ch2_CaseStudy_CanonicalNASLScript.txt

1 #
2 # This is a verbose template for generic NASL scripts.
3 #

5 #
6 # Script Title and Description
7 #
8 # Include a large comment block at the top of your script
9 # indicating what the script checks for, which versions
10 # of the target software are vulnerable, your name, the
11 # date the script was written, credit to whoever found the
12 # original exploit, and any other information you wish to
13 # include.
14 #
15 
16 if (description)
17 {
18  # All scripts should include a "description" section
19  # inside an "if (description) { ... }" block.  The
20  # functions called from within this section report
21  # information back to Nessus.
22  #
23  # Many of the functions in this section accept named
24  # parameters which support multiple languages.  The
25  # languages supported by Nessus include 揺nglish,?
26  # 揻rancais,?揹eutsch,?and 損ortuguese.? If the argument
27  # is unnamed, the default is English.  English is
28  # required; other languages are optional.
29  
30  script_version("$Revision:1.0$");
31  
32  # script_name is simply the name of the script.  Use a
33  # descriptive name for your script.  For example,
34  # "php_4_2_x_malformed_POST.nasl" is a better name than
35  # "php.nasl"
36  name["english"] = "Script Name in English";
37  name["francais"] = "Script Name in French";
38  script_name(english:name["english"], francais:name["francais"]);
39  
40  # script_description is a detailed explanation of the vulnerablity.
41  desc["english"] = "
42 This description of the script will show up in Nessus when
43 the script is viewed.  It should include a discussion of
44 what the script does, which software versions are vulnerable,
45 links to the original advisory, links to the CVE and BugTraq
46 articles (if they exist), a link to the vendor web site, a
47 link to the patch, and any other information which may be
48 useful.
49 
50 The text in this string is not indented, so that it displays
51 correctly in the Nessus GUI.";
52  script_description(english:desc["english"]);
53  
54  # script_summary is a one line description of what the script does.
55  summary["english"] = "One line English description.";
56  summary["francais"] = "One line French description.";
57  script_summary(english:summary["english"],francais:summary["francais"]);
58  
59  # script_category should be one of the following:
60  # ACT_INIT: Plugin sets KB items.
61  # ACT_SCANNER: Plugin is a port scanner or similar (like ping).
62  # ACT_SETTINGS: Plugin sets KB items after ACT_SCANNER.
63  # ACT_GATHER_INFO: Plugin identifies services, parses banners.
64  # ACT_ATTACK: For non-intrusive attacks (eg directory traversal)
65  # ACT_MIXED_ATTACK: Plugin launches potentially dangerous attacks.
66  # ACT_DESTRUCTIVE_ATTACK: Plugin attempts to destroy data.
67  # ACT_DENIAL: Plugin attempts to crash a service.
68  # ACT_KILL_HOST: Plugin attempts to crash target host.
69  script_category(ACT_DENIAL);
70  
71  # script_copyright allows the author to place a copyright
72  # on the plugin.  Often just the name of the author, but
73  # sometimes "GPL" or "No copyright."
74  script_copyright(english:"No copyright.");
75  
76  # script_family classifies the behavior of the service.  Valid
77  # entries include:
78  # - Backdoors
79  # - CGI abuses
80  # - CISCO
81  # - Denial of Service
82  # - Finger abuses
83  # - Firewalls
84  # - FTP
85  # - Gain a shell remotely
86  # - Gain root remotely
87  # - General
88  # - Misc.
89  # - Netware
90  # - NIS
91  # - Ports scanners
92  # - Remote file access
93  # - RPC
94  # - Settings
95  # - SMTP problems
96  # - SNMP
97  # - Untested
98  # - Useless services
99  # - Windows
100  # - Windows : User management
101  family["english"] = "Denial of Service";
102  family["francais"] = "Deni de Service";
103  script_family(english:family["english"],francais:family["francais"]);
104  
105  # script_dependencies is the same as the incorrectly-
106  # spelled "script_dependencie" function from NASL1.  It
107  # indicates which other NASL scripts are required for the
108  # script to function properly.
109  script_dependencies("find_service.nes");
110  
111  # script_require_ports takes one or more ports and/or
112  # Knowledge Base entries
113  script_require_ports("Services/www",80);
114  
115  # Always exit from the "description" block
116  exit(0);
117 }
118 
119 #
120 # Check begins here
121 #
122 
123 # Include other scripts and library functions first
124 include("http_func.inc");
125 
126 # Get initialization information from the KB or the target
127 port = get_kb_item("Services/www");
128 if ( !port ) port = 80;
129 if ( !get_port_state(port) ) exit(0);
130 
131 if( safe_checks() ) {
132 
133  # Nessus users can check the "Safe Checks Only" option
134  # when using Nessus to test critical hosts for known
135  # vulnerabilities.  Implementing this section is optional,
136  # but highly recommended.  Safe checks include banner
137  # grabbing, reading HTTP response messages, and the like.
138 
139  # grab the banner
140  b = get_http_banner(port: port);
141  
142  # check to see if the banner matches Apache/2.
143  if ( b =~ 'Server: *Apache/2\.' ) {
144   report = "
145 Apache web server version 2.x found - maybe it is vulnerable, but
146 maybe it isn't.  This is just an example script after all. 
147   
148 ** Note that Nessus did not perform a real test and
149 ** just checked the version number in the banner
150   
151 Solution : Check www.apache.org for the latest and greatest.
152 Risk factor : Low";
153   
154   # report the vulnerable service back to Nessus
155   # Reporting functions include:
156   # security_note: an informational finding
157   # security_warning: a minor problem
158   # security_hole: a serious problem
159   security_hole(port: port, data: report);
160  }
161 
162  # done with safe_checks, so exit
163  exit(0);
164  
165 } else {
166  # If safe_checks is not enabled, we can test using more intrusive
167  # methods such as Denial of Service or Buffer Overflow attacks.
168  
169  # make sure the host isnt' dead before we get started...
170  if ( http_is_dead(port:port) ) exit(0);
171  
172  # open a socket to the target host on the target port
173  soc = http_open_socket(port);
174  if( soc ) {
175   # craft the custom payload, in this case, a string
176   payload = "some nasty string\n\n\n\n\n\n\n\n\n";
177   
178   # send the payload
179   send(socket:soc, data:payload);
180   
181   # read the result.
182   r = http_recv(socket:soc);
183   
184   # Close the socket to the foreign host.
185   http_close_socket(soc);
186  
187     # If the host is unresponsive, report a serious alert.
188   if ( http_is_dead(port:port) ) security_hole(port);
189  }
190 }

你可能感兴趣的:(script)