
Untitled

a guest
Aug 23rd, 2017
  1. --- Checks if a Microsoft FTP server allows anonymous logins + MKDIR
  2. --- If yes, could be vulnerable to the following exploit:
  3. --- http://seclists.org/fulldisclosure/2009/Aug/0443.html
  4. -- @output
  5. -- |_ FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
  6. --
  7. -- @args ftpuser Alternate user to initiate the FTP session
  8. -- ftppass Alternate password to initiate the FTP session
  9. -- If no arguments are passed, anonymous FTP session is probed
  10.  
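  -- NSE script metadata, read by the script engine when the file is loaded.
  id = "IIS FTP"
  description = "Checks to see if a Microsoft IIS FTP server allows anonymous logins and MKDIR (based on anonftp.nse by Eddie Bell <ejlbell@gmail.com>)"
  author = "Xavier Mertens <xavier@rooshell.be>"
  license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
  -- The action creates (and then removes) a directory on the target, so the
  -- script is not listed under "default": a check that writes to the scanned
  -- server should only run when the operator selects it explicitly.
  categories = {"auth", "intrusive"}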
  16.  
  17. require "shortport"
  18. local stdnse = require "stdnse"
  ---
  -- Port rule: run the script only against port 21 when Nmap reports it as
  -- "open" or "open|filtered". The host argument is not consulted.
  -- (A library-based alternative would be shortport.port_or_service(21, "ftp").)
  -- @param host host table supplied by NSE (unused)
  -- @param port port table supplied by NSE; reads .number and .state
  -- @return true when the port qualifies, false otherwise
  portrule = function(host, port)
    local reachable = port.state == "open" or port.state == "open|filtered"
    return port.number == 21 and reachable
  end
  30.  
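  ---
  -- Connects to the FTP server, logs in (anonymously unless both the ftpuser
  -- and ftppass script arguments are non-empty strings), asks for the server
  -- status and, if the reply identifies "Microsoft FTP Service", tries to
  -- create a test directory. The directory is removed again when the create
  -- succeeded.
  --
  -- This check WRITES to the target: it issues MKD and then RMD for a
  -- directory named "w00t" in the login directory.
  --
  -- @param host host table supplied by NSE; reads .ip
  -- @param port port table supplied by NSE; reads .number and .protocol
  -- @return the finding string when login, status match and MKD all
  --         succeeded; nil otherwise
  action = function(host, port)
    local socket = nmap.new_socket()
    -- Kept local: the original assigned an undeclared global (isVuln), which
    -- leaks state out of the function.
    local is_vuln = false

    local function err_catch()
      socket:close()
    end

    -- Register the handler itself. The original wrote err_catch(), which ran
    -- the handler immediately (closing the socket before connect) and passed
    -- its nil result to new_try, so no cleanup handler was installed.
    local try = nmap.new_try(err_catch)

    -- Reads replies until one line starts with the given reply pattern.
    -- Every line of a received chunk is checked, because several replies
    -- (e.g. 331 and 230 after the pipelined USER/PASS) can arrive together.
    -- Returns false once the receive fails (timeout or connection closed).
    local function wait_for(pattern)
      while true do
        local status, data = socket:receive_lines(1)
        if not status then
          return false
        end
        for line in string.gmatch(data, "[^\r\n]+") do
          if string.match(line, pattern) then
            return true
          end
        end
      end
    end

    socket:set_timeout(5000)
    try(socket:connect(host.ip, port.number, port.protocol))

    local args = nmap.registry.args
    local user, pass = args.ftpuser, args.ftppass
    if type(user) == "string" and user ~= ""
      and type(pass) == "string" and pass ~= "" then
      try(socket:send("USER " .. user .. "\r\n"))
      try(socket:send("PASS " .. pass .. "\r\n"))
    else
      try(socket:send("USER anonymous\r\n"))
      try(socket:send("PASS IEUser@\r\n"))
    end

    -- 230 = user logged in.
    if wait_for("^230") then
      -- NOTE(review): RFC 959 names the status command STAT; confirm that the
      -- target really answers "RSTATUS" with the 211 reply matched below.
      try(socket:send("RSTATUS\r\n"))
      if wait_for("^211%-Microsoft FTP Service") then
        try(socket:send("MKD w00t\r\n"))
        -- 257 = directory created.
        if wait_for("^257") then
          is_vuln = true
          -- RMD is the RFC 959 remove-directory command; the original sent
          -- "RMDIR", which is a client-side alias and risks leaving the test
          -- directory behind on the scanned server.
          try(socket:send("RMD w00t\r\n"))
          -- Give the server the chance to answer before the socket is
          -- closed; the outcome of the cleanup is not reported.
          wait_for("^250")
        end
      end
    end

    socket:close()

    if is_vuln then
      return "IIS Server allow anonymous and mkdir (potentially vulnerable)"
    end
  end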