Nmap Development mailing list archives
Re: [NSE] New script: qnx-qconn.nse
From: Brendan Coles <bcoles () gmail com>
Date: Sun, 28 Jul 2013 20:09:37 +1000
Better late than never. I've implemented all suggested changes. Revised script attached.

Example output:

PORT     STATE SERVICE VERSION
8000/tcp open  qconn   qconn remote IDE support
| qnx-qconn:
|   VULNERABLE:
|   The QNX QCONN daemon allows remote command execution.
|     State: VULNERABLE
|     Risk factor: High
|     Description:
|       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
|       system commands as the 'root' user.
|
|     References:
|       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
|_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec

On Mon, Oct 8, 2012 at 2:16 AM, Paulino Calderon <paulino () calderonpale com> wrote:
On 07/10/2012 08:01 a.m., Henri Doreau wrote:
2012/10/7 Brendan Coles <bcoles () gmail com>:
Hi nmap-dev,

Attached is qnx-qconn.nse which attempts to identify whether a listening QNX QCONN daemon is vulnerable to command execution.

It has been tested on:
* QNX Neutrino 6.5.0
* QNX Neutrino 6.5.0 SP1

Example output:

PORT     STATE SERVICE REASON  VERSION
8000/tcp open  qconn   syn-ack qconn remote IDE support
| qnx-qconn:
|   Version: QNX localhost 6.5.0 2012/06/20-13:50:50EDT x86pc x86
|
|   Vulnerable to command execution vulnerability:
|_  http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec

Feedback and suggestions are welcomed.

--
Brendan Coles
http://itsecuritysolutions.org/

Hello,

thanks for the script. I have a couple suggestions beside Patrik's ones:
- Adding the 'vuln' category
- Using the vulns library for reporting
- Use stdnse.parse_timespec() when parsing timeout specification from --script-args.

Also, unless I miss something, the tonumber() statements have no effect. I don't think this function modifies its argument in-place.

Regards
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/

It would be great if there was an argument to run other commands too.

Cheers.
--
Brendan Coles
http://itsecuritysolutions.org/
Attachment:
qnx-qconn.nse
Description:
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
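The review points raised in this thread (the 'vuln' category, reporting through the vulns library, stdnse.parse_timespec() for the --script-args timeout, and tonumber() returning a value rather than changing its argument) in the shape of an NSE script. This is an added illustration, not the attached qnx-qconn.nse or any script in the Nmap tree. The argument name qnx-qconn.timeout, the "QCONN" banner match and the decision to report LIKELY_VULN when that banner is reachable without authentication are assumptions of this example; the command-execution exchange the real script performs is not shown on this page and is not reproduced here.

```lua
-- Added example, not the attached qnx-qconn.nse. Names marked "assumed"
-- are this example's own choices.
local nmap      = require "nmap"
local shortport = require "shortport"
local stdnse    = require "stdnse"
local vulns     = require "vulns"

description = [[
Connects to a QNX qconn service, reads its banner and reports the result
through the vulns library. The command-execution exchange of the real
script is not part of this example.
]]

author = "example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
-- Review point: scripts that report vulnerabilities belong in the 'vuln' category.
categories = {"intrusive", "vuln"}

portrule = shortport.port_or_service(8000, "qconn")

-- Review point: tonumber(x) returns a converted copy; a bare "tonumber(x)"
-- statement does nothing, the result must be assigned ("x = tonumber(x)").
-- Here the conversion is delegated to stdnse.parse_timespec instead, which
-- also accepts suffixed values such as "5s", "2m" or "500ms".
local function read_args()
  -- assumed argument name: qnx-qconn.timeout (default 5 seconds)
  local spec = stdnse.get_script_args(SCRIPT_NAME .. ".timeout") or "5s"
  local secs, err = stdnse.parse_timespec(spec)
  if not secs then
    return nil, ("bad timeout %q: %s"):format(spec, err)
  end
  -- parse_timespec returns seconds; nmap sockets take milliseconds
  return { timeout_ms = secs * 1000 }
end

-- Connect with the parsed timeout and return the first line the service sends.
local function read_banner(host, port, timeout_ms)
  local sock = nmap.new_socket()
  sock:set_timeout(timeout_ms)
  local ok, err = sock:connect(host, port)
  if not ok then
    return nil, err
  end
  local status, data = sock:receive_lines(1)
  sock:close()
  if not status then
    return nil, data
  end
  return data
end

action = function(host, port)
  local args, err = read_args()
  if not args then
    return stdnse.format_output(false, err)
  end

  local banner, berr = read_banner(host, port, args.timeout_ms)
  if not banner then
    return stdnse.format_output(false, berr)
  end

  -- Review point: build the result with the vulns library so the output has
  -- the standard State / Risk factor / Description / References layout.
  local vuln = {
    title = "The QNX QCONN daemon allows remote command execution.",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
system commands as the 'root' user.]],
    references = {
      "http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos",
      "http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec",
    },
  }

  -- Assumption of this example: an unauthenticated qconn banner is reported
  -- as LIKELY_VULN. The real script confirms by executing a command, which
  -- is not reproduced here.
  if banner:match("QCONN") then
    vuln.state = vulns.STATE.LIKELY_VULN
    vuln.extra_info = "banner: " .. banner:gsub("%s+$", "")
  end

  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  return report:make_output(vuln)
end
```

Run as `nmap -p 8000 --script qnx-qconn --script-args qnx-qconn.timeout=2s <target>` (assuming the file is saved under that script name). A timeout given without a suffix, such as `timeout=2`, is accepted by parse_timespec as seconds; a malformed one is reported as a script error instead of silently falling back to a string value.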
Current thread:
- Re: [NSE] New script: qnx-qconn.nse Brendan Coles (Jul 28)
- Re: [NSE] New script: qnx-qconn.nse David Fifield (Aug 08)