---
-- https://shellcode.blog/services
---
-- Usage:
-- nmap --script Telepad_check_script.nse -p 6142 <host>
--Output Example:
-- PORT STATE SERVICE REASON
-- 6142/tcp open Telepad syn-ack ttl 128
-- | Telepad_check_script:
-- | VULNERABLE:
-- | Telepad Remote Code Execution
-- | State: VULNERABLE
-- | IDs: CVE:CVE-2022-45477
-- | Risk factor: High CVSSv3: 9.8 (HIGH) (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
-- | The vulnerability permits remote users to send instructions to the server with the ability to execute arbitrary code without any prior authorization or authentication.
-- |
-- | Disclosure date: 2022-11-30
-- | References:
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45477
-- Load required Nmap modules
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
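-- NSE metadata read by nmap (--script-help, category selection).
-- The description is the help text users see; it now states what the
-- probe actually does (TCP check on the matched port, UDP probe to 6143).
description = [[
Checks for CVE-2022-45477 in the Telepad service. After confirming the TCP
service port (6142 by default) is open, the script sends a short unauthenticated
UDP probe to port 6143 and reports the host when the target answers it.
]]
author = "Mohammed Alshehri"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- "auth" was a miscategorization: that category is for scripts that deal
-- with credentials, and this script never touches authentication. The UDP
-- probe payload ("1") is not documented here, so its effect on the target
-- cannot be assumed harmless; it is classified "intrusive" rather than
-- "safe". Re-classify only once the probe is known to be side-effect free.
categories = {"vuln", "intrusive"}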
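-- Receive window (seconds) for the UDP probe, from --script-args.
-- The conventional "<script>.timeout" name is accepted alongside the bare
-- script name the original used, so existing invocations keep working:
--   --script-args Telepad_check_script.timeout=5s
--   --script-args Telepad_check_script=5s          (legacy form)
-- Stays nil when neither is given or the value does not parse; action()
-- then derives the window from the nmap timing level.
local TIMEOUT
do
  local named, legacy = stdnse.get_script_args(SCRIPT_NAME .. ".timeout", SCRIPT_NAME)
  TIMEOUT = stdnse.parse_timespec(named or legacy)
end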
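-- Record the matched TCP port as an open Telepad service in nmap's results.
-- Only the product name is recorded: nothing in this script parses a version
-- out of the probe response, so no version number is claimed. (The original
-- wrote "1.0.7" into the product field, which both misused the field and
-- asserted a version the script never observed.)
-- Declared local: it is an internal helper, not part of the NSE interface.
-- @param host nmap host table
-- @param port nmap port table for the matched TCP service
local function set_nmap(host, port)
  port.state = "open"
  port.version.name = "Telepad"
  port.version.product = "Telepad"
  nmap.set_port_version(host, port)
  nmap.set_port_state(host, port, "open")
end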
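-- Confirm with a fresh TCP connect that the target port is reachable.
-- socket:connect returns false (not nil) plus an error string on failure, so
-- the original `status ~= nil` test was always true and every port looked
-- open; the result is now the actual connect status.
-- @param host nmap host table
-- @param port port number, or an nmap port table accepted by socket:connect
-- @return true when the connect succeeds, false otherwise
local function port_scan(host, port)
  local sock = nmap.new_socket()
  local ok, err = sock:connect(host, port, "tcp")
  -- Close before branching so no path leaks the socket.
  sock:close()
  if not ok then
    local pnum = type(port) == "table" and port.number or port
    stdnse.debug1("TCP connect to port %s failed: %s", tostring(pnum), tostring(err))
    return false
  end
  stdnse.debug1("It's open")
  return true
end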
-- Fire on TCP/6142, or on any TCP port nmap has already labelled "Telepad".
portrule = shortport.port_or_service({6142}, {"Telepad"}, "tcp")
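-- Probe the target for CVE-2022-45477 and emit a vulnerability report.
--
-- Flow:
--   1. Re-check that the matched TCP port accepts a connection.
--   2. Send two one-byte datagrams ("1") to UDP/6143.
--   3. Wait up to the configured window for a datagram back from the target.
--
-- What a reply proves: only that something on the host answered an
-- unauthenticated probe on UDP/6143. No instruction is sent and no code
-- execution is observed, so a reply is reported as LIKELY_VULN rather than
-- VULN; confirming the RCE needs a manual follow-up.
--
-- @param host nmap host table
-- @param port nmap port table that matched portrule (TCP/6142 or "Telepad")
-- @return the vulns.Report output when the target answered; nil when the port
--         is closed or nothing answered; a format_output error string when the
--         UDP send itself fails
action = function(host, port)
  -- Use the matched port, not a hard-coded 6142: portrule also fires on any
  -- TCP port nmap has identified as "Telepad".
  if not port_scan(host, port) then
    return nil
  end

  local vuln_45477 = {
    title = "Telepad Remote Code Execution",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    scores = {
      CVSSv3 = "9.8 (HIGH) (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)",
    },
    description = [[
The vulnerability permits remote users to send instructions to the server
with the ability to execute arbitrary code without any prior
authorization or authentication.
]],
    IDS = {CVE = "CVE-2022-45477"},
    references = {
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45477'
    },
    dates = { disclosure = { year = '2022', month = '11', day = '30' } }
  }

  local telepad_udp = { number = 6143, protocol = "udp" }
  local sock = nmap.new_socket("udp")
  sock:set_timeout(500)

  -- Two datagrams because UDP gives no delivery guarantee. "1" is the probe
  -- payload the original author used; its meaning to Telepad is not known
  -- from this file, so it is kept as-is.
  for _ = 1, 2 do
    local sent = sock:sendto(host, telepad_udp, "1")
    if not sent then
      sock:close()  -- the original returned here without closing the socket
      return stdnse.format_output(false, "Failed to send request")
    end
  end

  -- Receive window: explicit --script-args value, else scaled by the -T level.
  -- nmap.clock_ms() has sub-second resolution; os.time() counts whole seconds,
  -- so the original could wait up to a second longer than requested.
  local window_s = TIMEOUT or (3 / (nmap.timing_level() + 1))
  local deadline = nmap.clock_ms() + window_s * 1000

  -- Stop as soon as the target answers (the original comment promised this
  -- but the loop kept spinning until the timeout).
  local answered = false
  repeat
    local ok, data = sock:receive()
    if ok then
      -- Never hand received bytes to stdnse.debug* as the format string: it
      -- runs string.format on its first argument, so a '%' in attacker-
      -- controlled data would raise an error. Hex keeps binary out of the log.
      stdnse.debug1("UDP reply (%d bytes): %s", #data, stdnse.tohex(data))
      local info_ok, _, _, rhost, rport = sock:get_info()
      -- Unconnected UDP socket: check the datagram really came from the target
      -- and not from some other host.
      if info_ok and rhost == host.ip then
        stdnse.debug1("reply from %s:%s", rhost, tostring(rport))
        answered = true
      end
    else
      stdnse.debug1("receive: %s", tostring(data))
    end
  until answered or nmap.clock_ms() > deadline
  sock:close()

  if not answered then
    return nil
  end

  -- A reply shows the service is listening and talks to unauthenticated
  -- clients; the RCE itself was not exercised, hence LIKELY_VULN, not VULN.
  vuln_45477.state = vulns.STATE.LIKELY_VULN
  set_nmap(host, port)
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  return report:make_output(vuln_45477)
end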