Articles Tagués ‘Script Check 17-010’

[MS17-010 Vulnerability] Script NMAP pour checker la MS17-010

Publié: 18/05/2017 dans IT Security
Tags:, , , , , ,
4

J’imagine que tout le monde est au courant du Ransomware (WannaCry) exploitant les vulnérabilités MS17-010 sur les OS Windows (Client & Server).

Toutes les KBs nécessaires pour corriger à cette faille sont publiées par Microsoft et disponibles depuis Mars 2017. Mais avant de les appliquer, vous devez d’abord scanner votre parc informatique pour lister les serveurs et clients Windows encore vulnérables à la MS17-010 pour établir la liste complète des machines à patcher par la suite.

Commencez par downloader Nmap pour Windows, récupérer ensuite le script Nmap pour la MS17-010 (script disponible ici, sinon vous pouvez copier /coller le code ci-après), et exécutez ensuite la commande suivante :

nmap -sC -p445 –open –max-hostgroup 3 –script smb-vuln-ms17-010.nse X.X.X.X/X

Dans l’exemple suivant, nous allons scanner le Subnet 10.0.110.0 /24, la commande suivante est donc utilisée:

nmap -sC -p445 –open –max-hostgroup 3 –script smb-vuln-ms17-010.nse 10.0.0.0/16

Un travail de traitement de fichier est à faire, car le résultat retourné par NMAP (pour un « gros » parc de serveurs et postes de travail) n’est pas « très exploitable », voir capture d’écran suivant :

local smb = require "smb"
local vulns = require "vulns"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms17-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
 checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
 determine if the target is not patched against ms17-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
 signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb 
]]

---
-- @usage nmap -p445 --script smb-vuln-ms17-010 <target>
-- @usage nmap -p445 --script vuln <target>
--
-- @output
-- Host script results:
-- | smb-vuln-ms17-010: 
-- |   VULNERABLE:
-- |   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
-- |     State: VULNERABLE
-- |     IDs:  CVE:CVE-2017-0143
-- |     Risk factor: HIGH
-- |       A critical remote code execution vulnerability exists in Microsoft SMBv1
-- |        servers (ms17-010).
-- |       
-- |     Disclosure date: 2017-03-14
-- |     References:
-- |       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
-- |       https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
-- |_      https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
--
-- @xmloutput
-- <table key="CVE-2017-0143">
-- <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
-- <elem key="state">VULNERABLE</elem>
-- <table key="ids">
-- <elem>CVE:CVE-2017-0143</elem>
-- </table>
-- <table key="description">
-- <elem>A critical remote code execution vulnerability exists in Microsoft SMBv1
 servers (ms17-010).
</elem>
-- </table>
-- <table key="dates">
-- <table key="disclosure">
-- <elem key="month">03</elem>
-- <elem key="year">2017</elem>
-- <elem key="day">14</elem>
-- </table>
-- </table>
-- <elem key="disclosure">2017-03-14</elem>
-- <table key="refs">
-- <elem>https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</elem>
-- <elem>https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143</elem>
-- <elem>https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</elem>
-- </table>
-- </table>
---

author = "Paulino Calderon <paulino()calderonpale.com>"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

hostrule = function(host)
  return smb.get_port(host) ~= nil
end

local function check_ms17010(host, port, sharename)
  local status, smbstate = smb.start_ex(host, true, true, sharename, nil, nil, nil)
  if not status then
    stdnse.debug1("Could not connect to '%s'", sharename)
    return false, string.format("Could not connect to '%s'", sharename)
  else
    local overrides = {}
    local smb_header, smb_params, smb_cmd

    stdnse.debug1("Connected to share '%s'", sharename)

    overrides['parameters_length'] = 0x10

    --SMB_COM_TRANSACTION opcode is 0x25
    smb_header = smb.smb_encode_header(smbstate, 0x25, overrides)
    smb_params = string.pack(">I2 I2 I2 I2 B B I2 I4 I2 I2 I2 I2 I2 B B I2 I2 I2 I2 I2 I2",
      0x0,     -- Total Parameter count (2 bytes)
      0x0,     -- Total Data count (2 bytes)
      0xFFFF,  -- Max Parameter count (2 bytes)
      0xFFFF,  -- Max Data count (2 bytes)
      0x0,     -- Max setup Count (1 byte)
      0x0,     -- Reserved (1 byte)
      0x0,     --Flags (2 bytes)
      0x0,     --Timeout (4 bytes)
      0x0,     --Reserved (2 bytes)
      0x0,     --ParameterCount (2 bytes)
      0x4a00,  --ParameterOffset (2 bytes)
      0x0,     --DataCount (2 bytes)
      0x4a00,  -- DataOffset (2 bytes)
      0x02,    -- SetupCount (1 byte)
      0x0,     -- Reserved (1 byte)
      0x2300,  -- PeekNamedPipe opcode
      0x0,     --
      0x0700,  --BCC (Length of "\PIPE\")
      0x5c50,  --\P
      0x4950,  --IP 
      0x455c   --E\
    )
    stdnse.debug2("SMB: Sending SMB_COM_TRANSACTION")
    result, err = smb.smb_send(smbstate, smb_header, smb_params, '', overrides)
    if(result == false) then
      stdnse.debug1("There was an error in the SMB_COM_TRANSACTION request")
      return false, err
    end

    result, smb_header, _, _ = smb.smb_read(smbstate)
    _ , smb_cmd, err = string.unpack("<c4 B I4", smb_header)
    if smb_cmd == 37 then -- SMB command for Trans is 0x25
      stdnse.debug1("Valid SMB_COM_TRANSACTION response received")

      --STATUS_INSUFF_SERVER_RESOURCES indicate that the machine is not patched
      if err == 0xc0000205 then 
        stdnse.debug1("STATUS_INSUFF_SERVER_RESOURCES response received")
        return true
      end
    else
      stdnse.debug1("Received invalid command id.")
      return false, err
    end
  end
end

action = function(host,port)
  local vuln_status, err
  local vuln = {
    title = "Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)",
    IDS = {CVE = 'CVE-2017-0143'},
    risk_factor = "HIGH",
    description = [[
A critical remote code execution vulnerability exists in Microsoft SMBv1
 servers (ms17-010).
]],
    references = {
    'https://technet.microsoft.com/en-us/library/security/ms17-010.aspx',
    'https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/'
    },
    dates = {
      disclosure = {year = '2017', month = '03', day = '14'},
    }
  }
  local sharename = stdnse.get_script_args(SCRIPT_NAME .. ".sharename") or "IPC$"
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  vuln.state = vulns.STATE.NOT_VULN

  vuln_status, err = check_ms17010(host, port, sharename)
  if vuln_status then
    stdnse.debug1("This host is missing the patch for ms17-010!")
    vuln.state = vulns.STATE.VULN
  else
    if nmap.verbosity() >=1 then
      return err
    end
  end
  return report:make_output(vuln)
end