From 9db8dfda1dc5ef3f5e24d211feb613dff39d2a75 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Wed, 18 Feb 2015 02:57:29 +0000
Subject: [PATCH] Be more strict about NetBus protocol. Fixes false positives

Had a report via service fingerprint correction of netbus-version reporting an unrelated service as NetBuster. This would happen for any service on port 12345 that responds with a banner containing less than 2 carriage returns, or which closes the connection after the first NetBus protocol message. Now, all netbus-* scripts require the banner to begin with "NetBus" before they will continue.
---
 scripts/netbus-auth-bypass.nse | 6 +++++-
 scripts/netbus-brute.nse | 4 ++++
 scripts/netbus-info.nse | 4 ++++
 scripts/netbus-version.nse | 6 +++++-
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/scripts/netbus-auth-bypass.nse b/scripts/netbus-auth-bypass.nse
index d456ead37..94412a912 100644
--- a/scripts/netbus-auth-bypass.nse
+++ b/scripts/netbus-auth-bypass.nse
@@ -37,7 +37,11 @@ action = function( host, port )
 return
 end
 local buffer, _ = stdnse.make_buffer(socket, "\r")
- buffer() --discard banner
+ _ = buffer()
+ if not (_ and _:match("^NetBus")) then
+ stdnse.debug1("Not NetBus")
+ return nil
+ end
 
 -- The first argument of Password is the super-login bit.
 -- On vulnerable servers any password will do as long as
diff --git a/scripts/netbus-brute.nse b/scripts/netbus-brute.nse
index 045f04d66..20ca594fd 100644
--- a/scripts/netbus-brute.nse
+++ b/scripts/netbus-brute.nse
@@ -35,6 +35,10 @@ action = function( host, port )
 end
 local buffer, err = stdnse.make_buffer(socket, "\r")
 local _ = buffer() --skip the banner
+ if not (_ and _:match("^NetBus")) then
+ stdnse.debug1("Not NetBus")
+ return nil
+ end
 for password in passwords do
 local foo = string.format("Password;0;%s\r", password)
 socket:send(foo)
diff --git a/scripts/netbus-info.nse b/scripts/netbus-info.nse
index e339384e8..5e0376de9 100644
--- a/scripts/netbus-info.nse
+++ b/scripts/netbus-info.nse
@@ -164,6 +164,10 @@ action = function( host, port )
 local status, err = socket:connect(host.ip, port.number)
 local buffer, err = stdnse.make_buffer(socket, "\r")
 local _ = buffer()
+ if not (_ and _:match("^NetBus")) then
+ stdnse.debug1("Not NetBus")
+ return nil
+ end
 socket:send(string.format("Password;1;%s\r", password))
 local gotin = buffer()
 if gotin == "Access;0" then
diff --git a/scripts/netbus-version.nse b/scripts/netbus-version.nse
index 945d72c18..ce72de0fb 100644
--- a/scripts/netbus-version.nse
+++ b/scripts/netbus-version.nse
@@ -30,7 +30,11 @@ action = function( host, port )
 return
 end
 local buffer, _ = stdnse.make_buffer(socket, "\r")
- buffer() --discard banner
+ _ = buffer()
+ if not (_ and _:match("^NetBus")) then
+ stdnse.debug1("Not NetBus")
+ return nil
+ end
 socket:send("Password;0;\r") --NetBus answers to auth
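Review bot: The banner is assigned to `_` on the first added line, the name the context line above already binds to make_buffer's discarded second result, and a name that by convention means "unused" is then matched against; the netbus-version.nse hunk does the same. A named local makes the check read as intended: `local banner = buffer()` and `if not (banner and banner:match("^NetBus")) then`. The new early-return path also exits without `socket:close()`, so the connection stays open on the "Not NetBus" path; a close before `return nil` would release it, and the same applies to the netbus-brute.nse, netbus-info.nse and netbus-version.nse hunks. action's body continues outside the hunk on both sides.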
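Review bot: The comment `--skip the banner` on the context line directly above the new check is now misleading, since the banner is read and inspected rather than skipped. `local banner = buffer() -- must start with "NetBus"` keeps the comment honest and, with `if not (banner and banner:match("^NetBus")) then`, avoids matching against a variable named as unused. action's body continues outside the hunk.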
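Review bot: `status` from `socket:connect` two context lines above is never examined, so when the connection fails buffer() presumably returns nil and the new check reports that as "Not NetBus", which misattributes a connection failure to a protocol mismatch. A guard before make_buffer, `if not status then stdnse.debug1("Connect failed: %s", tostring(err)) return nil end`, keeps the new message accurate. Logging what was actually received also helps when a fingerprint correction comes in: `stdnse.debug1("Not NetBus: %s", tostring(_))`. action starts above the hunk and continues past it.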