Nmap Development mailing list archives
Re: Problem with the ftp-vsftpd-backdoor.nse script(patch)
From: Daniel Miller <bonsaiviking () gmail com>
Date: Wed, 29 Oct 2014 16:18:13 -0500
Victor,

Thanks for bringing this up. I'm sorry it took so long to get back to you; in general, you can get a better response by sending questions and bugs to dev () nmap org, since several different developers monitor that list.

The bug you brought up came about when the script was converted to use the vulns library. I spotted a couple other similar issues, and I think I fixed them. I'm attaching the patch which will apply to the version in SVN right now (http://nmap.org/nselib/scripts/ftp-vsftp-backdoor.html). This version won't work with older Nmap releases because of the use of stdnse.debug, so I'm attaching a backported version, too.

Please let me know how this works for you!

Dan

On Mon, Oct 13, 2014 at 7:53 PM, Victor Ramos Mello <victornrm () gmail com> wrote:
Hi Daniel,

I was playing with nmap and metasploitable, and I realised that the ftp-vsftpd-backdoor.nse was not working properly. The metasploitable distribution comes with a vsftp 2.3.4 backdoor, and the script was not detecting it. Looking at the code I saw the problem.

In line 157 the script checks if the vsFTPd backdoor was already triggered:

-------------code------------
-- check to see if the vsFTPd backdoor was already triggered
local status, ret = check_backdoor(host, cmd, vsftp_vuln)
if status then
  return report:make_output(vsftp_vuln)
end
-------------code------------

The problem was that the check_backdoor verifies if the port is open; if not, then it returns the finish_ftp with the status true in line 89:

-------------code------------
local status, ret = socket:connect(host, 6200, "tcp")
if not status then
  stdnse.debug3("can't connect to tcp port 6200: NOT VULNERABLE")
  vuln.state = vulns.STATE.NOT_VULN
  return finish_ftp(socket, true)
end
-------------code------------

The finish_ftp just returns the status code (in this case true) in line 77.

-------------code------------
local function finish_ftp(socket, status, message)
  if socket then
    socket:close()
  end
  return status, message
end
-------------code------------

Back to lines 157-159, we can see that if the status is true then the script is finished, not detecting the vulnerability.

I fixed it just by changing the return status to false in line 89; the patch and fixed version are in the attachments.

Att.
Attachment: ftp-vsftpd-backdoor.nse
Attachment: vsftp.patch
_______________________________________________ Sent through the dev mailing list http://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
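
The early-return path described in the quoted report, modelled as an added example that is not part of the original thread or of the Nmap script. The socket and state table are stubs rather than the NSE libraries, and `new_socket`, `action`, the `closed_status` parameter and the `PORT_OPEN` label are hypothetical names introduced for illustration.

```lua
-- Added example: stand-alone model of the pre-check discussed in the thread.
-- Nothing here talks to the network; the socket is a stub.
local STATE = {
  NOT_VULN = "NOT_VULN",
  PORT_OPEN = "PORT_OPEN", -- constructed label, not a vulns library state
}

-- Stub socket: connect() succeeds only for ports listed in open_ports.
local function new_socket(open_ports)
  return {
    connect = function(self, host, port)
      if open_ports[port] then return true end
      return false, "connection refused"
    end,
    close = function() end,
  }
end

local function finish_ftp(socket, status, message)
  if socket then socket:close() end
  return status, message
end

-- closed_status is what gets returned when port 6200 is closed:
-- true models the reported behaviour, false models the fix from the thread.
local function check_backdoor(open_ports, vuln, closed_status)
  local socket = new_socket(open_ports)
  local status = socket:connect("target", 6200, "tcp")
  if not status then
    vuln.state = STATE.NOT_VULN
    return finish_ftp(socket, closed_status)
  end
  vuln.state = STATE.PORT_OPEN
  return finish_ftp(socket, true)
end

-- Caller: a true status ends the run before the rest of the script executes.
local function action(open_ports, closed_status)
  local vuln = {}
  local status = check_backdoor(open_ports, vuln, closed_status)
  if status then
    return "ended early with state " .. vuln.state
  end
  return "pre-check negative, rest of the script runs"
end

print("port closed, status true : " .. action({}, true))
print("port closed, status false: " .. action({}, false))
print("port open                : " .. action({ [6200] = true }, false))
```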