nc -nv TARGET_IP 6200
whoami
Ensure your VSFTPD version is higher than 2.3.4, or patch it using your distribution's package manager (apt-get install vsftpd or yum update vsftpd).
# Receive the response from the server
response = s.recv(1024).decode()
In July 2011, an unknown attacker compromised the master download server for VSFTPD. They replaced the legitimate source code archive for version 2.3.4 with a malicious version.
Here are some additional steps that can be taken to secure the FTP server:
If you are here for the exploit code, below are the for the vsftpd 2.3.4 backdoor:
In the background, port 6200 opens on the target machine. The attacker establishes a new connection to port 6200 (using standard tools like Netcat) and is instantly greeted with a root shell prompt.
3. Finding VSFTPD 2.3.4 Exploits on GitHub
The malicious code was hidden in the str_alloc_strdup function. The injection looked for specific input patterns within the username field during the FTP authentication process.
Ruby scripts designed to integrate with the Metasploit Framework (exploit/unix/ftp/vsftpd_234_backdoor).
If successful, you'll see a root shell. Commands like id will confirm you have root access, meaning a complete compromise of the system.
Upgrade to the latest stable version of VSFTPD provided by your distribution’s package manager:
ftp 192.168.1.160
The exploit is remarkably elegant in its simplicity. When a user connects to the compromised FTP service, the daemon listens normally to incoming login credentials. However, the malicious code scans the provided username string.