Friday, September 4, 2009

Detecting Vulnerable IIS-FTP Hosts Using Nmap

Based on an existing Nmap script, I quickly wrote a new one which performs the following actions:

* Check if anonymous sessions are allowed.
* Check if the detected FTP server is running Microsoft ftpd.
* Check if the MKDIR command is allowed (this seems to be required by the exploit).

If all those conditions are met, the script exits with a warning message. Note that my script will only report servers which could be vulnerable. On the other hand, running a server with anonymous users able to create directories is a major security breach and must be fixed independently of the newly discovered vulnerability!
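The three checks listed above, written out in Python as an added example (this is not the author's Nmap script). It assumes the FTP greeting banner can stand in for Nmap's `-sV` fingerprint; the names `audit_ftp`, `audit_host`, `FakeFTP` and the probe directory name are hypothetical, and the fake server replies are constructed so the logic runs offline.

```python
import ftplib

def audit_ftp(ftp, probe_dir="audit-probe-dir"):
    """Run the post's three checks on a connected ftplib.FTP-like object."""
    result = {"microsoft_ftpd": False, "anonymous": False, "mkdir": False}
    # Assumption: the greeting banner stands in for Nmap's -sV fingerprint.
    result["microsoft_ftpd"] = "microsoft ftp" in (ftp.getwelcome() or "").lower()
    try:
        ftp.login()                      # ftplib defaults to user "anonymous"
        result["anonymous"] = True
    except ftplib.Error:
        return result                    # no session, so MKD cannot be tested
    try:
        ftp.mkd(probe_dir)               # write probe (hypothetical name)
        result["mkdir"] = True
        ftp.rmd(probe_dir)               # remove the probe again
    except ftplib.Error:
        pass                             # MKD refused, or cleanup refused
    return result

def potentially_vulnerable(result):
    """Report a host only when all three conditions hold, as the post does."""
    return all(result.values())

def audit_host(host, timeout=10):
    """Connect to one host and run the checks."""
    with ftplib.FTP(host, timeout=timeout) as ftp:
        return audit_ftp(ftp)

class FakeFTP:
    """Constructed stand-in for ftplib.FTP so the logic runs offline."""
    def __init__(self, banner, anon_ok, mkd_ok):
        self.banner, self.anon_ok, self.mkd_ok = banner, anon_ok, mkd_ok
        self.dirs = []
    def getwelcome(self):
        return self.banner
    def login(self):
        if not self.anon_ok:
            raise ftplib.error_perm("530 User cannot log in.")
    def mkd(self, name):
        if not self.mkd_ok:
            raise ftplib.error_perm("550 Access is denied.")
        self.dirs.append(name)
    def rmd(self, name):
        self.dirs.remove(name)

if __name__ == "__main__":
    for fake in (FakeFTP("220 Microsoft FTP Service", True, True),
                 FakeFTP("220 Microsoft FTP Service", True, False)):
        print(potentially_vulnerable(audit_ftp(fake)))
```

A host that allows anonymous MKD but does not identify as Microsoft ftpd is not reported by `potentially_vulnerable`, yet the `mkdir` field in the result still exposes the writable anonymous account that the paragraph above says must be fixed regardless.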

To use the Nmap script, copy it into your local script repository (something like /usr/local/share/nmap/scripts/) and rebuild your scripts index:

# nmap --script-updatedb

Then, the script will be executed against all detected FTP servers (using the “-sC” argument) or you can specify only one script to be executed (for speed):

# nmap -p 21 -sV --script=IIS-FTP 10.0.0.7

Starting Nmap 4.76 ( http://nmap.org ) at 2009-09-01 01:15 CEST
Interesting ports on test-win (10.0.0.7):
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ IIS FTP: IIS Server allow anonymous and mkdir (potentially vulnerable)
Service Info: OS: Windows

The script is available here. Note that it is provided “as is”. It’s just a quick hack which worked for me.

Maybe you were not aware of the Nmap scripting capabilities. Feel free to read this small introduction to Nmap scripting.

Reference:
http://blog.rootshell.be/2009/09/01/detecting-vulnerable-iis-ftp-hosts-using-nmap/
