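--- Checks if a Microsoft FTP server allows anonymous logins + MKDIR
--- If yes, could be vulnerable to the following exploit:
--- http://seclists.org/fulldisclosure/2009/Aug/0443.html
-- @output
-- |_ FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
--
-- @args ftpuser Alternate user to initiate the FTP session
--       ftppass Alternate password to initiate the FTP session
--       If no arguments are passed, anonymous FTP session is probed
--
-- NOTE(review): when ftpuser/ftppass are supplied the result string still
-- says "anonymous"; read the finding as "this account can create
-- directories" in that case.

id="IIS FTP"
description="Checks to see if a Microsoft ISS FTP server allows anonymous logins and MKDIR (based on anonftp.nse by Eddie Bell )"
author = "Xavier Mertens "
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-- NOTE(review): this script writes to the target (it creates and then tries
-- to remove a directory). Listing it under "default" means it runs on a plain
-- default script scan; confirm that is intended, or keep only "auth" and
-- "intrusive" so the operator has to opt in.
categories = {"default", "auth", "intrusive"}

require "shortport"
local stdnse = require "stdnse"

---
-- portrule = shortport.port_or_service(21, "ftp")
-- Matches TCP/21 only, when the port is reported open or open|filtered.
portrule = function(host, port)
  return port.number == 21
    and (port.state == "open" or port.state == "open|filtered")
end

-- True when any line of a received chunk matches the pattern.
-- receive_lines(1) may hand back several reply lines at once (USER and PASS
-- are sent back to back), so an anchored pattern has to be tried per line
-- rather than only against the start of the chunk.
local function reply_has(data, pattern)
  if type(data) ~= "string" then
    return false
  end
  for line in string.gmatch(data, "[^\r\n]+") do
    if string.match(line, pattern) then
      return true
    end
  end
  return false
end

-- Reads from the socket until a line matches the pattern (returns true) or
-- the read fails, e.g. on timeout or connection close (returns false).
local function wait_for(socket, pattern)
  local status, data = true, nil
  while status do
    status, data = socket:receive_lines(1)
    if reply_has(data, pattern) then
      return true
    end
  end
  return false
end

---
-- Connects to the ftp server and checks if the server allows
-- anonymous logins or any credentials passed as arguments, then checks
-- whether that session is allowed to create a directory.
-- @param host Host table supplied by NSE (host.ip is used).
-- @param port Port table supplied by NSE (number and protocol are used).
-- @return The finding string when directory creation succeeded on a server
--         identifying as Microsoft FTP Service, otherwise nothing.
action = function(host, port)
  local socket = nmap.new_socket()
  -- Must be local: a global flag would survive between invocations and could
  -- report a later, non-writable host as vulnerable.
  local is_vuln = false

  -- Pass the handler itself. Calling it here would close the socket before
  -- connect() and register no cleanup at all.
  local try = nmap.new_try(function() socket:close() end)

  socket:set_timeout(5000)
  try(socket:connect(host.ip, port.number, port.protocol))

  local user = nmap.registry.args.ftpuser
  local pass = nmap.registry.args.ftppass
  if type(user) == "string" and user ~= ""
      and type(pass) == "string" and pass ~= "" then
    try(socket:send("USER " .. user .. "\r\n"))
    try(socket:send("PASS " .. pass .. "\r\n"))
  else
    try(socket:send("USER anonymous\r\n"))
    try(socket:send("PASS IEUser@\r\n"))
  end

  -- 230: login accepted.
  if wait_for(socket, "^230") then
    -- NOTE(review): RFC 959 names the status command STAT; confirm that the
    -- servers this check targets answer "RSTATUS" with the 211 banner.
    try(socket:send("RSTATUS\r\n"))
    if wait_for(socket, "^211-Microsoft FTP Service") then
      try(socket:send("MKD w00t\r\n"))
      -- 257: directory created, i.e. this session has write access.
      if wait_for(socket, "^257") then
        is_vuln = true
        -- NOTE(review): RFC 959 names the remove-directory command RMD;
        -- confirm the server accepts "RMDIR", otherwise the test directory
        -- is left behind on the target.
        try(socket:send("RMDIR w00t\r\n"))
        -- Give the server a chance to answer the cleanup before closing.
        socket:receive_lines(1)
      end
    end
  end

  socket:close()

  if is_vuln then
    return "IIS Server allow anonymous and mkdir (potentially vulnerable)"
  end
end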