Nmap Development mailing list archives

Re: [NSE] MS08-067 check


From: jah <jah () zadkiel plus com>
Date: Thu, 06 Nov 2008 00:57:54 +0000

On 05/11/2008 22:07, Ron wrote:
> Hey all,
>
> I just put together a quick prototype for a ms08-067 checker. It's in
> the following branch:
> svn://svn.insecure.org/nmap-exp/ron/ms08-067-test
>
> The script is smb-checkvulns.nse.
>
> I ran it against about 5 test systems, and produced accurate results
> (and properly changed after I applied the patch).
>
> The only trick is that it can crash the svchost.exe process. If you
> have Visual Studio installed, it'll try to initiate the debugger;
> otherwise, it'll give you a 60-second countdown then reboot the
> system. I ran it about 50 times straight, and it didn't crash once.
> But it did crash a different box on the first go. :)

Hi Ron,

I tried your script against an unpatched box and it crashed first time
and reported the box as not vulnerable.  After rebooting it reported the
box as vulnerable and didn't crash it.  I tried numerous times (I lost
count but it was upwards of 70) to get it to crash again without
success.  So then I rebooted the box again and lo and behold it crashed
first time again (and was reported as not vulnerable).  There seems to
be something about the state of the machine that only changes between
reboots...

Anyway, it correctly reports non-vulnerable boxes, correctly reports
vulnerable ones if svchost doesn't crash, but incorrectly reports as
non-vulnerable if svchost does crash.  I've got a script-trace of the
latter if you want it.

Nice work.

jah

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

