Nmap Development mailing list archives

Re: [NSE] Detection of ProFTPD backdoor


From: David Fifield <david () bamsoftware com>
Date: Sun, 12 Dec 2010 15:29:11 -0800

On Sat, Dec 11, 2010 at 09:50:04AM +0100, Michael Meyer wrote:
*** Mak Kolybabi <mak () kolybabi com> wrote:
On 2010-12-08 14:22, Michael Meyer wrote:

NSE: Can't read command response: TIMEOUT

Since it sounds like the error that you're getting is consistently a timeout,
what is the result of changing *only* that value in the script? 

I have to wait longer if the script doesn't work. ;)

The five-second timeout I chose was completely arbitrary.

It seems that for whatever reason sometimes "HELP ACIDBITCHEZ" is not
"accepted" by proftpd. However, I've noticed that your script
always works for me with the following patch.

---------------------------------------------------

--- /tmp/2/nmap/scripts/ftp-proftpd-backdoor.nse        2010-12-08 14:09:07.000000000 +0100
+++ /usr/local/share/nmap/scripts/ftp-proftpd-backdoor.nse      2010-12-11 09:53:12.000000000 +0100
@@ -82,6 +82,9 @@
                return
        end

+       sock:send("help foo\r\n")
+       sock:receive_lines(1)
+
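Review bot: the `sock:receive_lines(1)` after the added `sock:send("help foo\r\n")` only guarantees that at least one line has arrived, and an FTP HELP reply is normally multi-line (a `214-` first line, continuation lines, then a closing `214 ` line), so the remainder of that reply can still be sitting in the socket buffer when the next command goes out; the patch works only because that leftover happens to be consumed harmlessly later. Looping until the closing line with the same three-digit code arrives, as the `read_reply` helper in ftp-anon.nse referenced in this thread does, would make the synchronisation deterministic and would show whether the extra `help foo` round trip is needed at all or whether it is just acting as a delay.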

Does it also work without the sock:send line? It might be that the
server is a little slow to respond and receive_lines(1) is not getting
all the data before sending the escalation string. What about using the
read_reply function from ftp-anon.nse, does that work?

David Fifield
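The problem David describes, reading only one line and then sending the next command while the tail of a multi-line reply is still in flight, is easiest to see with a small RFC 959 reply reader. The following is an added example written for this archive page, not code from Nmap or from ftp-anon.nse; it implements the same idea as the `read_reply` helper David points to, in Python rather than Lua, and runs offline over a constructed byte stream (a greeting followed by a multi-line `214` HELP reply) rather than a live server. The "naive" reader mirrors what `receive_lines(1)` gives you: at least one line, with everything else left buffered.

```python
import re

# Constructed sample of what a server might send back for two commands, as
# one byte stream (not a capture from a real ProFTPD): a single-line 220
# greeting, then a multi-line HELP reply in RFC 959 format, i.e. a "214-"
# first line, indented continuation lines, and a closing "214 " line.
SAMPLE_STREAM = (
    b"220 FTP server ready.\r\n"
    b"214-The following commands are recognized (* =>'s unimplemented):\r\n"
    b" USER PASS ACCT CWD  XCWD CDUP XCUP SMNT* QUIT\r\n"
    b" PORT PASV EPRT EPSV ALLO* RNFR RNTO DELE MDTM\r\n"
    b"214 Direct comments to ftp-admin@ftp.example.\r\n"
)

_FIRST_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")   # code, sep, text
_FINAL_LINE = re.compile(rb"^(\d{3}) (.*)$")        # "code<space>text"


def read_reply(buf):
    """Take one complete FTP reply off the front of buf.

    Returns (code, text_lines, remaining_bytes), or None when the buffer
    does not yet hold a complete reply (the caller should read more and
    retry). A multi-line reply is only complete once a line starting with
    the same three-digit code followed by a space has been seen.
    """
    lines = []
    code = None
    pos = 0
    while True:
        end = buf.find(b"\r\n", pos)
        if end == -1:
            return None                       # incomplete: need more data
        line = buf[pos:end]
        pos = end + 2
        if code is None:
            m = _FIRST_LINE.match(line)
            if not m:
                raise ValueError("malformed reply line: %r" % line)
            code = int(m.group(1))
            lines.append(m.group(3).decode("ascii", "replace"))
            if m.group(2) == b" ":            # single-line reply, done
                return code, lines, buf[pos:]
            continue                          # "-" means more lines follow
        m = _FINAL_LINE.match(line)
        if m and int(m.group(1)) == code:     # closing line of this reply
            lines.append(m.group(2).decode("ascii", "replace"))
            return code, lines, buf[pos:]
        lines.append(line.decode("ascii", "replace"))


def drain_replies(stream):
    """Parse every complete reply in stream; return (replies, leftover)."""
    replies = []
    while stream:
        parsed = read_reply(stream)
        if parsed is None:
            break
        code, lines, stream = parsed
        replies.append((code, lines))
    return replies, stream


def naive_one_line_leftover(buf):
    """What stays buffered if a caller takes just one line, the way a
    receive_lines(1)-style read does, and moves on to the next command."""
    end = buf.find(b"\r\n")
    return buf if end == -1 else buf[end + 2:]


if __name__ == "__main__":
    replies, rest = drain_replies(SAMPLE_STREAM)
    for code, lines in replies:
        print(code, "%d line(s)" % len(lines))
    after_greeting = SAMPLE_STREAM[len(b"220 FTP server ready.\r\n"):]
    print("left after one-line read of HELP reply:",
          len(naive_one_line_leftover(after_greeting)), "bytes")
```

Run directly, the script reports both replies fully consumed, while the one-line read of the HELP reply leaves the three remaining lines buffered; those bytes would be returned as the "response" to whatever command is sent next, which is exactly the kind of misattribution that turns a working detection check into a timeout or a false result.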
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/