4 easy steps to exploit vsftpd

Last time, I explained how to install and use an FTP server. I used vsftpd in my environment.

Today, I would like to tell you about a vulnerability in vsftpd and show you how to exploit vsftpd 2.3.4.

Vulnerability definition

According to Wikipedia, “Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface.”


Exploit definition

Also according to Wikipedia, “An exploit (from the English verb to exploit, meaning “to use something to one’s own advantage”) is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized).[1] Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack. In lay terms, some exploit is akin to a ‘hack’.”

1. Identifying the target

In my lab, I use Kali Linux for discovering the target. However, you can use any Linux distribution on which you have nmap installed.

nmap is a network exploration tool and security / port scanner. It is used for gathering information about a target.

I already know that my FTP server is running on a host with the IP address 192.168.1.180, so I will run an nmap command similar to the one below:

sudo nmap -sV 192.168.1.180
Scanning the target FTP server

2. Search through exploits

After I have identified the open ports on the target host and the running services, I will use a tool named SearchSploit.

SearchSploit lets you search the exploits and shellcodes in Exploit-DB using one or more terms.

searchsploit vsftpd

As you can see, I found a couple of exploits for vsftpd. My target FTP host is running vsftpd 2.3.4, so I will use this exploit.

“This particular version contains a backdoor that was slipped into the source code by an unknown intruder. The backdoor was quickly identified and removed, but not before quite a few people downloaded it.” (https://docs.rapid7.com/metasploit/metasploitable-2-exploitability-guide)

You can download Metasploitable2 and experiment with it in your own environment.

I will use the mirror option (-m) to copy the script to my local home folder.

searchsploit -m 49757.py
Copy the script in the local home folder

3. Run the exploit

As the last step, I will run the script. Do not forget to specify the IP address of the FTP server. Enter a command similar to the one below:

python3 49757.py 192.168.1.180
Run the python script

As you can see from the above image, the exploit was successful. I was able to open a shell on the target server and I am able to run different commands.

4. Exploit the target server using telnet

The same result can be achieved manually by running the telnet command.

First, you need to run the telnet command on port 21. You can use a command similar to this one:

telnet 192.168.1.180 21
Telnet to the target server on port 21

After the connection is closed, run a second telnet command, this time on port 6200.

telnet 192.168.1.180 6200
Open a remote shell and execute commands

As you can see, I was able to open a remote shell and execute commands on the target FTP server. This is why it is imperative to check your system regularly and upgrade the OS and the software running on it to the latest version. These updates address bugs and improve the security of your host.
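On the defensive side, the pattern from step 4 (a connection to port 21 followed by one to port 6200 on the same server) is easy to look for in connection logs. The following detector is an added example, not part of the original post; the log format, the sample records and the 60-second correlation window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source IP, destination IP, destination port.
SAMPLE_LOG = """\
2024-05-01T10:00:00 192.168.1.50 192.168.1.180 21
2024-05-01T10:00:07 192.168.1.50 192.168.1.180 6200
2024-05-01T10:05:00 192.168.1.60 192.168.1.180 21
2024-05-01T10:30:00 192.168.1.60 192.168.1.181 6200
2024-05-01T11:00:00 192.168.1.70 192.168.1.180 21
2024-05-01T11:10:00 192.168.1.70 192.168.1.180 6200
"""

FTP_PORT = 21          # FTP control port used in step 4
SHELL_PORT = 6200      # port the second telnet session connects to
WINDOW = timedelta(seconds=60)  # assumed correlation window


def parse(log):
    """Yield (timestamp, src, dst, dst_port) tuples from the text log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def detect(log, window=WINDOW):
    """Flag every connection to port 6200.

    Severity is "high" when the same server received a port-21 connection
    within the window beforehand, otherwise "medium".
    """
    last_ftp = {}  # server IP -> time of its most recent port-21 connection
    alerts = []
    for ts, src, dst, port in sorted(parse(log)):
        if port == FTP_PORT:
            last_ftp[dst] = ts
        elif port == SHELL_PORT:
            seen = last_ftp.get(dst)
            correlated = seen is not None and ts - seen <= window
            alerts.append((ts.isoformat(), src, dst,
                           "high" if correlated else "medium"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Correlation is keyed on the server address only, so a port-6200 connection from a different source than the FTP client is still rated high.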

It seems that the exploit was successful. I hope you will find this post useful.

PS: If you liked the article, please leave your comment below.
