- --- Checks if a Microsoft FTP server allows anonymous logins + MKDIR
- --- If yes, could be vulnerable to the following exploit:
- --- http://seclists.org/fulldisclosure/2009/Aug/0443.html
- -- @output
- -- |_ FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
- --
- -- @args ftpuser Alternate user to initiate the FTP session
- -- ftppass Alternate password to initiate the FTP session
- -- If no arguments are passed, anonymous FTP session is probed
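-- Script metadata read by the NSE loader.
id = "IIS FTP"
-- Fixed typo in the product name ("ISS" -> "IIS") so the description matches
-- the service the script actually probes.
description = "Checks to see if a Microsoft IIS FTP server allows anonymous logins and MKDIR (based on anonftp.nse by Eddie Bell <ejlbell@gmail.com>)"
author = "Xavier Mertens <xavier@rooshell.be>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- NOTE(review): the action creates (and then tries to remove) a directory on
-- the scanned server. Listing a script that writes to the target under
-- "default" means it runs on every default script scan; confirm that is
-- intended before deploying, or run it only when selected explicitly.
categories = {"default", "auth", "intrusive"}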
- require "shortport"
- local stdnse = require "stdnse"
- ---
- -- portrule = shortport.port_or_service(21, "ftp")
portrule = function(host, port)
  -- Run only against port 21, and only when the scan reported it as open or
  -- possibly open. The port's protocol is not checked here.
  local reachable = port.state == "open" or port.state == "open|filtered"
  return port.number == 21 and reachable
end
- ---
- -- Connects to the ftp server and checks if the server allows
- -- anonymous logins or any credentials passed as arguments
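action = function(host, port)
  -- Logs in to the FTP service (anonymously, or with the ftpuser/ftppass
  -- script arguments when both are non-empty strings), confirms from the STAT
  -- reply that the server identifies as Microsoft FTP Service, and then checks
  -- whether the session may create a directory. The test directory is removed
  -- again and the removal is verified.
  --
  -- Returns the finding string when directory creation succeeded, nil otherwise.
  --
  -- Fixes relative to the earlier revision:
  --   * nmap.new_try() now receives the handler itself. Previously it was
  --     given the result of calling the handler, which closed the socket
  --     before connect and registered no cleanup at all.
  --   * The verdict is a local. It used to be a global, so one positive host
  --     marked every host scanned afterwards as vulnerable.
  --   * "-" is a Lua pattern quantifier; the unescaped "211-Microsoft" pattern
  --     could never match the literal reply, so it is now escaped as "%-".
  --   * The wire commands are the RFC 959 verbs STAT and RMD. "RSTATUS" and
  --     "RMDIR" are FTP *client* command names; sending them meant the status
  --     banner was never requested and the test directory was left behind on
  --     the audited server.
  --   * Replies are matched line by line, because one read may return several
  --     reply lines (banner, 331 and 230 can arrive together).
  local socket = nmap.new_socket()

  local function err_catch()
    socket:close()
  end
  local try = nmap.new_try(err_catch)

  -- Reads replies until a line matches `pattern`. Returns false as soon as
  -- the receive fails (timeout, EOF), so a silent server ends the probe.
  local function wait_for(pattern)
    while true do
      local status, data = socket:receive_lines(1)
      if not status then
        return false
      end
      for line in string.gmatch(data, "[^\r\n]+") do
        if string.match(line, pattern) then
          return true
        end
      end
    end
  end

  socket:set_timeout(5000)
  try(socket:connect(host.ip, port.number, port.protocol))

  -- The credentials come from the operator's script arguments and are sent
  -- verbatim; they are not checked for embedded CR/LF.
  local args = nmap.registry.args
  local user, pass = args.ftpuser, args.ftppass
  if type(user) == "string" and user ~= "" and
     type(pass) == "string" and pass ~= "" then
    try(socket:send("USER " .. user .. "\r\n"))
    try(socket:send("PASS " .. pass .. "\r\n"))
  else
    try(socket:send("USER anonymous\r\n"))
    try(socket:send("PASS IEUser@\r\n"))
  end

  local is_vuln = false
  local cleaned_up = false

  if wait_for("^230") then
    try(socket:send("STAT\r\n"))
    if wait_for("^211%-Microsoft FTP Service") then
      try(socket:send("MKD w00t\r\n"))
      if wait_for("^257") then
        is_vuln = true
        -- Remove the probe directory and wait for the 250 confirmation so a
        -- failed cleanup is visible in the scan output instead of silent.
        try(socket:send("RMD w00t\r\n"))
        cleaned_up = wait_for("^250")
      end
    end
  end

  socket:close()

  if is_vuln then
    local finding = "IIS Server allow anonymous and mkdir (potentially vulnerable)"
    if not cleaned_up then
      finding = finding .. "; removal of test directory w00t was not confirmed, remove it manually"
    end
    return finding
  end
end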