In the upcoming Metasploitable 2 exploitation tutorials we can be exploiting the vulnerabilities we’ve discovered within the enumeration section and the vulnerability evaluation. We can be exploiting the discovered vulnerabilities each manually if that’s potential and through the use of Metasploit. In this tutorial we can be exploiting VSFTPD v2.3.4 manually and with Metasploit. This specific VSFTPD exploit is fairly simple to use and is a good first begin on the Metasploitable 2 field. Instead of rapidly operating Metasploit to use this vulnerability we are going to begin how the applying is strictly weak. Than we are going to analyse the supply code, check it in a managed setting after which exploit it on the Metasploitable 2 machine. This will assist you to to get a greater understanding of the exploitation course of and really see what is occurring and the way.

The finish objective of exploiting vulnerabilities is in the end to achieve a root or administrator shell on the goal host and carry out publish exploitation on the machine. The gained privilege degree of a shell is normally within the context of the exploited software. For instance if VSFTPD v2.3.4 is operating in root context and executes shellcode with a reverse shell, than the reverse shell can also be operating in root context. Often this isn’t the case and system directors run companies and software program below privileged accounts with no extra privileges than strictly obligatory. When an exploited service runs shellcode below a privileged account than the shell is in the identical privileged context. If a low privileged shell is returned than privilege escalation strategies are essential to elevate the shell to an administrator shell. Let’s see if we will exploit VSFTPD v2.3.4 on Metasploitable 2 and acquire root shell to the Metasploitable 2 machine.

VSFTPD v2.3.4 vulnerabilities

From the vulnerability evaluation we’ve discovered that this model of VSFTPD would possibly comprise a backdoor which has been created by an intruder. Although the backdoor was recognized and eliminated rapidly by the builders, many individuals have downloaded and put in the backdoored model of VSFTPD. The backdoor payload is initiated in response to a 🙂 character mixture within the username which represents a smiley face. The code units up a bind shell listener on port 6200.

VSFTPD v2.3.4 weak supply code

Let’s take a look on the supply code of the weak model of VSFTPD v2.3.4 to see what the backdoor seems to be like within the supply code. Surprisingly the supply code has not been obfuscated in any method so we will simply learn it and see how it’s working. There is a replica of the weak code accessible on Pastebin through the use of the next link: http://pastebin.com/AetT9sS5. The following code validates the consumer enter on the username:

Exploiting VSFTPD v2.3.4 - backdoor code 1

Line 37 and 38 verify for consumer enter containing hexadecimal chars 0x3a adopted by 0x29 which represents the smiley face 🙂 characters. When the username incorporates each characters the else if assertion executes the vsf_sysutil_extra operate. Let’s take a look at this operate.

Exploiting VSFTPD v2.3.4 - backdoor function code 2

The ‘struct sockaddr_in sa’ on line 79 is a construction containing an web deal with named sa. The construction is outlined by the sin_family which is ready to the fixed AF_INET, sin_port (6200) and the shopper deal with set to any on line 83, 84 and 85. The code to observe makes use of the construction to setup a bind socket and a listener course of to pay attention on the socket for incoming connections. Note that this code is run within the server context, so the server is organising the bind socket and listener which is utilized by the distant attacker for organising a connection. Line 94 presents a shell to anybody connecting to the server on port 6200.

Exploiting VSFTPD v2.3.4 backdoor manually

In the subsequent step we are going to attempt to exploit the backdoor vulnerability manually by connecting to the Metasploitable 2 VSFTPD service and use a smiley because the username to authenticate. Assuming you might have the Metasploitable 2 digital machine put in and operating

, use the next command out of your assault field:

telnet [Metasploitable IP] 21

Than kind the next 2 instructions:

USER consumer:)

PASS cross

Than use the escape character ^] or wait a couple of seconds. When we fireplace up nmap and scan for port 6200 we must always see that the malicious code was executed and port 6200 is open:

nmap scan VDFTPD port 6200

Let’s connect with port 6200 utilizing the next command:

telnet [Metasploitable IP] 6200

nmap scan VDFTPD port 6200 root shell

When we problem the id command adopted by a semicolon (;) we will see that the FTP companies was operating as root and we’ve a root shell on the field. Let’s see how we will exploit this backdoor vulnerability through the use of the Metasploit Framework.

Exploiting VSFTPD v2.3.4 with Metasploit

The Metasploit Framework had an exploit accessible to use the VSFTPD v2.3.4 vulnerability. In this a part of the tutorial we can be exploiting VSFTPD v2.3.4 utilizing Metasploit. Let’s begin msfconsole with the next command:

msfconsole

When msfconsole is operating choose the backdoor exploit utilizing the next command:

use exploit/unix/ftp/vsftpd_234_backdoor

Type the next command to take a look on the exploit choices:

Show choices

Metasploit - exploiting VSFTPD 2

We solely have to set the rhost area to the Metasploitable 2 IP.

As we will see we solely want to produce a distant host IP and a port which we depart to default on port 21. Now we will kind run or exploit to use the goal.

Metasploit - exploiting VSFTPD 1

Root shell via Metasploit.

Summary

In this tutorial we’ve exploited a vulnerability in VSFTPD v2.3.4 each manually with telnet and with Metasploit. We have analysed the weak supply code and discovered how the backdoor was coded and the way it capabilities. The VSFTPD v2.3.4 service was operating as root which gave us a root shell on the field. It may be very unlikely you’ll ever encounter this vulnerability in a stay state of affairs as a result of this model of VSFTPD is previous these days and the weak model was solely accessible for someday. Nevertheless we will nonetheless study lots about backdoors, bind shells and exploitation from this simple instance.


Note: Use Virtual Machine and scan on VirusTotal before downloading any program on Host Machine for your privacy.