Nmap Development mailing list archives
Re: [NSE] Shodan exploits database library (and demo script)
From: Gutek <ange.gutek () gmail com>
Date: Tue, 23 Nov 2010 06:39:04 +0100
On 23/11/2010 04:53, David Fifield wrote:
> On Fri, Nov 12, 2010 at 12:17:26PM +0100, Gutek wrote:
>> A few days ago Shodan released some libraries (Perl, Python and Ruby) to help developers access their exploits database [1]. While some functionalities, like starting from a given exploit and listing vulnerable hosts, are useless for Nmap, one of them seemed useful to me: from a given service, listing the known available exploits. For example, I've seen a vulscan NSE script around which could use it.
>>
>> I've written a little lib, exploitdb.lua. It takes a string as an argument, for example a service name and any accuracy info, and returns the number of known exploits and a table with the list of published exploits with their associated triggering platform. The Shodan API also allows downloading the found exploits, but for security reasons I haven't implemented this feature.
>>
>> An API key is mandatory to use this service, so one is hardcoded. The usage policy states that if a lot of traffic could be generated from a given key, then the developer has to notify Shodan (done, waiting for the answer). That's why, while obviously anyone can modify the lib with his own key, I've hardcoded a (I hope!) allowed one.
>>
>> Attached is a simple demo script, a tiny kind-of vulnerability scanner. From a -sV scan, it searches the Shodan database for each identified service. Sample output:
>>
>> -- @output
>> -- PORT   STATE SERVICE REASON  VERSION
>> -- 21/tcp open  ftp     syn-ack ProFTPD
>> -- | demo: Found 16 existing exploits
>> -- | On linux, ProFTPd Local pr_ctrls_connect Vuln - ftpdctl
>> -- | On multiple, ProFTPd with mod_mysql Authentication Bypass Vulnerability
>> -- | (snip)
>> -- |_On unix, ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
>> -- 80/tcp open  http    syn-ack Apache httpd
>> -- | demo: Found 2 existing exploits
>> -- | On multiple, Apache HTTPd Arbitrary Long HTTP Headers DoS
>> -- |_On linux, Apache HTTPd Arbitrary Long HTTP Headers DoS (c version)
>> -- Service Info: OS: Unix
>
> This is interesting. I tried it against some web servers but didn't get any results.
>
> 80/tcp open  http    Apache httpd 2.2.3 ((CentOS))
> |_demo: Found 0 existing exploits
> 80/tcp open  http    Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g)
> |_demo: Found 0 existing exploits
>
> I'm not sure about adding this. For one thing, there is the API key issue. Also it looks like it might be hard to get relevant results. Are the results for "ProFTPD" and "Apache httpd" because those strings don't have a version number and are therefore more likely to match? I understand that your demo.nse was just a demonstration. Maybe there is another useful task that this library can be put to.
>
> David Fifield
You are right, this lack of results in many cases is just because the demo script is very (too) simple in the way it selects and builds the keywords. As an example, it just takes Apache%20httpd%202.2.3 as a query string, which returns no results "as is" from the database. But if you query this database with, say, Apache%202.2.3, then you'll get the Apache 2.2.3 remote overflow PoC:

http://www.shodanhq.com/api/exploitdb/search?q=apache%202.2.3&key=swJrypW7yGaT6HxdZxGLLNlIxi5CTVLe

So yes, it's just a matter of how clever the script is.

About the API key, I'm happy to say that it now has an agreement from Shodan:

"Thank you for notifying me about your usage, and it sounds like an awesome idea! Let me know if you have any suggestions on improving the API.
Best,
-John <jmath(4t)surtri.com>"

A.G.
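As an added example, not code from the thread or from exploitdb.lua, here is the keyword-selection step the reply describes, in plain Lua: it drops generic tokens such as "httpd" from the Nmap product string and tries the most specific query first, which is the difference between the Apache%20httpd%202.2.3 (no hits) and Apache%202.2.3 (one hit) queries above. The noise-word list, the candidate ordering, the helper names and the YOUR_KEY_HERE placeholder are assumptions; the endpoint URL is the one quoted in the reply, and the HTTP request itself would be made with NSE's http library inside a script rather than here.

```lua
-- Added example (not part of the original post or of exploitdb.lua):
-- derive search keywords for the Shodan exploit database from Nmap -sV
-- product/version fields. Queries are tried most-specific first, and
-- generic tokens such as "httpd" are dropped.

local ENDPOINT = "http://www.shodanhq.com/api/exploitdb/search"  -- from the thread
local API_KEY = "YOUR_KEY_HERE"  -- placeholder: supply your own key

-- Tokens that add nothing to an exploit search (assumed list, extend as needed).
local NOISE = { httpd = true, daemon = true, server = true }

-- Percent-encode a query value, keeping RFC 3986 unreserved characters.
local function urlencode(s)
  return (s:gsub("[^%w%-%._~]", function(c)
    return string.format("%%%02X", string.byte(c))
  end))
end

-- Build candidate queries from product and version, ordered from most
-- specific ("Apache 2.2.3") to least specific ("Apache"), without duplicates.
local function candidates(product, version)
  local words = {}
  for w in (product or ""):gmatch("%S+") do
    if not NOISE[w:lower()] then words[#words + 1] = w end
  end
  local base = table.concat(words, " ")
  local list, seen = {}, {}
  local function add(q)
    if q ~= "" and not seen[q] then
      seen[q] = true
      list[#list + 1] = q
    end
  end
  if version and version ~= "" then
    add(base .. " " .. version)                               -- "Apache 2.2.3"
    local major_minor = version:match("^(%d+%.%d+)")
    if major_minor then add(base .. " " .. major_minor) end   -- "Apache 2.2"
  end
  add(base)                                                   -- "Apache"
  return list
end

-- Full request URL for one query; an NSE script would hand this to the
-- http library and parse the JSON answer (not shown here).
local function search_url(query)
  return ENDPOINT .. "?q=" .. urlencode(query) .. "&key=" .. urlencode(API_KEY)
end

-- Demonstration with the two services discussed in the thread.
for _, svc in ipairs({ { "Apache httpd", "2.2.3" }, { "ProFTPD", nil } }) do
  for _, q in ipairs(candidates(svc[1], svc[2])) do
    print(q, search_url(q))
  end
end
```

Stopping at the first query that returns hits keeps the request count per key low, which matters given the usage policy mentioned earlier in the thread; the fallback to a bare product name is what produced the "ProFTPD" and "Apache httpd" results in the original sample output.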