---
-- https://shellcode.blog/services
---
--Usage:
--nmap -script LM_check_script.nse -sU -p 19998 <host>
--Output Example:
-- PORT STATE SERVICE REASON
-- 19998/udp open Lazy Mouse script-set
-- | LM_check_script:
-- | VULNERABLE:
-- | Lazy Mouse Remote Code Execution
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2022-45482
-- | Risk factor: High CVSSv3: 9.8 (HIGH) (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
-- | The Lazy Mouse server enforces a vulnerable authentication mechanism allowing remote unauthenticated users to bypass it and execute arbitrary commands.
-- |
-- | Disclosure date: 2022-11-30
-- | References:
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45482
-- Load required Nmap modules
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
-- Script metadata read by Nmap's script engine (NSE): shown by
-- `nmap --script-help` and used for category-based script selection.
description = [[
Lazy Mouse CVE-2022-45481 & CVE-2022-45482 Remote Code Execution Vulnerabilites.
This script looks the existence of CVE-2022-45481 & CVE-2022-45482 based on the server's response.
]]
author = "Mohammed Alshehri"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- "vuln" makes the script run under `--script vuln`; "auth" groups it with
-- authentication-related checks (the reported CVEs concern an auth bypass).
categories = {"auth", "vuln"}
-- Record the service identity on the port once a vulnerable reply is seen.
-- Called only from action() after the response matched one of the markers;
-- it marks the port open and labels it "Lazy Mouse" 2.0.1.
-- NOTE(review): the product version is a fixed label, not parsed from the
-- reply — confirm that is intended.
-- @param host Nmap host table
-- @param port Nmap port table; its state and version fields are updated in place
function set_nmap(host, port)
  local version = port.version
  port.state = "open"
  version.name = "Lazy Mouse"
  version.product = "2.0.1"
  -- Push the version label first, then the open state, as the original did.
  nmap.set_port_version(host, port)
  nmap.set_port_state(host, port, "open")
end
-- Run when the target port is 19998/udp, or when Nmap's version detection
-- has already labelled the service "Lazy Mouse" (port_or_service matches
-- on either condition).
portrule = shortport.port_or_service(19998, "Lazy Mouse", "udp")
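-- Build one vulns table for a Lazy Mouse CVE. Both CVEs share the title,
-- risk factor, CVSSv3 vector and disclosure date; only the CVE id and the
-- description differ, so those are the parameters.
-- @param cve string such as "CVE-2022-45481"
-- @param desc string shown as the report description
-- @return table in the shape vulns.Report:make_output expects, with
--   state initialised to NOT_VULN
local function make_vuln(cve, desc)
  return {
    title = "Lazy Mouse Remote Code Execution",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    scores = {
      CVSSv3 = "9.8 (HIGH) (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
    },
    description = desc,
    IDS = {CVE = cve},
    references = {
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=' .. cve
    },
    dates = {disclosure = {year = '2022', month = '11', day = '30'}}
  }
end

-- Main action function of the script.
-- Sends the 4-byte probe "2:01" to the target over UDP and waits on a
-- second socket, bound to local UDP port 19998, for the server's reply.
-- The reply's content decides which CVE, if any, is reported.
-- @param host Nmap host table
-- @param port Nmap port table (19998/udp)
-- @return report output from vulns.Report:make_output when a vulnerable
--   reply was seen; "Error: 2" when the probe could not be sent; nil on
--   connect/bind failure, on timeout, and when the reply matched neither CVE
action = function(host, port)
  -- 0x32 0x3a 0x30 0x31 is the ASCII text "2:01".
  local detection_code = string.char(0x32, 0x3a, 0x30, 0x31)

  local vuln_45481 = make_vuln("CVE-2022-45481", [[
Remote unauthenticated users can execute arbitrary code with no prior authentication.
]])
  local vuln_45482 = make_vuln("CVE-2022-45482", [[
The Lazy Mouse server enforces a vulnerable authentication mechanism allowing remote unauthenticated users to bypass it and execute arbitrary commands.
]])

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Outbound socket carrying the probe.
  local sock = nmap.new_socket("udp")
  sock:set_timeout(1000)
  local constatus, conerr = sock:connect(host, port, "udp")
  if not constatus then
    stdnse.debug1('Error establishing a UDP connection for %s - %s', host.ip, conerr)
    sock:close()
    return nil
  end

  -- Inbound socket: the reply is expected on local UDP port 19998 rather
  -- than on the probe's source port, hence a separately bound listener.
  -- It is bound before the probe goes out so the reply cannot be missed.
  -- NOTE(review): binding 0.0.0.0 only listens on IPv4 — confirm IPv6
  -- targets are out of scope.
  local sock2 = nmap.new_socket("udp")
  sock2:set_timeout(5000)
  local bindstatus, binderr = sock2:bind("0.0.0.0", 19998)
  if not bindstatus then
    -- Without the listener a silent timeout would be misread as "not vulnerable".
    stdnse.debug1('Error binding local UDP port 19998 for %s - %s', host.ip, binderr)
    sock:close()
    sock2:close()
    return nil
  end

  local sendstatus, senderr = sock:send(detection_code)
  sock:close() -- nothing else is sent on the probe socket
  if not sendstatus then
    -- senderr (not conerr) is the error returned by send().
    stdnse.debug1('Error sending a UDP message for %s - %s', host.ip, senderr)
    sock2:close()
    return "Error: 2"
  end

  local recvstatus, response = sock2:receive()
  sock2:close() -- one datagram is all we read; close on every path below
  if not recvstatus then
    -- On failure the second return value of receive() is the error text
    -- (e.g. "TIMEOUT").
    stdnse.debug1("Good news! The server never replied : )")
    stdnse.debug1("receive() returned: %s", response)
    return nil
  end

  -- The reply is untrusted network data: pass it as a format argument,
  -- never as the format string, and search it with a plain (non-pattern) find.
  stdnse.debug1("response: %s", response)

  -- "2:1" in the reply indicates CVE-2022-45481.
  if response:find("2:1", 1, true) then
    stdnse.debug1("CVE-2022-45481 condition")
    vuln_45481.state = vulns.STATE.VULN
    set_nmap(host, port)
    return vuln_report:make_output(vuln_45481)
  end

  -- "2:4" in the reply indicates CVE-2022-45482.
  if response:find("2:4", 1, true) then
    stdnse.debug1("CVE-2022-45482 condition")
    vuln_45482.state = vulns.STATE.VULN
    set_nmap(host, port)
    return vuln_report:make_output(vuln_45482)
  end

  -- Neither marker present: nothing to report.
  return nil
end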