Re: [NSE] Shodan exploits database library (and demo script)

[David Fifield <david () bamsoftware com>]

On Fri, Nov 12, 2010 at 12:17:26PM +0100, Gutek wrote:
> A few days ago Shodan has released some libraries (Perl, Python and
> Ruby) to help developpers acces their exploits database [1].
>
> While some functionalities like starting from a given exploit and
> listing vulnerable hosts are useless for Nmap, one of them seemed
> usefull to me: from a given service, listing the know available
> exploits. For example, I've seen a vulscan nse script around which could
> use it.
>
> I've written a little lib, exploitdb.lua. It takes a string as an
> argument, for example a service name and any accuracy infos and returns
> a number of known exploits and a table with the list of published
> exploits with their associated triggering platform.
>
> The Shodan API also allows to download the found exploits but for
> security reasons I don't have implemented this feature.
>
> An API key is mandatory to use this service, so one is hardcoded. The
> usage policy states that if a lot of traffic could be generated from a
> given key, then the developper has to notify Shodan (done, waiting for
> the answer). That's why, while obviously anyone can modify the lib with
> his own key, I've hardcoded a (I hope !) allowed one.
>
> Attached is a simple demo script, a tiny kind-of vulnerability scanner.
> - From a -sV scan, it searches the Shodan database for each identified
> service.
> Sample output :
>
> - -- @output
> - -- PORT   STATE SERVICE REASON  VERSION
> - -- 21/tcp open  ftp     syn-ack ProFTPD
> - -- | demo: Found 16 existing exploits
> - -- | On linux, ProFTPd Local pr_ctrls_connect Vuln - ftpdctl
> - -- | On multiple, ProFTPd with mod_mysql Authentication Bypass
> Vulnerability
> - -- | (snip)
> - -- |_On unix, ProFTPd 1.3.0 mod_ctrls Local Stack Overflow (opensuse)
> - -- 80/tcp open  http    syn-ack Apache httpd
> - -- | demo: Found 2 existing exploits
> - -- | On multiple, Apache HTTPd Arbitrary Long HTTP Headers DoS
> - -- |_On linux, Apache HTTPd Arbitrary Long HTTP Headers DoS (c version)
> - -- Service Info: OS: Unix

This is interesting. I tried it against some web servers but didn't get
any results.

80/tcp    open     http             Apache httpd 2.2.3 ((CentOS))
|_demo: Found 0 existing exploits
80/tcp open     http    Apache httpd 2.2.9 ((Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g)
|_demo: Found 0 existing exploits

I'm not sure about adding this. For one thing, there is the API key
issue. Also it looks like it might be hard to get relevant results. Are
the results for "ProFTPD" and "Apache httpd" because those strings don't
have a version number and are therefore more likely to match? I
understand that your demo.nse was just a demonstration. Maybe there is
another useful task that this library can be put to.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/