Escaping Metasploit – vsFTPd 2.3.4
By Guy Nguyen-Phuoc on April 18, 2019
(By: Guy Nguyen-Phuoc on Apr 19, 2019)
Metasploit is a fantastic tool, whether it is out in the field or through learning the ropes of exploitation. Its streamlined process of well-known exploitation methods eases the burden of pentesters, cutting exploitation from 30-minute affairs to five minutes. However, in doing so many beginners who overly rely upon Metasploit lose critical foundational skills needed for pentesting. This series’ goal is to escape the Metasploit shell and reveal the wonderful inner workings of the exploitative process.
Open, on NAT, a Kali Linux VM and the Metasploitable 2 VM. Log into the metasploitable 2 VM and run ifconfig, as seen in Figure 1. Log down the IP address (inet addr) for later use.
On the Kali machine run the command, msfconsole. Once loaded give the command, search vsftpd 2.3.4.
Using the last exploit listed in Figure 2, select said exploit with command, use exploit/unix/ftp/vsftpd_234_backdoor. Shown in Figure 3.
The command, info, will provide intel on the exploit. Run the command, show options, to see what is missing from running this exploit. RHOSTS is missing, shown in Figure 4.
Using the IP address logged earlier from the Metasploitable 2 VM, run the command, set rhosts “IP address from Metasploitable 2”. Example in Figure 5.
Run the show options command to make sure the IP matches the Metasploitable 2 VM. If so, run the command run. Shown in Figure 6.
Figure 6 highlights the exploit working and the IP address matches the Metasploitable 2 VM with root to boot.
While exploiting this box with Metasploit was easy, it took away the core aspect of exploitation. In other words, using Metasploit only teaches you how to input data and press the right settings to exploit; a script kiddie. Like all tools it is important to understand what is happening before using an automated system.
The Manual Way
Restart the Metasploitable VM to ensure the ports act right. Once the VM has restarted, open a terminal and run this command telnet “IP address of metasploitable 2” 21. As shown in Figure 7.
Simply login with USER “some type of string”:), with the PASS “another string”. Escape using CTRL+] and press ENTER. Finally quit telnet. The red highlighted “smiley face” is essential for this exploit to work. See Figure 8 for help.
CONGRADULATIONS, you have just exploited vsFTPd 2.3.4. The trick was the “:)” or the “smiley face” which created a shell bound to the port 6200. Explanation of the exploit in STEP 4, for now connect to the shell. Run the command, nc “IP address of Metasploitable 2 VM” 6200. Figure 9 shows our connection with
Why it Works
vsFTPd stands for “Very Secure FTP Daemon”. Between June 30th, 2011 and July 1st, 2011, a backdoor was introduced into the master site of vsFTPd version 2.3[.]4.
  
On examining the “else if” section of C code, in Figure 10, you will find two hex numbers being compared to the p_buf[i] array. 0x3A & 0x29 are ascii characters for “:” & “)” respectively, the “smiley face”. The snippet of code loops through the array and checks the string the user entered while logging into the FTP server. If it finds the “smiley face” characters, in the correct order, it runs a function called vsf_sysutil_extra();, function
shown in Figure 11.
The vsf_sysutil_extra() function sets up a TCP socket listening on port 6200 that will spawn a shell when connected to said port.
While Metasploit is a great tool that streamlines the exploitation process it is a tool that should be used when you have a solid foundational understanding of exploitation. Taking the time to manually look at source code, reverse engineer and fuzz an application will only create a better pentester. In doing so one can achieve a higher level of knowledge and familiarity with exploits in general.
Exploitation is incredibly fun, and remember, the real dangers of Metasploit is its ability to stunt growth.
PS Feel free to look at the rest of the source code for vsftp 2.3.4 and try to find additional requirements needed for the exploit. In other words, do I just need a “:)”?
Source Code URL: https://github.com/nikdubois/vsftpd-2.3.4-infected
 vsftpd, “Probably the most secure and fastest FTP server for UNIX-like systems,” Jan. 2019.
 Archlinux, “Very Secure FTP Daemon.” Jan. 2019.
 Exploit Database, “vsftpd 2.3.4 – Backdoor Command Execution (Metasploit),” Jan. 2019. https://www.exploit-db.com/exploits/17491
 Sw3s# $sec, “Manual vsFTPd Vulnerability Exploitation,” July 2015.
 Security, “Alert: vsftpd download backdoored,” July 2011.
 xorl %eax, %eax, “vsftpd 2.3.4 Backdoor,” July 2011.
 Packt, “Vulnerability analysis of VSFTPD 2.3.4 backdoor,” Jan. 2019.