Add a BackOrifice service probe from Gorjan Petrovski.

2025-12-27 01:49:03 +00:00 · 2011-04-19 02:25:10 +00:00
parent 95bca0d2c7
commit dd22e26f43
2 changed files with 15 additions and 1 deletions
--- a/3
+++ b/3
@@ -1,5 +1,8 @@
 # Nmap Changelog ($Id$); -*-text-*-

+o Added a service probe for BackOrifice contributed by Gorjan
+  Petrovski.
+
 o Added a service probe for Zend Java Bridge, which is vulnerable if
  exposed to an untrusted network. It was contributed by Michael
  Schierl.
--- a/13
+++ b/13
@@ -10009,4 +10009,15 @@ rarity 9
 ports 10001

 match zend-java-bridge m|^\0\0\0\x15\x04\0\0\0\x10java\.lang\.String$|
-###################################################################
+
+##############################NEXT PROBE##############################
+# BackOrifice PING message, no password. The probe is the encryption of
+# "*!*QWTY?\x13\0\0\0\0\0\0\0\x01\0\0". Servers with a password set will
+# not reply.
+# http://web.cip.com.br/flaviovs/boproto.html
+Probe UDP BackOrifice q|\xCE\x63\xD1\xD2\x16\xE7\x13\xCF\x38\xA5\xA5\x86\xB2\x75\x4B\x99\xAA\x32\x58|
+ports 31337
+rarity 9
+
+# Encryption of "*!*QWTY?.........  !PONG!1.20!".
+match BackOrifice m|^\xCE\x63\xD1\xD2\x16\xE7\x13\xCF.........\x12\x78\xC4\xE3\xD6\xA6\x65\x51\x75\x51\xEB\x2A\x3F| p/BackOrifice trojan/ o/Windows/ v/1.20/ i/no password/