Nmap Development mailing list archives
Re: [NSE] Detection of ProFTPD backdoor
From: David Fifield <david () bamsoftware com>
Date: Wed, 29 Dec 2010 13:35:39 -0800
On Sat, Dec 11, 2010 at 09:50:04AM +0100, Michael Meyer wrote:
*** Mak Kolybabi <mak () kolybabi com> wrote:

> On 2010-12-08 14:22, Michael Meyer wrote:
>> NSE: Can't read command response: TIMEOUT
>
> Since it sounds like the error that you're getting is consistently a timeout, what is the result of changing *only* that value in the script?

I have to wait longer if the script doesn't work. ;)

> The five-second timeout I chose was completely arbitrary.

It seems that for whatever reason sometimes "HELP ACIDBITCHEZ" is not "accepted" by the proftpd. However I've noticed that your script always works for me with the following patch.

---------------------------------------------------
--- /tmp/2/nmap/scripts/ftp-proftpd-backdoor.nse 2010-12-08 14:09:07.000000000 +0100 +++ /usr/local/share/nmap/scripts/ftp-proftpd-backdoor.nse 2010-12-11 09:53:12.000000000 +0100 @@ -82,6 +82,9 @@ return end + sock:send("help foo\r\n") + sock:receive_lines(1) + -- Send command to escalate privilege. status, err = sock:send(CMD_FTP .. "\r\n") if not status then
---------------------------------------------------
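Review bot: the two added lines `sock:send("help foo\r\n")` and `sock:receive_lines(1)` discard their return values, while the `sock:send(CMD_FTP .. "\r\n")` right below them checks `status`; a failed send or a timed-out receive here would pass silently and the script would go on as if the delay had happened. The hunk also gives no comment on why an extra dummy HELP round-trip is needed, so a later reader cannot tell it exists only to give the server time to start the shell before the next command arrives. The reply later in the thread points at the cleaner fix: read the response to the first HELP command itself, which yields the 502 on a clean server and the timeout on a backdoored one without the throwaway command.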
Thank you for your testing, Michael. I could reproduce the false negatives on a backdoored server on localhost, about 1 in 10 times. I traced it to the two sends ("HELP ACIDBITCHEZ\r\n" and "id;\r\n") being sent too closely in succession. It was possible for the ProFTPD process to receive both before starting the shell. The shell would start, but it would get no input because "id;\r\n" had already been read.

I made the script attempt to read a response after the initial "HELP" command. If there is no backdoor, this will return a 502 immediately and the script can end negatively. If there is a backdoor, it waits for the timeout of 5 seconds, but by then we can be sure that the shell has been started.

I moved the read_reply function out of ftp-anon.nse and into a new library, ftp.lua.

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
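To make the sequencing David describes concrete, here is an added Python example (not the NSE script and not Nmap project code) that pairs a probe with a constructed mock server over a socketpair: the probe sends the trigger once and waits for the reply before doing anything else, so an immediate 502 classifies the server as clean and a timeout means the shell has started and is blocking on input. The mock server, its banner text and the `run`/`probe` helper names are assumptions made for this demonstration; the follow-up command the real script sends is left out, only the classification step is shown.

```python
import socket
import threading

# Trigger command quoted in the thread; the follow-up command is deliberately
# not sent here, the example only performs the classification step.
TRIGGER = b"HELP ACIDBITCHEZ\r\n"

def mock_ftp_server(conn, backdoored):
    """Constructed stand-in for the server behaviour described in the thread.
    A clean server answers an unknown HELP argument with 502 at once; a
    backdoored one sends nothing and hands the connection to a shell that
    blocks waiting for its next input line."""
    conn.sendall(b"220 mock FTP server ready\r\n")
    reader = conn.makefile("rb")
    while True:
        line = reader.readline()
        if not line:                      # client closed the connection
            break
        if backdoored and line == TRIGGER:
            reader.readline()             # "shell" waits for input, replies nothing
            break
        conn.sendall(b"502 Command not implemented\r\n")
    conn.close()

def probe(conn, timeout=5.0):
    """Send the trigger once and read its reply before sending anything else.
    Returns 'clean' on an immediate 502, 'backdoor' when no reply arrives
    within the timeout (the shell has started and is waiting for input)."""
    conn.settimeout(timeout)
    if not conn.recv(1024).startswith(b"220"):
        return "unknown"
    conn.sendall(TRIGGER)
    try:
        reply = conn.recv(1024)
    except socket.timeout:
        return "backdoor"
    return "clean" if reply.startswith(b"502") else "unknown"

def run(backdoored, timeout=0.5):
    """Pair a probe with the mock server over a socketpair and return the verdict."""
    client, server = socket.socketpair()
    threading.Thread(target=mock_ftp_server, args=(server, backdoored), daemon=True).start()
    try:
        return probe(client, timeout)
    finally:
        client.close()                    # unblocks the mock's pending readline

if __name__ == "__main__":
    print(run(backdoored=False))   # clean
    print(run(backdoored=True))    # backdoor
```

The short timeout in `run` is only to keep the demonstration fast; against a real server the five-second value from the script is the more conservative choice.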