Nmap Development mailing list archives

Re: Problem with the ftp-vsftpd-backdoor.nse script (patch)


From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 29 Oct 2014 16:18:13 -0500

Victor,

Thanks for bringing this up. I'm sorry it took so long to get back to
you; in general, you can get a better response by sending questions
and bugs to dev () nmap org, since several different developers monitor
that list.

The bug you brought up came about when the script was converted to use
the vulns library. I spotted a couple other similar issues, and I
think I fixed them. I'm attaching the patch which will apply to the
version in SVN right now
(http://nmap.org/nselib/scripts/ftp-vsftp-backdoor.html). This version
won't work with older Nmap releases because of the use of
stdnse.debug, so I'm attaching a backported version, too.

Please let me know how this works for you!

Dan

On Mon, Oct 13, 2014 at 7:53 PM, Victor Ramos Mello <victornrm () gmail com> wrote:
Hi Daniel,

I was playing with nmap and metasploitable, and I realised that the
ftp-vsftpd-backdoor.nse was not working properly.
The metasploitable distribution comes with a vsftp 2.3.4 backdoor,
and the script was not detecting it.
Looking at the code I saw the problem. In line 157 the script
checks if the vsFTPd backdoor was already triggered:

-------------code------------
  -- check to see if the vsFTPd backdoor was already triggered
  local status, ret = check_backdoor(host, cmd, vsftp_vuln)
  if status then
    return report:make_output(vsftp_vuln)
  end
-------------code------------

The problem was that check_backdoor verifies if the port is open;
if not, it returns finish_ftp with the status true in line 89:

-------------code------------
  local status, ret = socket:connect(host, 6200, "tcp")
  if not status then
    stdnse.debug3("can't connect to tcp port 6200: NOT VULNERABLE")
    vuln.state = vulns.STATE.NOT_VULN
    return finish_ftp(socket, true)
  end
-------------code------------

finish_ftp just returns the status code (in this case true) in line 77.

-------------code------------
local function finish_ftp(socket, status, message)
  if socket then
    socket:close()
  end
  return status, message
end
-------------code------------

Back in lines 157-159, we can see that if the status is true then
the script is finished, not detecting the vulnerability.

I fixed it just by changing the return status to false in line 89;
the patch and fixed version are in the attachments.

Att.

Attachment: ftp-vsftpd-backdoor.nse
Attachment: vsftp.patch
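The bug described in the quoted message, as an added stand-alone example that is not the script from the thread or from Nmap: a re-creation of the check_backdoor/finish_ftp control flow in plain Lua with a stub socket, showing why the status returned for a closed port 6200 must be false so the caller's early return only fires when the backdoor is actually confirmed. STATE, new_stub_socket, run and the "uid=" reply check are assumptions standing in for the nmap socket and vulns libraries; the real script's remaining logic may differ.

```lua
-- Added example, not the script from the thread: re-creation of the
-- check_backdoor / finish_ftp control flow, runnable offline with plain `lua`.
-- Assumption: STATE and the stub socket stand in for the vulns library
-- and nmap.new_socket(); nothing here touches the network.
local STATE = { NOT_VULN = "NOT VULNERABLE", VULN = "VULNERABLE" }

-- Stub socket: connect() succeeds only for ports listed in open_ports.
local function new_stub_socket(open_ports)
  local sock = { closed = false }
  function sock:connect(host, port) return open_ports[port] == true end
  function sock:send(data) return true end
  function sock:receive() return true, "uid=0(root) gid=0(root)" end -- constructed reply
  function sock:close() self.closed = true end
  return sock
end

local function finish_ftp(socket, status, message)
  if socket then socket:close() end
  return status, message
end

-- Fixed version: status is true only when the backdoor was confirmed,
-- so a closed port 6200 no longer short-circuits the caller (the thread's bug).
local function check_backdoor(host, cmd, vuln, open_ports)
  local socket = new_stub_socket(open_ports)
  if not socket:connect(host, 6200, "tcp") then
    vuln.state = STATE.NOT_VULN
    return finish_ftp(socket, false, "port 6200 closed") -- was `true` before the fix
  end
  socket:send(cmd .. "\n")
  local status, data = socket:receive()
  if status and data:match("^uid=") then
    vuln.state = STATE.VULN
    return finish_ftp(socket, true)
  end
  vuln.state = STATE.NOT_VULN
  return finish_ftp(socket, false, "unexpected reply")
end

-- Caller mirrors the script's early-return pattern from lines 157-159:
-- with the fix, a closed port falls through to the rest of the scan.
local function run(open_ports)
  local vuln = { state = nil }
  local status = check_backdoor("target", "id", vuln, open_ports)
  if status then return "reported: " .. vuln.state end
  return "continue scan"
end

assert(run({}) == "continue scan")                     -- closed port: no false report
assert(run({ [6200] = true }) == "reported: VULNERABLE") -- open port answering: reported
print("ok")
```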

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/