Nmap Development mailing list archives

[NSE] Shodan exploits database library (and demo script)


From: Gutek <ange.gutek () gmail com>
Date: Fri, 12 Nov 2010 12:17:26 +0100


A few days ago Shodan released some libraries (Perl, Python and
Ruby) to help developers access their exploits database [1].

While some functionalities like starting from a given exploit and
listing vulnerable hosts are useless for Nmap, one of them seemed
useful to me: from a given service, listing the known available
exploits. For example, I've seen a vulscan nse script around which could
use it.

I've written a little lib, exploitdb.lua. It takes a string as an
argument, for example a service name and any accuracy info, and returns
a number of known exploits and a table with the list of published
exploits with their associated triggering platform.

The Shodan API also allows downloading the found exploits, but for
security reasons I have not implemented this feature.

An API key is mandatory to use this service, so one is hardcoded. The
usage policy states that if a lot of traffic could be generated from a
given key, then the developer has to notify Shodan (done, waiting for
the answer). That's why, while obviously anyone can modify the lib with
his own key, I've hardcoded a (I hope!) allowed one.

Attached is a simple demo script, a tiny kind-of vulnerability scanner.
From a -sV scan, it searches the Shodan database for each identified
service.
Sample output:

-- @output
-- PORT   STATE SERVICE REASON  VERSION
-- 21/tcp open  ftp     syn-ack ProFTPD
-- | demo: Found 16 existing exploits
-- | On linux, ProFTPd Local pr_ctrls_connect Vuln - ftpdctl
-- | On multiple, ProFTPd with mod_mysql Authentication Bypass Vulnerability
-- | (snip)
-- |_On unix, ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
-- 80/tcp open  http    syn-ack Apache httpd
-- | demo: Found 2 existing exploits
-- | On multiple, Apache HTTPd Arbitrary Long HTTP Headers DoS
-- |_On linux, Apache HTTPd Arbitrary Long HTTP Headers DoS (c version)
-- Service Info: OS: Unix

Regards,

A.G.
[1] http://docs.shodanhq.com/

Attachment: demo.nse
Attachment: exploitdb.lua