Nmap Development mailing list archives

Re: [NSE] Detection of ProFTPD backdoor


From: David Fifield <david () bamsoftware com>
Date: Wed, 29 Dec 2010 13:35:39 -0800

On Sat, Dec 11, 2010 at 09:50:04AM +0100, Michael Meyer wrote:
*** Mak Kolybabi <mak () kolybabi com> wrote:
On 2010-12-08 14:22, Michael Meyer wrote:

NSE: Can't read command response: TIMEOUT

Since it sounds like the error that you're getting is consistently a timeout,
what is the result of changing *only* that value in the script? 

I have to wait longer if the script doesn't work. ;)

The five-second timeout I chose was completely arbitrary.

It seems that for whatever reason sometimes "HELP ACIDBITCHEZ" is not
"accepted" by the proftpd. However, I've noticed that your script
always works for me with the following patch.

---------------------------------------------------

--- /tmp/2/nmap/scripts/ftp-proftpd-backdoor.nse        2010-12-08 14:09:07.000000000 +0100
+++ /usr/local/share/nmap/scripts/ftp-proftpd-backdoor.nse      2010-12-11 09:53:12.000000000 +0100
@@ -82,6 +82,9 @@
                return
        end

+       sock:send("help foo\r\n")
+       sock:receive_lines(1)
+
        -- Send command to escalate privilege.
        status, err = sock:send(CMD_FTP .. "\r\n")
        if not status then
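Review bot: the two added lines ahead of the "-- Send command to escalate privilege." comment discard their results: sock:send("help foo\r\n") ignores the status/err pair that the very next send checks (status, err = sock:send(CMD_FTP .. "\r\n") / if not status then), and sock:receive_lines(1) drops both the reply and any timeout error, so a dead socket is only noticed one command later. Mirror the existing pattern (status, err = sock:send(...) followed by if not status then return end) and add a one-line comment stating that the extra round trip exists to separate the HELP trigger from the command that follows it; without that, an otherwise meaningless "help foo" reads like a leftover debugging line.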

---------------------------------------------------

Thank you for your testing Michael. I could reproduce the false
negatives on a backdoored server on localhost, about 1 in 10 times. I
traced it to the two sends ("HELP ACIDBITCHEZ\r\n" and "id;\r\n") being
sent too closely in succession. It was possible for the ProFTPD process
to receive both before starting the shell. The shell would start, but it
would get no input because "id;\r\n" had already been read.

I made the script attempt to read a response after the initial "HELP"
command. If there is no backdoor, this will return a 502 immediately and
the script can end negatively. If there is a backdoor, it waits for the
timeout of 5 seconds, but by then we can be sure that the shell has been
started.

I moved the read_reply function out of ftp-anon.nse and into a new
library, ftp.lua.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
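The race David describes, as an added stand-alone model that is not Nmap's ftp-proftpd-backdoor.nse or its ftp.lua library: a deterministic stand-in for the daemon's read loop which, on a backdoored instance, hands the shell only data that arrives after the trigger line has been consumed. The naive client writes both lines in one go and gets a false negative; the fixed client reads (or times out) after the HELP before sending its probe, which is the change described in the message above. The SimulatedFtpServer class, the reply strings and the always-lose ordering are constructed assumptions; on a real server the race only bit about 1 in 10 times.

```python
from collections import deque

TRIGGER_CMD = "HELP ACIDBITCHEZ"   # trigger string quoted in the thread
SHELL_CMD = "id;"                  # probe command quoted in the thread
TIMEOUT = object()                 # sentinel: no reply before the timeout


class SimulatedFtpServer:
    """Constructed model of the daemon's command loop (not ProFTPD code).

    Each call to deliver() stands for one recv() on the server side, so
    everything the client wrote in a single send() arrives in one chunk.
    """

    def __init__(self, backdoored):
        self.backdoored = backdoored
        self.in_shell = False

    def deliver(self, chunk):
        """Process one chunk; return the replies it produced (possibly none)."""
        lines = [l for l in chunk.split("\r\n") if l != ""]
        out = []
        if self.in_shell:
            # The shell reads the socket itself: every line is a command.
            for l in lines:
                out.append("uid=0(root) gid=0(root)" if l == SHELL_CMD
                           else "sh: command not found")
            return out
        for l in lines:
            if l.upper() == TRIGGER_CMD and self.backdoored:
                # Shell starts now and reads fresh from the socket. Lines the
                # FTP reader already pulled out of this chunk never reach it.
                self.in_shell = True
                return out
            if l.upper().startswith("HELP"):
                out.append("502 Unknown command 'HELP'.")
            else:
                out.append("500 Invalid command.")
        return out


def naive_probe(server):
    """Racy version: trigger and probe leave in one write."""
    replies = server.deliver(TRIGGER_CMD + "\r\n" + SHELL_CMD + "\r\n")
    return any(r.startswith("uid=") for r in replies)


def fixed_probe(server):
    """Fixed version: wait for the HELP reply before sending the probe.

    A 502 (or any FTP reply) means the daemon handled HELP normally, so we
    stop with a negative result. No reply within the timeout means the
    trigger was swallowed and a shell is now reading the socket.
    """
    replies = server.deliver(TRIGGER_CMD + "\r\n")
    first = replies[0] if replies else TIMEOUT
    if first is not TIMEOUT:
        return False
    replies = server.deliver(SHELL_CMD + "\r\n")
    return any(r.startswith("uid=") for r in replies)


def compare():
    """Run both probes against clean and backdoored models."""
    return {
        "naive/backdoored": naive_probe(SimulatedFtpServer(backdoored=True)),
        "naive/clean": naive_probe(SimulatedFtpServer(backdoored=False)),
        "fixed/backdoored": fixed_probe(SimulatedFtpServer(backdoored=True)),
        "fixed/clean": fixed_probe(SimulatedFtpServer(backdoored=False)),
    }


if __name__ == "__main__":
    for name, hit in compare().items():
        print(f"{name:18s} -> {'backdoor detected' if hit else 'no backdoor'}")
```

The model shows why the timeout itself became the signal: a clean daemon answers HELP at once, so the only case that blocks for the full five seconds is the one where something other than the FTP command loop is now reading the connection.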