Nmap Development mailing list archives
Jiayi's Status Report - #17 of 17
From: Jiayi Ye <yejiayily () gmail com>
Date: Mon, 24 Aug 2015 09:03:41 +0800
Hi,

It was great to take part in GSoC. It was a fun summer. Here is what I accomplished and what I will do next.

SCRIPTS:

* Tor-consensus-check (NEW): This script works by using the Tor network consensuses, which consist of Tor network status and are published by the Tor directory authorities, to check if the target is listed as a Tor node.

* smtp-vuln-cve2015-0235 (NEW): This script checks for and/or exploits a heap-based buffer overflow in the GNU C Library's gethostbyname functions on x86 and x86_64 GNU/Linux systems (CVE-2015-0235) that run the Exim mail server. I finished the detection part that reports CVE-2015-0235 in the Exim mail server; besides that, I wrote the information-leak part, but I failed to perform a successful exploitation in my vulnerability environment.

* vulscan (UPDATE): This script attempts to discover vulnerabilities by matching information from the version detection engine with databases such as CVE, ExploitDB and Scipvuldb. I updated the script in the following aspects. Firstly, I removed the databases for which updating is not supported and got licenses for the three databases that we decided to keep. Secondly, I added functionality to update the databases and to stop the script from running if the databases are not available. Thirdly, I polished the script's code style, output, documentation and other things. I tested it in both Mac and Windows environments, and I think it is ready for committing.

* http-vuln-cve2015-1635 (UPDATE): This script checks for a remote code execution vulnerability (MS15-034) in Microsoft Windows systems (CVE-2015-1635). I updated http-vuln-cve2015-1635 to perform reliable information disclosure by trying different byte ranges.

* smb-check-vulns.nse (UPDATE): I split the script into six scripts (https://github.com/nmap/nmap/issues/171) and ported these vulnerability scripts to the vulns library. Besides, I set up a vulnerability environment for each of them and tested the split scripts in the different vuln environments.
NSELIB:

* I spent a fair amount of time implementing functionality related to the SMB2 protocol. At first I wrote a separate lib named smb2.lua. Then I combined smb2.lua with the current smb.lua. Now the script supports sending commands (SMB2_COM_NEGOTIATE, SMB2_COM_SESSION_SETUP, SMB2_COM_LOGOFF, SMB2_COM_TREE_CONNECT, SMB2_COM_TREE_DISCONNECT, SMB2_COM_CREATE, SMB2_COM_CLOSE, SMB2_COM_FLUSH, SMB2_COM_READ, SMB2_COM_WRITE, SMB2_COM_LOCK, SMB2_COM_IOCTL, SMB2_COM_CANCEL, SMB2_COM_ECHO, SMB2_COM_QUERY_DIRECTORY, SMB2_COM_CHANGE_NOTIFY) and parsing the related responses. The basic login/logoff using smb2 is similar to smb, as follows:

-- <code>
-- [connect]
-- C->S SMB_COM_NEGOTIATE
-- S->C SMB_COM_NEGOTIATE (if the server supports smb2, set smb['Version'] == "SMB2")
-- C->S SMB2_COM_NEGOTIATE
-- S->C SMB2_COM_NEGOTIATE
-- C->S SMB2_COM_SESSION_SETUP
-- S->C SMB2_COM_SESSION_SETUP
-- C->S SMB2_COM_TREE_CONNECT
-- S->C SMB2_COM_TREE_CONNECT
-- ...
-- C->S SMB2_COM_TREE_DISCONNECT
-- S->C SMB2_COM_TREE_DISCONNECT
-- C->S SMB2_COM_LOGOFF
-- S->C SMB2_COM_LOGOFF
-- [disconnect]
-- </code>

I tested the smb2 lib with the current smb-related scripts and added some functions to make the current smb-related scripts compatible with the smb2 protocol. For example, I added smb2_find_files to make smb-ls.nse work well using smb2. In addition, I found a possible bug in the current smb-system-info.nse. At first my environment for testing the smb2 lib was Linux Samba version 4.1.17. Then I set up a Windows environment to do more testing.

Priorities:

* Improve and test the smb2 lib
* Test vulscan and commit it
* Test http-vuln-cve2015-1635 and commit it
* Improve and test the six scripts related to smb-check-vulns.nse
* Finish the exploitation part of smtp-vuln-cve2015-0235 afterwards

Thanks,
Jiayi Ye
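To make the request/response pairing in the login/logoff sequence above concrete, here is an added Python example (not code from the report or from Nmap's smb.lua) that parses the 64-byte SMB2 header, tells an SMB2 reply (header 0xFE 'SMB') from an SMB1 one (0xFF 'SMB') the way the version check in the sequence does, and walks a constructed login/logoff exchange, rejecting out-of-order responses and failed commands. The command codes, flag and NTSTATUS value are MS-SMB2 values; the sample messages and session id are made up.

```python
import struct

# MS-SMB2 command codes 0x0000-0x000F, the commands the report's smb2 lib now sends.
SMB2_COMMANDS = ["NEGOTIATE", "SESSION_SETUP", "LOGOFF", "TREE_CONNECT", "TREE_DISCONNECT",
                 "CREATE", "CLOSE", "FLUSH", "READ", "WRITE", "LOCK", "IOCTL", "CANCEL", "ECHO",
                 "QUERY_DIRECTORY", "CHANGE_NOTIFY"]
SMB2_FLAGS_SERVER_TO_REDIR = 0x1              # header flag set on every response
STATUS_MORE_PROCESSING_REQUIRED = 0xC0000016  # expected mid-handshake SESSION_SETUP status
# 64-byte SMB2 header, little-endian, fields in MS-SMB2 2.2.1.2 order (Signature last).
HEADER = struct.Struct("<4sHHIHHIIQIIQ16s")

def parse_smb2_header(buf):
    """Return (command name, is_response, status, session_id); None for SMB1 (0xFF 'SMB') or junk."""
    if len(buf) < HEADER.size or buf[:4] != b"\xfeSMB":
        return None
    _, size, _, status, cmd, _, flags, _, _, _, _, sid, _ = HEADER.unpack_from(buf)
    if size != 64:
        return None
    name = "SMB2_COM_" + (SMB2_COMMANDS[cmd] if cmd < len(SMB2_COMMANDS) else "0x%04X" % cmd)
    return name, bool(flags & SMB2_FLAGS_SERVER_TO_REDIR), status, sid

def build_smb2_header(cmd, response=False, status=0, session_id=0):
    """Constructed header-only message (no body, zero signature) for the sample below."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if response else 0
    return HEADER.pack(b"\xfeSMB", 64, 0, status, cmd, 0, flags, 0, 0, 0, 0, session_id, b"\0" * 16)

def walk_exchange(messages):
    """Pair requests with responses and return the ordered request commands; raise on errors."""
    seq, pending = [], None
    for raw in messages:
        parsed = parse_smb2_header(raw)
        if parsed is None:
            raise ValueError("not an SMB2 message")
        name, is_resp, status, _ = parsed
        if not is_resp:
            if pending is not None:
                raise ValueError("%s sent before %s was answered" % (name, pending))
            pending = name
        elif pending != name:
            raise ValueError("response %s does not answer %s" % (name, pending))
        elif status not in (0, STATUS_MORE_PROCESSING_REQUIRED):
            raise ValueError("%s failed with NTSTATUS 0x%08X" % (name, status))
        else:
            seq.append(name)
            pending = None
    return seq

# Constructed sample following the report's login/logoff sequence (session id is made up).
SAMPLE = []
for cmd in (0x0, 0x1, 0x3, 0x4, 0x2):
    SAMPLE += [build_smb2_header(cmd), build_smb2_header(cmd, response=True, session_id=0x1234)]
```

Run `walk_exchange(SAMPLE)` to get the five request commands in order; feed it real SMB2 messages captured from a session to spot a reply that does not match its request.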
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/