> >    contact the community and possibly discuss the project.
> >
> > In an attempt to prepare for the application and to get familiar with
> > nmap's scripting engine I wrote a script to test for recent Windows
> > RDP vulnerability. Everybody is talking about the vulnerability and
> > until today I was unaware of a way to check if a machine is vulnerable
> > or not without causing the BSoD. My script is based on work by sleepya
> > . His tests are crafted in a way that would avoid triggering the BSoD.
> > Please see the attached code for details.
> >
> > Of course, this script would need to be thoroughly tested, but my
> > tests have shown that it works, at least on Windows XP. Also, I've
> > just started playing with NSE and wanted to share this with you since
> > it is a hot topic currently. Please let me know if I should make some
> > improvements. I hope that you will find it useful.
>
> Thanks Aleksandar. I'm looking forward to reading your application.
> About the script, I agree that it's mysterious to have so many
> unexplained hex codes in there. We like to document those whenever
> possible, otherwise no one will be able to understand and modify the
> script later.
>
> What interests me is how this script works without BSOD when other
> techniques don't. What makes the difference? That's what I would like to
> see in documentation comments.
>
> > On topic, do you have any suggestions for me regarding the application
> > for this position?
>
> For script writers, we like to see knowledge of Lua and networking, but
> especially ideas for the kinds of scripts you intend to write that are a
> good match for your skills.
>
> David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/