mirror of
https://github.com/projectdiscovery/nuclei.git
synced 2025-12-18 06:35:26 +00:00
f26996cb89
* introducing execution id * wip * . * adding separate execution context id * lint * vet * fixing pg dialers * test ignore * fixing loader FD limit * test * fd fix * wip: remove CloseProcesses() from dev merge * wip: fix merge issue * protocolstate: stop memguarding on last dialer delete * avoid data race in dialers.RawHTTPClient * use shared logger and avoid race conditions * use shared logger and avoid race conditions * go mod * patch executionId into compiled template cache * clean up comment in Parse * go mod update * bump echarts * address merge issues * fix use of gologger * switch cmd/nuclei to options.Logger * address merge issues with go.mod * go vet: address copy of lock with new Copy function * fixing tests * disable speed control * fix nil ExecuterOptions * removing deprecated code * fixing result print * default logger * cli default logger * filter warning from results * fix performance test * hardcoding path * disable upload * refactor(runner): uses `Warning` instead of `Print` for `pdcpUploadErrMsg` Signed-off-by: Dwi Siswanto <git@dw1.io> * Revert "disable upload" This reverts commit 114fbe6663361bf41cf8b2645fd2d57083d53682. * Revert "hardcoding path" This reverts commit cf12ca800e0a0e974bd9fd4826a24e51547f7c00. --------- Signed-off-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Mzack9999 <mzack9999@protonmail.com> Co-authored-by: Dwi Siswanto <git@dw1.io> Co-authored-by: Dwi Siswanto <25837540+dwisiswant0@users.noreply.github.com>
82 lines
2.8 KiB
Go
82 lines
2.8 KiB
Go
package smb
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"errors"
|
|
"fmt"
|
|
"net"
|
|
"strconv"
|
|
"time"
|
|
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/js/libs/structs"
|
|
"github.com/projectdiscovery/nuclei/v3/pkg/protocols/common/protocolstate"
|
|
"github.com/projectdiscovery/utils/reader"
|
|
)
|
|
|
|
const (
|
|
pkt = "\x00\x00\x00\xc0\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$\x00\x08\x00\x01\x00\x00\x00\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00x\x00\x00\x00\x02\x00\x00\x00\x02\x02\x10\x02\"\x02$\x02\x00\x03\x02\x03\x10\x03\x11\x03\x00\x00\x00\x00\x01\x00&\x00\x00\x00\x00\x00\x01\x00 \x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\n\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
|
|
)
|
|
|
|
// DetectSMBGhost tries to detect SMBGhost vulnerability
|
|
// by using SMBv3 compression feature.
|
|
// If the host is vulnerable, it returns true.
|
|
// @example
|
|
// ```javascript
|
|
// const smb = require('nuclei/smb');
|
|
// const isSMBGhost = smb.DetectSMBGhost('acme.com', 445);
|
|
// ```
|
|
func (c *SMBClient) DetectSMBGhost(ctx context.Context, host string, port int) (bool, error) {
|
|
executionId := ctx.Value("executionId").(string)
|
|
return memoizeddetectSMBGhost(executionId, host, port)
|
|
}
|
|
|
|
// @memo
|
|
func detectSMBGhost(executionId string, host string, port int) (bool, error) {
|
|
if !protocolstate.IsHostAllowed(executionId, host) {
|
|
// host is not valid according to network policy
|
|
return false, protocolstate.ErrHostDenied.Msgf(host)
|
|
}
|
|
addr := net.JoinHostPort(host, strconv.Itoa(port))
|
|
dialer := protocolstate.GetDialersWithId(executionId)
|
|
if dialer == nil {
|
|
return false, fmt.Errorf("dialers not initialized for %s", executionId)
|
|
}
|
|
conn, err := dialer.Fastdialer.Dial(context.TODO(), "tcp", addr)
|
|
if err != nil {
|
|
return false, err
|
|
|
|
}
|
|
defer func() {
|
|
_ = conn.Close()
|
|
}()
|
|
|
|
_, err = conn.Write([]byte(pkt))
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
buff, _ := reader.ConnReadNWithTimeout(conn, 4, time.Duration(5)*time.Second)
|
|
args, err := structs.Unpack(">I", buff)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
if len(args) != 1 {
|
|
return false, errors.New("invalid response")
|
|
}
|
|
|
|
length := args[0].(int)
|
|
_ = conn.SetReadDeadline(time.Now().Add(2 * time.Second))
|
|
data, err := reader.ConnReadNWithTimeout(conn, int64(length), time.Duration(5)*time.Second)
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
if len(data) < 72 {
|
|
return false, errors.New("invalid response expected at least 72 bytes")
|
|
}
|
|
|
|
if !bytes.Equal(data[68:70], []byte("\x11\x03")) || !bytes.Equal(data[70:72], []byte("\x02\x00")) {
|
|
return false, nil
|
|
}
|
|
return true, nil
|
|
}
|