Exploiting VSFTPD v2

This document discusses exploiting a backdoor in VSFTPD v2.3.4 on Metasploitable 2. The backdoor is triggered by a username containing a smiley face ":)" character combination, which opens a bind shell listener on port 6200 granting root access. The document shows the vulnerable source code, and demonstrates manually exploiting the backdoor by connecting to the FTP service and authenticating with a special username. It also shows exploiting the backdoor using Metasploit.

Uploaded by laytonchetty27

Exploiting VSFTPD v2.3.4 on Metasploitable 2

VSFTPD v2.3.4 vulnerabilities


From the vulnerability assessment we have learned that this version of VSFTPD may contain a backdoor,
and that the backdoor was planted by an intruder rather than written by the project: for a few days
around the start of July 2011 the vsftpd-2.3.4.tar.gz archive offered for download had been replaced
with a modified copy. The developers identified and removed it quickly, but many people had already
downloaded and installed the backdoored archive, and Metasploitable 2 ships such a build. The backdoor
payload is triggered by the two-character sequence :) (a smiley face) anywhere in the username given
to the USER command, and it sets up a bind shell listener on TCP port 6200. Because this is a planted
backdoor and not a coding error, a 2.3.4 build compiled from a clean archive is not affected; the only
reliable fix for an affected host is to reinstall from a clean archive whose checksum or signature has
been verified.

VSFTPD v2.3.4 vulnerable source code

Let’s have a look at the source code of the vulnerable version of VSFTPD v2.3.4 to see what the
backdoor looks like. Surprisingly, the code has not been obfuscated in any way, so it is easy to read
and to see how it works. A copy of the vulnerable code is available on Pastebin at
http://pastebin.com/AetT9sS5. The following code is the routine that validates the user input on
the username:

0x3a = :
0x29 = )

Lines 37 and 38 of the listing, inside the loop that walks the username buffer byte by byte, check for
a byte 0x3a immediately followed by a byte 0x29, which is the smiley face :). When the username contains
that pair, the else if branch calls the vsf_sysutil_extra function, which has no legitimate reason to
exist in an FTP daemon. Let’s have a look at this function.

The ‘struct sockaddr_in sa’ on line 79 is an internet socket address structure named sa. Lines 83, 84
and 85 fill it in: sin_family is set to the constant AF_INET, sin_port to 6200 (converted with htons)
and sin_addr to INADDR_ANY, so the socket is bound on every interface of the server rather than on any
particular client address. The code that follows uses the structure to create a TCP socket, bind it and
listen on it for incoming connections. Note that this code runs in the server’s context: it is the
vsftpd process itself that sets up the bind socket and listener, and the remote attacker simply
connects to it. Line 94 hands a shell to anyone connecting to the server on port 6200: the accepted
connection is duplicated onto stdin, stdout and stderr and /bin/sh is executed. There is no
authentication of any kind, and the shell inherits whatever privileges the vsftpd process has.

Exploiting VSFTPD v2.3.4 backdoor manually


In the next step we will exploit the backdoor manually by connecting to the Metasploitable 2 VSFTPD
service and using a smiley in the username we authenticate with. Assuming you have the Metasploitable 2
virtual machine installed and running, use the following command from your attack box:

telnet [Metasploitable IP] 21


Then type the following two commands:

USER user:)

PASS pass
Then leave telnet with the escape character ^] (followed by quit), or simply wait a few seconds. The
control connection will not answer any more, because the vsftpd process has entered the listener loop
of vsf_sysutil_extra and never returns to reading FTP commands; the PASS line is harmless but is never
actually processed. When we fire up nmap and scan for port 6200 we should see that the malicious code
was executed and port 6200 is open (nmap’s ftp-vsftpd-backdoor NSE script performs the same
trigger-and-connect check in a single step):

Let’s connect to port 6200 using the following command:

telnet [Metasploitable IP] 6200

When we issue the id command followed by a semicolon (;) we can see that the FTP service was running
as root and we have a root shell on the box. The semicolon matters: telnet terminates each line with a
carriage return and line feed, and without the semicolon the shell would look for a command named
id followed by a stray carriage return. Let’s see how we can exploit this backdoor vulnerability using
the Metasploit Framework.

Exploiting VSFTPD v2.3.4 with Metasploit


The Metasploit Framework has an exploit module for the VSFTPD v2.3.4 backdoor. In this part of the
tutorial we will exploit VSFTPD v2.3.4 using Metasploit. Let’s start msfconsole with the following
command:

msfconsole
When msfconsole is running select the backdoor exploit using the following command:

use exploit/unix/ftp/vsftpd_234_backdoor
Type the following command to have a look at the exploit options:

show options

As we can see, the only option we need to supply is the remote host: set RHOSTS (RHOST in older
Metasploit releases) to the Metasploitable 2 IP and leave RPORT at its default of 21. Now we can type
run or exploit to exploit the target. The module sends the smiley username, waits briefly and then
connects to port 6200 itself, so no separate telnet step is needed.

Root shell through Metasploit.
