mirror of https://github.com/nmap/nmap.git synced 2026-01-02 12:59:02 +00:00

o [NSE] Updated ftp-vsftpd-backdoor documentation since CVE-2011-2523 was just

assigned to this backdoor.
  Added a final 'exit' command to terminate the remote '/bin/sh', however I don't
  think that this is necessary since the backdoor was very simple: it did not
  fork(), and closing the stdin of the '/bin/sh' will terminate it.
djalal
2011-07-11 19:28:02 +00:00
parent c098d5e679
commit bd78274b20


@@ -1,13 +1,14 @@
description = [[
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04. This
script attempts to exploit the backdoor using the innocuous <code>id</code>
command by default, but that can be changed with the
<code>exploit.cmd</code> or <code>ftp-vsftpd-backdoor.cmd</code> script
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04
(CVE-2011-2523). This script attempts to exploit the backdoor using the
innocuous <code>id</code> command by default, but that can be changed with
the <code>exploit.cmd</code> or <code>ftp-vsftpd-backdoor.cmd</code> script
arguments.
References:
* http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
* https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
* http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523
]]
---
@@ -21,7 +22,7 @@ References:
-- PORT STATE SERVICE
-- 21/tcp open ftp
-- | ftp-vsftpd-backdoor:
-- | This installation has been backdoored: VULNERABLE
-- | This installation has been backdoored (CVE-2011-2523): VULNERABLE
-- | Shell command: id
-- |_ Results: uid=0(root) gid=0(root) groups=0(root)
@@ -97,6 +98,8 @@ local function check_backdoor(host, shell_cmd)
string.format("failed to read shell commands results: %s",
ret))
end
else
socket:send("exit\n");
end
end
@@ -109,7 +112,7 @@ action = function(host, port)
stdnse.get_script_args("exploit.cmd") or CMD_SHELL_ID
local results = {
"This installation has been backdoored: VULNERABLE",
"This installation has been backdoored (CVE-2011-2523): VULNERABLE",
" Shell command: " .. cmd,
}
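Review bot: The added `socket:send("exit\n");` in check_backdoor discards the send status and has no comment, so a reader cannot tell that it is best-effort cleanup of the remote `/bin/sh` and not part of the detection logic. I would write it as `socket:send("exit\n") -- best-effort: terminate the remote shell, result deliberately ignored`, and drop the trailing semicolon unless the file uses them elsewhere. The exit is sent only on this `else` path; the branch just above, which reports "failed to read shell commands results", appears to return without it, so on that path the shell on the scanned host ends only when the socket is closed. The condition this `else` belongs to and the rest of check_backdoor are outside the hunk, so please confirm that every return path closes the socket and a scan never leaves the shell running on the target.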