Detecting Vulnerable IIS-FTP Hosts Using Nmap

Exploit Target
A new 0-day exploit for the FTP server included within the Microsoft IIS suite has been released today. Check the post on the Full Disclosure mailing list for more details.

Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:

  • Check if anonymous sessions are allowed.
  • Check if the detected FTP server is running Microsoft ftpd.
  • Check if the MKDIR command is allowed (this seems to be required by the exploit)

If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. On the other side, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!

To use the Nmap script, copy it in your local script repositoty (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:

# nmap --script-updatedb

Then, the script will be executed against all detected FTP servers (using the “-Sc” argument) or you can specify only one script to be executed (for speed):

# nmap -p 21 -sV --script=IIS-FTP

Starting Nmap 4.76 ( ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (
21/tcp open  ftp     Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

The script is available here. Note that it is provided “as is”. it’s just a quick hack which worked for me.

Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.