Book Review, General, Info Sec | 21-September-2016 | .NetRussell

Penetration Testing Series P6 – Metasploitless – VSFTPD Backdoor Script

I’ve leveled up again! This time with VSFTPD 2.3.4

You can download the tool here

Thanks to some cheeky engineer who decided to build a back door into VSFTPD, I get to work on my Python a little more. This tool, just like the last one, is pretty simple. It was mainly written so I can harden my Python skills and say that I understand one more exploit.

Opening the back door manually

Once the back door is triggered, a hidden shell is opened on the target machine's port 6200.

As we can see here, prior to activating the back door port 6200 is closed.


To manually open the back door, all we need to do is FTP into the server normally with the credentials

Username=backdoor:)

Password=invalid

The FTP connection will appear to hang. Nothing can be done from this terminal now. We need to open a new one to continue.

If we nmap port 6200 again we can see that the port is now open.


Finally we can connect with netcat and start using shell commands.


Building the back door tool

Setup variables

The first thing we need to do is set up our credentials and get the target IP address. Next we create our FTP connection with our target IP address.

Defining the back door trigger function

I had to put the ftp.login call into a function so I can run it on a thread. I'll explain why it needs a background thread in the next section.

ftp.login takes our username and password. This initializes the connection.


Triggering the back door on a thread

I put the login on a separate thread. The reason is that when you call ftp.login it hangs. While it hangs you can't do anything else, including opening the shell to the target server. So to work around this I open the FTP connection on a separate thread. Once this is done we sleep for two seconds to make sure the connection was made. Finally we open the shell with netcat.
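From the defender's side, the two observable events described above (a USER command whose argument contains the smiley trigger, followed by a connection to port 6200) are enough to detect this back door being opened. The following is an added example, not the author's tool: it assumes a constructed event feed of (source IP, destination port, client payload) tuples, such as one a sensor might export, and flags both events.

```python
import re

TRIGGER = b":)"        # byte sequence the backdoored vsftpd 2.3.4 looks for in USER
BACKDOOR_PORT = 6200   # port on which the hidden shell listens once triggered

# Matches an FTP control-channel USER command and captures its argument.
USER_CMD = re.compile(rb"^USER\s+(.*?)\r?\n?$", re.IGNORECASE)


def is_trigger_username(username: bytes) -> bool:
    """True if an FTP USER argument carries the vsftpd 2.3.4 trigger."""
    return TRIGGER in username


def analyze_events(events):
    """
    events: iterable of (src_ip, dst_port, payload) in time order, where
    payload is raw client-to-server data (b"" for a bare TCP connect).
    Returns a list of alert strings; a port-6200 connection from a client
    that previously sent the trigger is escalated to CRITICAL.
    """
    alerts = []
    triggered = set()
    for src, dport, payload in events:
        if dport == 21:
            m = USER_CMD.match(payload)
            if m and is_trigger_username(m.group(1)):
                triggered.add(src)
                alerts.append(f"{src}: vsftpd 2.3.4 backdoor trigger in USER ({m.group(1)!r})")
        elif dport == BACKDOOR_PORT:
            sev = "CRITICAL" if src in triggered else "WARNING"
            alerts.append(f"{src}: {sev} connection to backdoor port {BACKDOOR_PORT}")
    return alerts


# Constructed sample: one benign login, then the trigger sequence from the post.
SAMPLE_EVENTS = [
    ("10.0.0.5", 21, b"USER anonymous\r\n"),
    ("10.0.0.5", 21, b"PASS guest\r\n"),
    ("10.0.0.9", 21, b"USER backdoor:)\r\n"),
    ("10.0.0.9", 21, b"PASS invalid\r\n"),
    ("10.0.0.9", 6200, b""),
]

if __name__ == "__main__":
    for alert in analyze_events(SAMPLE_EVENTS):
        print(alert)
```

Any connection to port 6200 on a host that should only be serving FTP is worth a WARNING on its own, since a scanner may probe the port without having sent the trigger through the same sensor.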


Final Result
