Escaping Metasploit – vsFTPd 2.3.4

(By: Guy Nguyen-Phuoc on Apr 19, 2019)

Introduction

Metasploit is a fantastic tool, whether it is out in the field or through learning the ropes of exploitation. Its streamlined process of well-known exploitation methods eases the burden of pentesters, cutting exploitation from 30-minute affairs to five minutes. However, in doing so many beginners who overly rely upon Metasploit lose critical foundational skills needed for pentesting. This series’ goal is to escape the Metasploit shell and reveal the wonderful inner workings of the exploitative process.

Logging IP

Open, on NAT, a Kali Linux VM and the Metasploitable 2 VM. Log into the metasploitable 2 VM and run ifconfig, as seen in Figure 1. Log down the IP address (inet addr) for later use.

Running ifconfig command

Using Metasploit

Step 1

On the Kali machine run the command, msfconsole. Once loaded give the command, search vsftpd 2.3.4.

Searching for exploit module in Metasploit

Step 2

Using the last exploit listed in Figure 2, select said exploit with command, use exploit/unix/ftp/vsftpd_234_backdoor. Shown in Figure 3.

Setting exploit module in Metasploit

Step 3

The command, info, will provide intel on the exploit. Run the command, show options, to see what is missing from running this exploit. RHOSTS is missing, shown in Figure 4.

Show options command on Metasploit

Step 4

Using the IP address logged earlier from the Metasploitable 2 VM, run the command, set rhosts “IP address from Metasploitable 2”. Example in Figure 5.

Setting rhost IP using Metasploit

Step 5

Run the show options command to make sure the IP matches the Metasploitable 2 VM. If so, run the command run. Shown in Figure 6.

Running Metasploit command on Kali Linux

Figure 6 highlights the exploit working and the IP address matches the Metasploitable 2 VM with root to boot.

Part 6

While exploiting this box with Metasploit was easy, it took away the core aspect of exploitation. In other words, using Metasploit only teaches you how to input data and press the right settings to exploit; a script kiddie. Like all tools it is important to understand what is happening before using an automated system.

The Manual Way

Step 1

Restart the Metasploitable VM to ensure the ports act right. Once the VM has restarted, open a terminal and run this command telnet “IP address of metasploitable 2” 21. As shown in Figure 7.

Connecting through telnet on Kali Linux

Step 2

Simply login with USER “some type of string”:), with the PASS “another string”. Escape using CTRL+] and press ENTER. Finally quit telnet. The red highlighted “smiley face” is essential for this exploit to work. See Figure 8 for help.

Connecting through telnet on Kali Linux

Step 3

CONGRADULATIONS, you have just exploited vsFTPd 2.3.4. The trick was the “:)” or the “smiley face” which created a shell bound to the port 6200. Explanation of the exploit in STEP 4, for now connect to the shell. Run the command, nc “IP address of Metasploitable 2 VM” 6200. Figure 9 shows our connection with
root access!

Netcat scan in Kali Linux

Why it Works

vsFTPd stands for “Very Secure FTP Daemon”. Between June 30th, 2011 and July 1st, 2011, a backdoor was introduced into the master site of vsFTPd version 2.3[.]4.

[3] [4] [5]

Code snippet

On examining the “else if” section of C code, in Figure 10, you will find two hex numbers being compared to the p_buf[i] array. 0x3A & 0x29 are ascii characters for “:” & “)” respectively, the “smiley face”. The snippet of code loops through the array and checks the string the user entered while logging into the FTP server. If it finds the “smiley face” characters, in the correct order, it runs a function called vsf_sysutil_extra();, function

shown in Figure 11.

Code snippet

The vsf_sysutil_extra() function sets up a TCP socket listening on port 6200 that will spawn a shell when connected to said port.
[6] [7]

Conclusion

While Metasploit is a great tool that streamlines the exploitation process it is a tool that should be used when you have a solid foundational understanding of exploitation. Taking the time to manually look at source code, reverse engineer and fuzz an application will only create a better pentester. In doing so one can achieve a higher level of knowledge and familiarity with exploits in general.

Exploitation is incredibly fun, and remember, the real dangers of Metasploit is its ability to stunt growth.

PS Feel free to look at the rest of the source code for vsftp 2.3.4 and try to find additional requirements needed for the exploit. In other words, do I just need a “:)”?

Source Code URL: https://github.com/nikdubois/vsftpd-2.3.4-infected

References

[1] vsftpd, “Probably the most secure and fastest FTP server for UNIX-like systems,” Jan. 2019.
https://security.appspot.com/vsftpd.html

[2] Archlinux, “Very Secure FTP Daemon.” Jan. 2019.
https://wiki.archlinux.org/index.php/Very_Secure_FTP_Daemon

[3] Exploit Database, “vsftpd 2.3.4 – Backdoor Command Execution (Metasploit),” Jan. 2019. https://www.exploit-db.com/exploits/17491

[4] Sw3s# $sec, “Manual vsFTPd Vulnerability Exploitation,” July 2015.
https://sweshsec.wordpress.com/2015/07/31/vsftpd-vulnerability-exploitation-with-manual-approach/

[5] Security, “Alert: vsftpd download backdoored,” July 2011.
https://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html

[6] xorl %eax, %eax, “vsftpd 2.3.4 Backdoor,” July 2011.
https://xorl.wordpress.com/2011/07/05/vsftpd-2-3-4-backdoor/

[7] Packt, “Vulnerability analysis of VSFTPD 2.3.4 backdoor,” Jan. 2019.
https://subscription.packtpub.com/book/networking_and_servers/9781786463166/1/ch01lvl1sec18/vulnerability-analysis-of-vsftpd-2-3-4-backdoor