Detects Microsoft Windows systems with Ras RPC service vulnerable to MS06-025.
MS06-025 targets the
RasRpcSumbitRequest() RPC method which is
a part of RASRPC interface that serves as a RPC service for configuring and
getting information from the Remote Access and Routing service. RASRPC can be
accessed using either "\ROUTER" SMB pipe or the "\SRVSVC" SMB pipe (usually on Windows XP machines).
This is in RPC world known as "ncan_np" RPC transport.
method is a generic method which provides different functionalities according
RequestBuffer structure and particularly the
RegType field within that
RegType field is of
enum ReqTypes type. This enum type lists all
the different available operation that can be performed using the
RPC method. The one particular operation that this vuln targets is the
request to get device information on the RRAS.
This script was previously part of smb-check-vulns.
smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusernameSee the documentation for the smbauth library.
randomseed, smbbasic, smbport, smbsignSee the documentation for the smb library.
vulns.short, vulns.showallSee the documentation for the vulns library.
nmap --script smb-vuln-ms06-025.nse -p445 <host> nmap -sU --script smb-vuln-ms06-025.nse -p U:137,T:139 <host>
| smb-vuln-ms06-025: | VULNERABLE: | RRAS Memory Corruption vulnerability (MS06-025) | State: VULNERABLE | IDs: CVE:CVE-2006-2370 | A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1 | and SP2, and Server 2003 SP1 and earlier allows remote unauthenticated or authenticated attackers to | execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability." | | Disclosure date: 2006-6-27 | References: | https://technet.microsoft.com/en-us/library/security/ms06-025.aspx |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2370
License: Same as Nmap--See https://nmap.org/book/man-legal.html