From 93c0ae4f44909ec4d20d0efb671550f541ae4f3b Mon Sep 17 00:00:00 2001 From: fyodor Date: Wed, 28 Dec 2011 00:57:48 +0000 Subject: [PATCH] Add new telnet-encryption script --- CHANGELOG | 6 +++ scripts/script.db | 1 + scripts/telnet-encryption.nse | 93 +++++++++++++++++++++++++++++++++++ 3 files changed, 100 insertions(+) create mode 100644 scripts/telnet-encryption.nse diff --git a/CHANGELOG b/CHANGELOG index be2c52f40..3a29735a2 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,11 @@ # Nmap Changelog ($Id$); -*-text-*- +o [NSE] Added a telnet-encryption script which detects if a remote + telnet server supports the (weak) encryption option. This is + particularly interesting due to a remotely exploitable root + vulnerability just discovered in FreeBSD's telnetd + (FreeBSD-SA-11:08.telnetd). [Patrik, David, Fyodor] + o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request to query dhcp servers instead of DHCPDISCOVER. Cleaned up some code in the DHCP library. [Patrik] diff --git a/scripts/script.db b/scripts/script.db index 57c45747f..70d19c94d 100644 --- a/scripts/script.db +++ b/scripts/script.db @@ -281,6 +281,7 @@ Entry { filename = "targets-ipv6-multicast-slaac.nse", categories = { "broadcast Entry { filename = "targets-sniffer.nse", categories = { "broadcast", "discovery", "safe", } } Entry { filename = "targets-traceroute.nse", categories = { "discovery", "safe", } } Entry { filename = "telnet-brute.nse", categories = { "brute", "intrusive", } } +Entry { filename = "telnet-encryption.nse", categories = { "discovery", "safe", } } Entry { filename = "tftp-enum.nse", categories = { "discovery", "intrusive", } } Entry { filename = "unusual-port.nse", categories = { "safe", } } Entry { filename = "upnp-info.nse", categories = { "default", "discovery", "safe", } } diff --git a/scripts/telnet-encryption.nse b/scripts/telnet-encryption.nse new file mode 100644 index 000000000..a78bd12e6 --- /dev/null +++ b/scripts/telnet-encryption.nse 
@@ -0,0 +1,93 @@ +description = [[ +Determines whether the encryption option is supported on a remote telnet server. Some systems (at least FreeBSD) implement this option incorrectly, leading to a remote root vulnerability (FreeBSD-SA-11:08.telnetd). This script currently only tests whether encryption is supported, not for that particular vulnerability. + +References: +* FreeBSD Advisory: http://lists.freebsd.org/pipermail/freebsd-announce/2011-December/001398.html +* FreeBSD Exploit: http://www.exploit-db.com/exploits/18280/ +]] + +--- +-- @usage +-- nmap -p 23 --script telnet-encryption +-- +-- @output +-- PORT STATE SERVICE REASON +-- 23/tcp open telnet syn-ack +-- | telnet-encryption: +-- |_ Telnet server supports encryption +-- +-- + +categories = {"safe", "discovery"} + +require 'shortport' + +portrule = shortport.port_or_service(23, 'telnet') + +author = "Patrik Karlsson, David Fifield, Fyodor" + +local COMMAND = { + SubCommand = 0xFA, + Will = 0xFB, + Do = 0xFD, + Dont = 0xFE, + Wont = 0xFC, +} + +local function processOptions(data) + local pos = 1 + local result = {} + while ( pos < #data ) do + local iac, cmd, option + pos, iac, cmd = bin.unpack("CC", data, pos) + if ( 0xFF ~= iac ) then + break + end + if ( COMMAND.SubCommand == cmd ) then + repeat + pos, iac = bin.unpack("C", data, pos) + until( pos == #data or 0xFF == iac ) + pos, cmd = bin.unpack("C", data, pos) + if ( not(cmd) == 0xF0 ) then + return false, "Failed to parse options" + end + else + pos, option = bin.unpack("H", data, pos) + result[option] = result[option] or {} + table.insert(result[option], cmd) + end + end + return true, { done=( not(#data == pos - 1) ), cmds = result } +end + +action = function(host, port) + + local socket = nmap.new_socket() + local status = socket:connect(host, port) + local data = bin.pack("H", "FFFD26FFFB26") + local result + + socket:set_timeout(5000) + status, result = socket:send(data) + if ( not(status) ) then + return ("\n ERROR: Failed to send packet: 
%s"):format(result) + end + + repeat + status, data = socket:receive() + if ( not(status) ) then + return ("\n ERROR: Receiving packet: %s"):format(data) + end + status, result = processOptions(data) + if ( not(status) ) then + return "\n ERROR: Failed to process telnet options" + end + until( result.done or result.cmds['26'] ) + + for _, cmd in ipairs(result.cmds['26'] or {}) do + if ( COMMAND.Will == cmd or COMMAND.Do == cmd ) then + return "\n Telnet server supports encryption" + end + end + return "\n Telnet server does not support encryption" +end \ No newline at end of file
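Review bot: The subnegotiation-end check in processOptions, `if ( not(cmd) == 0xF0 ) then`, can never fire: `not(cmd)` evaluates to a boolean, so comparing it with 0xF0 is always false and a truncated or malformed IAC SB sequence is accepted instead of returning "Failed to parse options"; it should read `if ( cmd ~= 0xF0 ) then`. The `until( pos == #data or 0xFF == iac )` scan also stops at the first 0xFF inside the suboption data, so a doubled IAC IAC escape (RFC 855) would be mistaken for the terminator; a comment noting this limitation, or an explicit skip of the second 0xFF, would help. In action the socket is never closed on any return path and the status returned by `socket:connect(host, port)` is discarded, so a refused connection surfaces only as a send failure; check that status and call `socket:close()` before each return. The script calls `bin.pack`/`bin.unpack` without a `require 'bin'`, which only works if the NSE runtime pre-loads that library; adding the require next to `require 'shortport'` makes the dependency explicit.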