https://t.me/RX1948
Server : Apache/2.4.18 (Ubuntu)
System : Linux canvaswebdesign 3.13.0-71-generic #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015 x86_64
User : oppastar ( 1041)
PHP Version : 7.0.33-0ubuntu0.16.04.15
Disable Function : pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
Directory :  /usr/share/nmap/scripts/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]

 

Current File : //usr/share/nmap/scripts/ftp-libopie.nse
local nmap = require "nmap"
local shortport = require "shortport"
local string = require "string"
local vulns = require "vulns"

description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow),
a vulnerability discovered by Maksymilian Arciemowicz and Adam "pi3" Zabrocki.
See the advisory at https://nmap.org/r/fbsd-sa-opie.
Be advised that, if launched against a vulnerable host, this script will crash the FTPd.
]]

---
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie:
-- |   VULNERABLE:
-- |   OPIE off-by-one stack overflow
-- |     State: LIKELY VULNERABLE
-- |     IDs:  CVE:CVE-2010-1938  OSVDB:64949
-- |     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
-- |     Description:
-- |       An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
-- |       attackers to cause a denial of service or possibly execute arbitrary code
-- |       via a long username.
-- |     Disclosure date: 2010-05-27
-- |     References:
-- |       http://osvdb.org/64949
-- |       http://site.pi3.com.pl/adv/libopie-adv.txt
-- |       http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc
-- |_      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1938
--


author = "Ange Gutek"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln","intrusive"}


portrule = shortport.port_or_service(21, "ftp")

action = function(host, port)
  local opie_vuln = {
    title = "OPIE off-by-one stack overflow",
    IDS = {CVE = 'CVE-2010-1938', OSVDB = '64949'},
    risk_factor = "High",
    scores = {
      CVSSv2 = "9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)",
    },
    description = [[
An off-by-one error in OPIE library 2.4.1-test1 and earlier, allows remote
attackers to cause a denial of service or possibly execute arbitrary code
via a long username.]],
    references = {
      'http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc',
      'http://site.pi3.com.pl/adv/libopie-adv.txt',
    },
    dates = {
      disclosure = {year = '2010', month = '05', day = '27'},
    },
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  local socket = nmap.new_socket()
  local result
  -- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
  local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  local status = true

  local err_catch = function()
    socket:close()
  end

  local try = nmap.new_try(err_catch)

  socket:set_timeout(10000)
  try(socket:connect(host, port))

  -- First, try a safe User so that we are sure that everything is ok
  local payload = "USER opie\r\n"
  try(socket:send(payload))

  status, result = socket:receive_lines(1);
  if status and not (string.match(result,"^421")) then

    -- Second, try the vulnerable user account
    local payload = "USER " .. user_account .. "\r\n"
    try(socket:send(payload))

    status, result = socket:receive_lines(1);
    if status then
      opie_vuln.state = vulns.STATE.NOT_VULN
    else
      -- if the server does not answer anymore we may have reached a stack overflow condition
      opie_vuln.state = vulns.STATE.LIKELY_VULN
    end
  end
  return report:make_output(opie_vuln)
end

https://t.me/RX1948 - 2025