Nmap Development mailing list archives

Jiayi's Status Report - #17 of 17


From: Jiayi Ye <yejiayily () gmail com>
Date: Mon, 24 Aug 2015 09:03:41 +0800

Hi,

It was great to take part in GSoC. It was a fun summer. Here is what
I accomplished and what I will do next.


SCRIPTS:
* Tor-consensus-check (NEW): This script works by using the Tor network
consensuses, which consist of Tor network status and are published by
Tor directory authorities, to check if the target is listed as a Tor node.


* smtp-vuln-cve2015-0235 (NEW): This script checks for and/or exploits a
heap-based buffer overflow in the GNU C Library's gethostbyname
functions on x86 and x86_64 GNU/Linux systems (CVE-2015-0235) that run
the Exim mail server. I finished the detection part, which reports
CVE-2015-0235 in the Exim mail server; besides that, I wrote the
information leak part, but I failed to perform successful exploitation in
my vulnerability environment.


* vulscan (UPDATE): This script attempts to discover vulnerabilities by
matching information from the version detection engine with databases
such as CVE, ExploitDB and Scipvuldb. I updated the script in the
following aspects. Firstly, I removed databases that cannot be
updated and got licenses for the three databases that we decided to
keep. Secondly, I added functionality to update the databases and to stop
running the script if the databases are not available. Thirdly, I polished the
script's code style, output, documentation and more. I tested it in
both Mac and Windows environments, and I think it is ready for
committing.


* http-vuln-cve2015-1635 (UPDATE): This script checks for a remote code
execution vulnerability (MS15-034) in Microsoft Windows systems
(CVE-2015-1635). I updated http-vuln-cve2015-1635 to perform
reliable information disclosure by trying different byte ranges.


* smb-check-vulns.nse (UPDATE): I split the script into six scripts (
https://github.com/nmap/nmap/issues/171) and ported these
vulnerability scripts to the vulns library. Besides, I set up a
vulnerability environment for each of them and tested the split
scripts in different vuln environments.


NSELIB:

* I spent a large amount of time on implementing functionality related to
the SMB2 protocol. At first I wrote a separate lib named smb2.lua. Then I
combined smb2.lua with the current smb.lua.


Now the lib supports sending commands (SMB2_COM_NEGOTIATE,
SMB2_COM_SESSION_SETUP, SMB2_COM_LOGOFF, SMB2_COM_TREE_CONNECT,
SMB2_COM_TREE_DISCONNECT, SMB2_COM_CREATE, SMB2_COM_CLOSE,
SMB2_COM_FLUSH, SMB2_COM_READ, SMB2_COM_WRITE, SMB2_COM_LOCK,
SMB2_COM_IOCTL, SMB2_COM_CANCEL, SMB2_COM_ECHO,
SMB2_COM_QUERY_DIRECTORY, SMB2_COM_CHANGE_NOTIFY) and parsing the related
responses.


The basic login/logoff using smb2 is similar to smb as follows:
-- <code>
-- [connect]
-- C->S SMB_COM_NEGOTIATE
-- S->C SMB_COM_NEGOTIATE (if the server supports smb2, set
--   smb['Version'] == "SMB2")
--
-- C->S SMB2_COM_NEGOTIATE
-- S->C SMB2_COM_NEGOTIATE
-- C->S SMB2_COM_SESSION_SETUP
-- S->C SMB2_COM_SESSION_SETUP
-- C->S SMB2_COM_TREE_CONNECT
-- S->C SMB2_COM_TREE_CONNECT
-- ...
-- C->S SMB2_COM_TREE_DISCONNECT
-- S->C SMB2_COM_TREE_DISCONNECT
-- C->S SMB2_COM_LOGOFF
-- S->C SMB2_COM_LOGOFF
-- [disconnect]
-- </code>

I tested the smb2 lib with the current smb-related scripts and added some
functions to make the current smb-related scripts compatible with the SMB2
protocol. For example, I added smb2_find_files to make smb-ls.nse work
well using smb2. In addition, I found a possible bug in the current
smb-system-info.nse.


At first my environment for testing the smb2 lib was Linux Samba version
4.1.17. Then I set up a Windows environment to do more testing.


Priorities:
* Improve and test smb2 lib

* Test vulscan and commit it

* Test http-vuln-cve2015-1635 and commit it

* Improve and test the six scripts related to smb-check-vulns.nse

* Finish the exploitation part of smtp-vuln-cve2015-0235 afterwards

Thanks,
Jiayi Ye
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
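As an added example (not code from the report, from Nmap's smb.lua or from the NSE library), the following Python encodes and decodes the 64-byte SMB2 header defined in [MS-SMB2] and walks the login/logoff exchange shown in the report, pairing every C->S request with the following S->C response by command code and MessageId and requiring the SERVER_TO_REDIR flag on responses. The command codes are the standard SMB2 values, in the same order as the command list above; the sample exchange, the session and tree ids, and the helper names (build_header, parse_header, check_exchange, constructed_login_logoff, rejects) are constructed here and are assumptions, not the library's API.

```python
"""SMB2 header encoder/decoder plus a checker for the login/logoff exchange."""
import struct

SMB2_PROTOCOL_ID = b"\xfeSMB"           # every SMB2 message starts with this
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"    # [MS-SMB2] 2.2.1 packet header, little-endian
SMB2_HEADER_SIZE = struct.calcsize(SMB2_HEADER_FMT)  # 64 bytes
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set by the server on every response

# Command codes from [MS-SMB2] 2.2.1; same order as the command list in the report.
SMB2_COMMANDS = {
    0x0000: "SMB2_COM_NEGOTIATE", 0x0001: "SMB2_COM_SESSION_SETUP",
    0x0002: "SMB2_COM_LOGOFF", 0x0003: "SMB2_COM_TREE_CONNECT",
    0x0004: "SMB2_COM_TREE_DISCONNECT", 0x0005: "SMB2_COM_CREATE",
    0x0006: "SMB2_COM_CLOSE", 0x0007: "SMB2_COM_FLUSH",
    0x0008: "SMB2_COM_READ", 0x0009: "SMB2_COM_WRITE",
    0x000A: "SMB2_COM_LOCK", 0x000B: "SMB2_COM_IOCTL",
    0x000C: "SMB2_COM_CANCEL", 0x000D: "SMB2_COM_ECHO",
    0x000E: "SMB2_COM_QUERY_DIRECTORY", 0x000F: "SMB2_COM_CHANGE_NOTIFY",
}
COMMAND_BY_NAME = {name: code for code, name in SMB2_COMMANDS.items()}

# Command order of the login/logoff exchange shown in the report.
LOGIN_LOGOFF_SEQUENCE = ["SMB2_COM_NEGOTIATE", "SMB2_COM_SESSION_SETUP",
                         "SMB2_COM_TREE_CONNECT", "SMB2_COM_TREE_DISCONNECT",
                         "SMB2_COM_LOGOFF"]


def build_header(command, message_id, *, session_id=0, tree_id=0, flags=0, status=0):
    """Encode a 64-byte SMB2 header; the 16-byte signature is left zeroed (unsigned)."""
    return struct.pack(SMB2_HEADER_FMT, SMB2_PROTOCOL_ID, SMB2_HEADER_SIZE,
                       0,              # CreditCharge
                       status, command,
                       1,              # CreditRequest/CreditResponse
                       flags,
                       0,              # NextCommand (no compounding)
                       message_id,
                       0,              # Reserved / ProcessId
                       tree_id, session_id, b"\x00" * 16)


def parse_header(data):
    """Decode an SMB2 header, rejecting anything that is not well-formed."""
    if len(data) < SMB2_HEADER_SIZE:
        raise ValueError("short SMB2 header: %d bytes" % len(data))
    (proto, size, _credit_charge, status, command, _credits, flags, _next,
     message_id, _reserved, tree_id, session_id,
     _sig) = struct.unpack(SMB2_HEADER_FMT, data[:SMB2_HEADER_SIZE])
    if proto != SMB2_PROTOCOL_ID:
        raise ValueError("not an SMB2 message: %r" % proto)
    if size != SMB2_HEADER_SIZE:
        raise ValueError("bad StructureSize %d" % size)
    if command not in SMB2_COMMANDS:
        raise ValueError("unknown command 0x%04x" % command)
    return {"command": SMB2_COMMANDS[command], "status": status, "flags": flags,
            "message_id": message_id, "tree_id": tree_id, "session_id": session_id,
            "is_response": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR)}


def check_exchange(messages):
    """Pair each C->S request with the next S->C response.

    `messages` is a list of (direction, raw_bytes) with direction "C->S" or "S->C".
    Returns the command names of the matched pairs in order; raises ValueError on a
    response that does not match its request (command or MessageId) or lacks the
    SERVER_TO_REDIR flag, or on a request sent while another is still unanswered.
    """
    seen, pending = [], None
    for direction, raw in messages:
        hdr = parse_header(raw)
        if direction == "C->S":
            if hdr["is_response"]:
                raise ValueError("request carries the SERVER_TO_REDIR flag")
            if pending is not None:
                raise ValueError("new request while %s is unanswered" % pending["command"])
            pending = hdr
        else:
            if pending is None:
                raise ValueError("unsolicited response %s" % hdr["command"])
            if not hdr["is_response"]:
                raise ValueError("response without the SERVER_TO_REDIR flag")
            if (hdr["command"], hdr["message_id"]) != (pending["command"], pending["message_id"]):
                raise ValueError("response %s/%d does not match request %s/%d" % (
                    hdr["command"], hdr["message_id"], pending["command"], pending["message_id"]))
            seen.append(hdr["command"])
            pending = None
    if pending is not None:
        raise ValueError("request %s left unanswered" % pending["command"])
    return seen


def constructed_login_logoff():
    """Constructed sample exchange (not a real capture) following the report's sequence."""
    session_id, tree_id = 0x1122334455667788, 1   # assumed values
    msgs = []
    for mid, name in enumerate(LOGIN_LOGOFF_SEQUENCE):
        cmd = COMMAND_BY_NAME[name]
        sid = session_id if mid >= 2 else 0        # known to the client after SESSION_SETUP
        tid = tree_id if name == "SMB2_COM_TREE_DISCONNECT" else 0
        msgs.append(("C->S", build_header(cmd, mid, session_id=sid, tree_id=tid)))
        msgs.append(("S->C", build_header(cmd, mid, session_id=session_id if mid >= 1 else 0,
                                          tree_id=tid, flags=SMB2_FLAGS_SERVER_TO_REDIR)))
    return msgs


def rejects(func, *args):
    """True if func(*args) raises ValueError; used to show the checks fire."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in check_exchange(constructed_login_logoff()):
        print("matched request/response pair:", name)
```

The checker deliberately treats a response whose command or MessageId differs from the outstanding request as an error rather than skipping it, which is the behaviour a client library wants when it has not implemented compounding (NextCommand is always 0 here).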
