The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Our aim is to serve the most comprehensive collection of exploits gathered through direct submissions, mailing lists, as well as other public sources, and present them in a freely available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
Technical details for over 180,000 vulnerabilities and 4,000 exploits are available for security professionals and researchers to review. These vulnerabilities are utilized by our vulnerability management tool InsightVM. The exploits are all included in the Metasploit framework and utilized by our penetration testing tool, Metasploit Pro. Our vulnerability and exploit database is updated frequently and contains the most recent security research.
After gaining enough knowledge about the vulnerability, let us now exploit the target system. First we need to see which options must be set before launching the exploit against the target. We can do this by running the show options command, as follows:
Next, we can check for matching payloads via the show payloads command to see which payloads are suitable for this particular exploit module. Only a single payload is listed, cmd/unix/interact. We select it with the set payload cmd/unix/interact command.
We can download the file via the wget command, as shown in the preceding screenshot. Now, in order to allow the victim system to communicate with Metasploit, we need to set up an exploit handler on our system. The handler will allow communication between the target and Metasploit using the same port and payload we used in the backdoor.elf file.
We issue use exploit/multi/handler on a separate terminal in Metasploit and set the payload type as linux/x86/meterpreter/reverse_tcp. Next, we set the listening port via set LPORT 4444 and LHOST as our local IP address. We can now run the module using the exploit command and wait for the incoming connections.
Setting the permissions to 777 grants read, write, and execute permissions on the file to every user. Execute the file, then switch to the other terminal, which is running our exploit handler:
Running the ifconfig command on the target reveals some interesting information, such as an additional network interface, which may lead us to an internal network on which further systems reside. We run the arp command on the target to check whether any systems on that internal network are, or recently were, connected to the exploited system, as shown in the following screenshot:
We can clearly see an additional system with the IP address 192.168.20.4 on the internal network. Approaching the internal network, we need to set up pivoting on the exploited machine using the autoroute command:
In a nutshell, the vsftpd vulnerability was introduced for 2 days when the version 2.3.4 downloadable from the master site had been compromised by an unknown attacker who proceeded to upload a version of vsftpd with a backdoor. With said version, users were able to issue a ":)" smiley face as the username and gain a command shell on port 6200.
I was hoping someone could explain or direct me to a resource(s) that explains VSFTPD (and perhaps the exploit) in depth and technically. I have been searching a lot to find answers with little success.
Pico is right. You could just log in with a normal FTP client and type the credentials. Some hackers broke into vsftpd and updated the binary on the download page. And thus lots of people updated and downloaded the hacked version of vsftpd.
In the upcoming Metasploitable 2 exploitation tutorials we will be exploiting the vulnerabilities we found in the enumeration phase and the vulnerability assessment. We will exploit the vulnerabilities both manually, where that is possible, and by using Metasploit. In this tutorial we will be exploiting VSFTPD v2.3.4 manually and with Metasploit. This particular VSFTPD vulnerability is easy to exploit and is a great first start on the Metasploitable 2 box. Instead of quickly running Metasploit to exploit this vulnerability, we will start by looking at exactly how the application is vulnerable. Then we will analyse the source code, test it in a controlled environment and finally exploit it on the Metasploitable 2 machine. This will help you get a better understanding of the exploitation process and actually see what is happening and how.
In the next step we will try to exploit the backdoor vulnerability manually by connecting to the Metasploitable 2 VSFTPD service and using a smiley as the username to authenticate. Assuming you have the Metasploitable 2 virtual machine installed and running
In this tutorial we have exploited a vulnerability in VSFTPD v2.3.4 both manually with telnet and with Metasploit. We have analysed the vulnerable source code and learned how the backdoor was coded and how it functions. The VSFTPD v2.3.4 service was running as root which gave us a root shell on the box. It is very unlikely you will ever encounter this vulnerability in a live situation because this version of VSFTPD is old nowadays and the vulnerable version was only available for one day. Nevertheless we can still learn a lot about backdoors, bind shells and exploitation from this easy example.
I have read the Metasploitable 2 article. It was all good, and I want to learn how to modify the exploit and run it against the target. I have seen lots of websites but was not able to find it accurately. Could you help me and suggest where I should study? I am seeking your positive response. I have already posted about this but did not find an answer.
I ran into this problem just now on Lame as well and was able to figure it out. My guess is the actual exploit itself has changed since the walkthroughs were written, or else maybe my metasploit somehow was different.
I am having a similar issue with Lame. Everyone keeps saying make sure to set the payload within the exploit, which I keep trying to do. There are quite a few meterpreter payloads and I've tried most of the Linux meterpreter payloads, but it is not letting me set it, as there is some sort of error I get when I try to set it.
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.
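An added, defender-side example (not part of the Nmap script or of any author quoted on this page): a small Python checker that scans vsftpd protocol-log lines for the two indicators the page describes, a server banner identifying vsFTPd 2.3.4 and a USER command carrying the ":)" trigger sequence. The log lines are a constructed approximation of vsftpd's log_ftp_protocol output and the client addresses are made up.

```python
import re

# Constructed sample lines in the style of vsftpd's protocol log
# (log_ftp_protocol=YES). They are illustrative, not captured from a real server.
SAMPLE_LOG = """\
Mon Jul  4 10:01:02 2011 [pid 2112] CONNECT: Client "10.0.0.5"
Mon Jul  4 10:01:02 2011 [pid 2112] FTP response: Client "10.0.0.5", "220 (vsFTPd 2.3.4)"
Mon Jul  4 10:01:03 2011 [pid 2112] FTP command: Client "10.0.0.5", "USER alice"
Mon Jul  4 10:01:03 2011 [pid 2112] FTP command: Client "10.0.0.5", "PASS <password>"
Mon Jul  4 10:02:10 2011 [pid 2113] CONNECT: Client "192.168.20.4"
Mon Jul  4 10:02:10 2011 [pid 2113] FTP command: Client "192.168.20.4", "USER letmein:)"
Mon Jul  4 10:02:10 2011 [pid 2113] FTP command: Client "192.168.20.4", "PASS x"
"""

# One log line: timestamp, pid, event kind, client address and (optionally) the
# quoted FTP command or response text.
LINE_RE = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] (?P<kind>CONNECT|FTP command|FTP response): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<msg>.*)")?$'
)

def parse_vsftpd_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def find_backdoor_indicators(text):
    """Return (indicator, client, message) tuples for two signs of the backdoor:
    'banner'  - the server announced itself as vsFTPd 2.3.4 (the affected version);
    'trigger' - a USER command whose argument contains the ':)' sequence that
                the trojaned build watched for."""
    alerts = []
    for ev in parse_vsftpd_log(text):
        msg = ev["msg"] or ""
        if ev["kind"] == "FTP response" and "vsFTPd 2.3.4" in msg:
            alerts.append(("banner", ev["client"], msg))
        elif ev["kind"] == "FTP command" and msg.upper().startswith("USER ") and ":)" in msg:
            alerts.append(("trigger", ev["client"], msg))
    return alerts

if __name__ == "__main__":
    for kind, client, msg in find_backdoor_indicators(SAMPLE_LOG):
        print(f"{kind:8s} client={client} {msg}")
```

A banner hit alone only says the version string matches; a trigger hit should be followed by checking the host for an unexpected listener on port 6200.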
It was discovered that vsftpd was vulnerable to the ALPACA TLS protocol content confusion attack. A remote attacker could possibly use this issue to redirect traffic from one subdomain to another.
As you can see, the script gives me a lot of information. It tells me that the service running on port 21 is vulnerable, it also gives me the OSVDB id and the CVE id, as well as the type of exploit. This is very useful when finding vulnerabilities because I can plan an attack, but also, I can see the exact issue that was not patched and how to exploit it.
I decided to go with the first vulnerable port. As the information tells us from the Nmap vulnerability scan, by exploiting the vulnerability, we can gain access to the server by creating a backdoor. I decided to find details on the vulnerability before exploiting it. I followed the blog link in the Nmap results for scarybeastsecurity and was able to find some information about the vulnerability. From reading the documentation, I learned that the vsFTPd server is written in the C programming language, and also that the server can be exploited by entering a ":)" smiley face in the username section, after which a TCP callback shell is attempted.
I was left with one more thing. I wanted to learn how to exploit this vulnerability manually. So I tried it, and I sort of failed. First, I decided to use telnet to enter into the system which worked fine, but then I ran into some issues. I assumed that the username could be a smiley face; however, after searching on the web, I found out I needed to have a smiley face after the user parameter.
In conclusion, I was able to exploit one of the vulnerabilities in Metasploitable2. Next, I will look at some of the websites offered by Metasploitable, and look at other vulnerabilities in the server.
As far as I know there is no such serious exploit for vsFTPD version 2.0.5 which would allow an attacker to gain access or allow arbitrary code execution; instead I would suggest you check whether this service somehow helps attackers gain juicy information.
Enumerate users. In old FTP versions I have noticed the anonymous accounts are enabled; when you log in using anonymous accounts, the FTP daemon sometimes leaks the original application version, so check whether that version is vulnerable to any exploit. Also check whether any other such accounts are working, or whether any other accounts have weak passwords which can be brute-forced easily.
In July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been compromised. Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smiley face as the username and gain a command shell on port 6200. This was not an issue of a security hole in vsftpd; instead, someone had uploaded a different version of vsftpd which contained a backdoor. Since then, the site was moved to Google App Engine.