[Openvas-commits] r5567 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Oct 15 20:15:01 CEST 2009
Author: mime
Date: 2009-10-15 20:14:59 +0200 (Thu, 15 Oct 2009)
New Revision: 5567
Added:
trunk/openvas-plugins/plugins_current.txt
trunk/openvas-plugins/scripts/dopewars_server_36606.nasl
trunk/openvas-plugins/scripts/femitter_httpd_36656.nasl
trunk/openvas-plugins/scripts/samba_multiple_vulnerabilities.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/cvspserver_version.nasl
trunk/openvas-plugins/scripts/photopost_detect.nasl
trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl
Log:
Added new plugins
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/ChangeLog 2009-10-15 18:14:59 UTC (rev 5567)
@@ -1,3 +1,20 @@
+2009-10-15 Michael Meyer <michael.meyer at intevation.de>
+
+ * plugins_current.txt:
+ Added new file.
+
+ * scripts/femitter_httpd_36656.nasl,
+ scripts/samba_multiple_vulnerabilities.nasl,
+ scripts/dopewars_server_36606.nasl:
+ Added new plugins.
+
+ * scripts/secpod_ms09-050-remote.nasl:
+ Added check to make sure it is SMBv2.
+
+ * scripts/photopost_detect.nasl,
+ scripts/cvspserver_version.nasl:
+ Merged with plugins from LSS.
+
2009-10-15 Chandrashekhar B <bchandra at secpod.com>
* scripts/secpod_ms09-061.nasl:
Added: trunk/openvas-plugins/plugins_current.txt
===================================================================
--- trunk/openvas-plugins/plugins_current.txt 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/plugins_current.txt 2009-10-15 18:14:59 UTC (rev 5567)
@@ -0,0 +1,14 @@
+This document is intended to maintain the Plugins (excluding plugins
+for CVE/BID. Use cve_current.txt instead) that are currently being
+implemented by NASL developers.
+
+Procedure:
+1. Before taking up for implementation, update this file to indicate that
+ it is being worked
+2. Before committing the plugin to SVN, change status to "svn".
+
+NVT Owner Status
+smb_enum_services.nasl LSS
+msrpc_dcom2.nasl LSS
+poptop_negative_read.nasl Greenbone
+
Modified: trunk/openvas-plugins/scripts/cvspserver_version.nasl
===================================================================
--- trunk/openvas-plugins/scripts/cvspserver_version.nasl 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/scripts/cvspserver_version.nasl 2009-10-15 18:14:59 UTC (rev 5567)
@@ -6,9 +6,10 @@
#
# Authors:
# Michael Meyer
+# LSS Security Team <http://security.lss.hr>
#
# Copyright:
-# Copyright (c) 2009 Greenbone Networks GmbH
+# Copyright (c) 2009 Greenbone Networks GmbH / LSS <http://www.lss.hr>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
@@ -40,7 +41,7 @@
script_summary("Set Version of CVS pserver in KB");
script_category(ACT_GATHER_INFO);
script_family("Service detection");
- script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH / LSS");
script_dependencies("find_service.nes");
script_require_ports("Services/cvspserver", 2401);
exit(0);
@@ -50,9 +51,106 @@
if(!port)port = 2401;
if(!get_port_state(port))exit(0);
+function scramble(pass) {
+# see http://www.delorie.com/gnu/docs/cvs/cvsclient_4.html
+# for scramble information
+
+ local_var x, scrambled, c;
+
+# character substitution table
+ c[33] = 120; # !
+ c[34] = 53; # "
+ c[37] = 109; # %
+ c[38] = 72; # &
+ c[39] = 108; # '
+ c[40] = 70; # (
+ c[41] = 64; # )
+ c[42] = 76; # *
+ c[43] = 67; # +
+ c[44] = 116; # ,
+ c[45] = 74; # -
+ c[46] = 68; # .
+ c[47] = 87; # /
+ c[48] = 111; # 0
+ c[49] = 52; # 1
+ c[50] = 75; # 2
+ c[51] = 119; # 3
+ c[52] = 49; # 4
+ c[53] = 34; # 5
+ c[54] = 82; # 6
+ c[55] = 81; # 7
+ c[56] = 95; # 8
+ c[57] = 65; # 9
+ c[58] = 112; # :
+ c[59] = 86; # ;
+ c[60] = 118; # <
+ c[61] = 110; # =
+ c[62] = 122; # >
+ c[63] = 105; # ?
+ c[65] = 57; # A
+ c[66] = 83; # B
+ c[67] = 43; # C
+ c[68] = 46; # D
+ c[69] = 102; # E
+ c[70] = 40; # F
+ c[71] = 89; # G
+ c[72] = 38; # H
+ c[73] = 103; # I
+ c[74] = 45; # J
+ c[75] = 50; # K
+ c[76] = 42; # L
+ c[77] = 123; # M
+ c[78] = 91; # N
+ c[79] = 35; # O
+ c[80] = 125; # P
+ c[81] = 55; # Q
+ c[82] = 54; # R
+ c[83] = 66; # S
+ c[84] = 124; # T
+ c[85] = 126; # U
+ c[86] = 59; # V
+ c[87] = 47; # W
+ c[88] = 92; # X
+ c[89] = 71; # Y
+ c[90] = 115; # Z
+ c[95] = 56; # _
+ c[97] = 121; # a
+ c[98] = 117; # b
+ c[99] = 104; # c
+ c[100] = 101; # d
+ c[101] = 100; # e
+ c[102] = 69; # f
+ c[103] = 73; # g
+ c[104] = 99; # h
+ c[105] = 63; # i
+ c[106] = 94; # j
+ c[107] = 93; # k
+ c[108] = 39; # l
+ c[109] = 37; # m
+ c[110] = 61; # n
+ c[111] = 48; # o
+ c[112] = 58; # p
+ c[113] = 113; # q
+ c[114] = 32; # r
+ c[115] = 90; # s
+ c[116] = 44; # t
+ c[117] = 98; # u
+ c[118] = 60; # v
+ c[119] = 51; # w
+ c[120] = 33; # x
+ c[121] = 97; # y
+ c[122] = 62; # z
+
+ for (x=0; x<strlen(pass); x++) {
+ scrambled += raw_string(c[ord(pass[x])]);
+ }
+
+return scrambled;
+}
+
logins = make_list("anonymous", "anoncvs");
passwords = make_list("","anoncvs", "anon");
-dirs = make_list("/var/lib/cvsd/","/cvs", "/cvsroot", "/home/ncvs", "/usr/local/cvs");
+dirs = make_list("/var/lib/cvsd/","/cvs", "/cvsroot", "/home/ncvs", "/usr/local/cvs","/u/cvs","/usr/local/cvsroot");
foreach dir (dirs) {
foreach login (logins) {
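Review bot: `scramble()` indexes the substitution table with every byte of its input, but the table added here has no entry for several printable characters (space, `#`, `$` and `@` among them), so `c[ord(pass[x])]` is null for those and `raw_string()` would put an unintended byte into the auth line. The candidate passwords in this hunk contain only letters, so nothing breaks today. A guard inside the loop such as `if (isnull(c[ord(pass[x])])) return NULL;` would stop later additions to the list from silently producing a malformed request. `scrambled` is also never initialised, and `scrambled = "";` before the loop makes the empty-password case explicit.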
@@ -61,7 +159,7 @@
soc = open_sock_tcp(port);
if(!soc)exit(0);
- req = string("BEGIN AUTH REQUEST\n", dir, "\n", login,"\n", "A", pass,"\n", "END AUTH REQUEST\n");
+ req = string("BEGIN AUTH REQUEST\n", dir, "\n", login,"\n", "A", scramble(password),"\n", "END AUTH REQUEST\n");
send(socket:soc, data:req);
buf = recv_line(socket:soc, length:4096);
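Review bot: The new request line calls `scramble(password)`, but no variable named `password` is assigned in the visible lines. The removed line used `pass` and the list is `passwords`, so the inner loop variable (declared outside this hunk) is presumably `pass`. If so, the scrambled value is always empty and every attempt is sent with a blank password, which would make the non-empty candidates dead entries and could hide a reachable pserver from the detection result. NASL binds declared parameters by name, so the call most likely needs to be `scramble(pass:pass)`.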
Added: trunk/openvas-plugins/scripts/dopewars_server_36606.nasl
===================================================================
--- trunk/openvas-plugins/scripts/dopewars_server_36606.nasl 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/scripts/dopewars_server_36606.nasl 2009-10-15 18:14:59 UTC (rev 5567)
@@ -0,0 +1,91 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Dopewars Server 'REQUESTJET' Message Remote Denial of Service Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100305);
+ script_bugtraq_id(36606);
+ script_version ("1.0-$Revision$");
+
+ script_name("Dopewars Server 'REQUESTJET' Message Remote Denial of Service Vulnerability");
+
+desc = "Overview:
+Dopewars is prone to a denial-of-service vulnerability that affects
+the server part of the application.
+
+An attacker can exploit this issue to crash the affected application,
+denying service to legitimate users.
+
+This issue affects Dopewars 1.5.12; other versions may also be
+affected.
+
+Solution:
+Fixes are available in the SVN repository. Please see the references
+for details.
+
+References:
+http://www.securityfocus.com/bid/36606
+http://dopewars.sourceforge.net/
+http://dopewars.svn.sourceforge.net/viewvc/dopewars?view=rev&revision=1033
+
+Risk factor : Low";
+
+ script_description(desc);
+ script_summary("Determine if Dopewars is prone to a dos vulnerability");
+ script_category(ACT_GATHER_INFO);
+ script_family("Denial of Service");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes");
+ script_require_ports("Services/unknown", 7902);
+ exit(0);
+}
+
+include("version_func.inc");
+
+port = 7902;
+if(!get_port_state(port))exit(0);
+
+soc = open_sock_tcp(port);
+if(!soc)exit(0);
+
+req = string("OpenVAS^^Ar1111111\n^^AcOpenVAS\n");
+send(socket:soc, data:req);
+buf = recv(socket:soc, length:50);
+
+if(!buf)exit(0);
+
+if("^" >< buf[0]) {
+ if(!version = eregmatch(pattern:"\^Ak([0-9.]+)\^",string:buf))exit(0);
+ if(isnull(version[1]))exit(0);
+
+ if(version_is_equal(version:version[1], test_version: "1.5.12")) {
+ security_warning(port:port);
+ exit(0);
+ }
+}
+exit(0);
+
+
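Review bot: The socket opened with `open_sock_tcp(port)` is never closed, because every path after `recv()` goes straight to `exit(0)`; add `close(soc);` directly after the `recv()` call. The port is also fixed at 7902 even though `script_require_ports` lists "Services/unknown", so a server on any other port is never checked. The result rests only on the reported version string being equal to 1.5.12, so a comment such as `# banner-based check: a build patched from SVN without a version bump is still reported` would help whoever triages the finding.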
Property changes on: trunk/openvas-plugins/scripts/dopewars_server_36606.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Added: trunk/openvas-plugins/scripts/femitter_httpd_36656.nasl
===================================================================
--- trunk/openvas-plugins/scripts/femitter_httpd_36656.nasl 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/scripts/femitter_httpd_36656.nasl 2009-10-15 18:14:59 UTC (rev 5567)
@@ -0,0 +1,105 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Acritum Femitter Server HTTP Request Remote File Disclosure Vulnerability
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100304);
+ script_bugtraq_id(36656);
+ script_version ("1.0-$Revision$");
+
+ script_name("Acritum Femitter Server HTTP Request Remote File Disclosure Vulnerability");
+
+desc = "Overview:
+Acritum Femitter Server is prone to a remote file-disclosure
+vulnerability because it fails to properly sanitize user-
+supplied input.
+
+An attacker can exploit this vulnerability to view the source code of
+the files in the context of the server process. This may aid in
+further attacks.
+
+Acritum Femitter Server 1.03 is affected; other versions may be
+vulnerable as well.
+
+References:
+http://www.securityfocus.com/bid/36656
+http://www.acritum.com/fem/index.htm
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Femitter HTTP Server is prone to a remote file-disclosure vulnerability.");
+ script_category(ACT_GATHER_INFO);
+ script_family("Web Servers");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("find_service.nes", "http_version.nasl","webmirror.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("http_keepalive.inc");
+
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+
+files = get_kb_list(string("www/", port, "/content/extensions/htm*"));
+if(!files) {
+ file = "/index.htm";
+} else {
+ files = make_list(files);
+ file = files[0];
+}
+
+url = string(file);
+req = http_get(item:url, port:port);
+buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+if( buf == NULL )continue;
+
+if(egrep(pattern: "Content-Type", string: buf, icase: TRUE)) {
+
+ content_typ = eregmatch(pattern:"Content-Type: ([a-zA-Z/-]+)",string:buf);
+
+ if(content_typ) {
+
+ url = string(file,".");
+ req = http_get(item:url, port:port);
+ buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+ if( buf == NULL )continue;
+
+ if(egrep(pattern: "Content-Type", string: buf, icase: TRUE)) {
+ content_typ1 = eregmatch(pattern:"Content-Type: ([a-zA-Z/-]+)",string:buf);
+ if(content_typ[1] >!< content_typ1[1] && "application/binary" >< content_typ1[1]) {
+ security_warning(port:port);
+ exit(0);
+ }
+ }
+ }
+}
+
+exit(0);
+
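Review bot: Both `if( buf == NULL )continue;` lines sit outside any loop, since this script has no `foreach` around the two requests. Depending on how the interpreter treats a stray `continue`, the script either fails to parse or carries on with a null buffer. Use `if( buf == NULL )exit(0);` in both places. `content_typ1` should also be checked before it is indexed, for example `if(isnull(content_typ1[1]))exit(0);`, because `eregmatch()` can fail even when the looser `egrep()` on "Content-Type" matched.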
Property changes on: trunk/openvas-plugins/scripts/femitter_httpd_36656.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/photopost_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/photopost_detect.nasl 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/scripts/photopost_detect.nasl 2009-10-15 18:14:59 UTC (rev 5567)
@@ -5,10 +5,11 @@
# Photopost Detection
#
# Authors:
+# LSS Security Team <http://security.lss.hr>
# Michael Meyer
#
# Copyright:
-# Copyright (c) 2009 Greenbone Networks GmbH
+# Copyright (c) 2009 LSS <http://www.lss.hr> / Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
@@ -43,14 +44,13 @@
script_summary("Checks for the presence of Photopost");
script_category(ACT_GATHER_INFO);
script_family("Service detection");
- script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_copyright("This script is Copyright (C) 2009 LSS / Greenbone Networks GmbH");
script_dependencies("find_service.nes", "http_version.nasl");
script_require_ports("Services/www", 80);
script_exclude_keys("Settings/disable_cgi_scanning");
exit(0);
}
-
include("http_func.inc");
include("http_keepalive.inc");
include("global_settings.inc");
@@ -60,46 +60,46 @@
if(!get_port_state(port))exit(0);
if(!can_host_php(port:port))exit(0);
-dirs = make_list("/photopost","/photos","/gallery",cgi_dirs());
+dirs = make_list("/photopost","/photos","/gallery","/photo",cgi_dirs());
-foreach dir (dirs) {
+foreach dir (dirs)
+{
+ # Grab index.php
+ url = string(dir, "/index.php");
+ req = http_send_recv(data:http_get(item:url, port:port), port:port);
+ if(isnull(req)) exit(0);
- url = string(dir, "/index.php");
- req = http_get(item:url, port:port);
- buf = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
- if( buf == NULL )continue;
+ # Check if it is PhotoPost
+ match=egrep(pattern:'Powered by[^>]*>(<font[^>]*>)?PhotoPost',string:req, icase:1);
+ if(match) {
+ # If PhotoPost detected, try different grep to extract version
+ match=egrep(pattern:'Powered by[^>]*>(<font[^>]*>)?PhotoPost.*PHP ([0-9.a-z]+)',string:req, icase:1);
+ if(match)
+ item=eregmatch(pattern:'Powered by[^>]*>(<font[^>]*>)?PhotoPost.*PHP ([0-9.a-z]+)',string:match, icase:1);
+ ver=item[2];
- if(egrep(pattern: "<a [^>]+>Photo Sharing Gallery by PhotoPost", string: buf, icase: TRUE) &&
- egrep(pattern: "Copyright.*All Enthusiast, Inc", string: buf, icase: TRUE)
- )
- {
- if(strlen(dir)>0) {
- install=dir;
- } else {
- install=string("/");
- }
+ # If version couldn't be extracted, mark as unknown
+ if(!ver) ver="unknown";
- vers = string("unknown");
+ # PhotoPost installation found
+ set_kb_item(name:string("www/", port, "/photopost"),value:string(ver, " under ", dir));
+ if(report_verbosity) {
+ if(dir=="") dir="/";
+ info+=ver + " under " + dir + '\n';
+ }
+ n++;
+ if(!thorough_tests) break;
+ }
+}
- set_kb_item(name: string("www/", port, "/photopost"), value: string(vers," under ",install));
+if(!n) exit(0);
- info = string("None\n\nPhotoPost Version '");
- info += string(vers);
- info += string("' was detected on the remote host in the following directory(s):\n\n");
- info += string(install, "\n");
+if(report_verbosity) {
+ info='\n\n' + "The following version(s) of PhotoPost were detected: " + '\n\n'+info;
+ desc+=info;
+ security_note(port:port, data:desc);
+ exit(0);
+}
- desc = ereg_replace(
- string:desc,
- pattern:"None$",
- replace:info
- );
-
- if(report_verbosity > 0) {
- security_note(port:port,data:desc);
- }
- exit(0);
-
- }
-}
exit(0);
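Review bot: `if(isnull(req)) exit(0);` ends the whole detection on the first directory that returns nothing, whereas the removed code used `continue`. One unanswered path now hides an installation in a later directory, so `if(isnull(req)) continue;` restores the old behaviour. `item` and `ver` are not reset per iteration, so when the version pattern fails in a later directory under `thorough_tests`, `ver=item[2];` reuses the previous directory's version; setting `item = NULL;` at the top of the loop body avoids that. The KB entry is also written before `dir` is normalised to "/", and that normalisation only happens when `report_verbosity` is set, so consumers of `www/<port>/photopost` can see an empty path where the old code stored "/".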
Added: trunk/openvas-plugins/scripts/samba_multiple_vulnerabilities.nasl
===================================================================
--- trunk/openvas-plugins/scripts/samba_multiple_vulnerabilities.nasl 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/scripts/samba_multiple_vulnerabilities.nasl 2009-10-15 18:14:59 UTC (rev 5567)
@@ -0,0 +1,99 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# Samba multiple vulnerabilities
+#
+# Authors:
+# Michael Meyer
+#
+# Copyright:
+# Copyright (c) 2009 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(100306);
+ script_bugtraq_id(36363,36572,36573);
+ script_cve_id("CVE-2009-2813","CVE-2009-2948","CVE-2009-2906");
+ script_version ("1.0-$Revision$");
+
+ script_name("Samba multiple vulnerabilities");
+
+desc = "Overview:
+Samba is prone to multiple vulnerabilities including a vulnerability
+that may allow attackers to bypass certain security restrictions, an
+information-disclosure vulnerability and a remote denial-of-service
+vulnerability.
+
+Successful exploits may allow attackers to gain access to resources
+that aren't supposed to be shared, allow attackers to obtain sensitive
+information that may aid in further attacks and to cause the
+application to consume excessive CPU resources, denying service to
+legitimate users.
+
+Versions prior to Samba 3.4.2, 3.3.8, 3.2.15, and 3.0.37 are
+vulnerable.
+
+Solution:
+Updates are available. Please see the references for more information.
+
+References:
+http://www.securityfocus.com/bid/36363
+http://www.securityfocus.com/bid/36573
+http://www.securityfocus.com/bid/36572
+http://www.samba.org/samba/security/CVE-2009-2813.html
+http://www.samba.org/samba/security/CVE-2009-2948.html
+http://www.samba.org/samba/security/CVE-2009-2906.html
+http://www.samba.org/samba/history/security.html
+http://us1.samba.org/samba/
+
+Risk factor : Medium";
+
+ script_description(desc);
+ script_summary("Determine if Samba is prone to multiple vulnerabilities");
+ script_category(ACT_GATHER_INFO);
+ script_family("General");
+ script_copyright("This script is Copyright (C) 2009 Greenbone Networks GmbH");
+ script_dependencies("smb_nativelanman.nasl");
+ script_require_ports(139, 445);
+ script_require_keys("SMB/NativeLanManager");
+ exit(0);
+}
+
+include("version_func.inc");
+
+port = get_kb_item("SMB/transport");
+if(!port)port = 139;
+
+if(!get_port_state(port))exit(0);
+
+if(!lanman = get_kb_item("SMB/NativeLanManager"))exit(0);
+if("Samba" >!< lanman)exit(0);
+
+if(!version = eregmatch(pattern:"Samba ([0-9.]+)", string: lanman))exit(0);
+if(isnull(version[1]))exit(0);
+
+if(version_in_range(version:version[1], test_version:"3.4", test_version2: "3.4.1") ||
+ version_in_range(version:version[1], test_version:"3.3", test_version2: "3.3.7") ||
+ version_in_range(version:version[1], test_version:"3.2", test_version2: "3.2.14") ||
+ version_in_range(version:version[1], test_version:"3.0", test_version2: "3.0.36"))
+ {
+ security_warning(port:port);
+ exit(0);
+ }
+
+exit(0);
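Review bot: The verdict comes solely from the version captured out of the `SMB/NativeLanManager` string by `Samba ([0-9.]+)`, which drops any vendor suffix. A distribution package that backports the three fixes without changing the upstream version number is therefore still reported as vulnerable. That trade-off is worth stating in the script, for instance with `# Banner-based check: packages with backported fixes are still reported; confirm against the vendor advisory.` above the `version_in_range()` block, and ideally in the description text too so the report reader sees it.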
Property changes on: trunk/openvas-plugins/scripts/samba_multiple_vulnerabilities.nasl
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Modified: trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl
===================================================================
--- trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl 2009-10-15 18:06:59 UTC (rev 5566)
+++ trunk/openvas-plugins/scripts/secpod_ms09-050-remote.nasl 2009-10-15 18:14:59 UTC (rev 5567)
@@ -100,7 +100,11 @@
send(socket: soc, data: data);
resp = smb_recv(socket:soc, length:1024);
-if(ord(resp[5]) == 83 && ord(resp[6]) == 77 && ord(resp[7]) == 66 && ord(resp[8]) == 114)
+# '0xff' -> SMBv1 - Windows XP Profesional, Version 202, SP3
+# '0xff' -> SMBv1 - Samba 3.0.33
+# '0xfe' -> SMBv2 - Windows Server at enterprise (2008), SP
+
+if(ord(resp[4]) == 254 && ord(resp[5]) == 83 && ord(resp[6]) == 77 && ord(resp[7]) == 66 && ord(resp[8]) == 114)
{
security_hole(port);
}
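Review bot: The new condition requires `ord(resp[4]) == 254` together with `ord(resp[8]) == 114`, and those two look mutually exclusive. 114 (0x72) is the SMBv1 negotiate command byte, while in an SMB2 header the bytes after `0xfe 'S' 'M' 'B'` are the StructureSize field (64), as far as the published header layout goes. If that holds, the check can no longer fire and the plugin silently reports nothing on affected hosts, so please verify against a capture of an SMB2 negotiate response and drop or correct the `resp[8]` test. The response is also indexed without a length check; `if(strlen(resp) < 9) exit(0);` before the comparison covers a short or empty reply. The statements that build and send the request are outside this hunk.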