VSFTP – TCP 21

VSFTPD 2.3.4 – Exploit with Metasploit
Port: TCP 21
Service: VSFTPD 2.3.4

Vulnerability: In VSFTP 2.3.4, a malicious backdoor was inserted into the software download archive, and was active between June 30th – July 1st, 2011. A user could login to a host running this compromised version, enter a smiley face “: ) ” as the username, and gain a remote shell on port 6200

Mitigation: Upgrade to the latest version from vendor’s website – https://security.appspot.com/vsftpd.html . Always be sure to download software from trusted sources, and verify with checksums if available.

Proof of Concept
1. In Kali, open a terminal session, and launch Metasploit by typing in ‘msfconsole’. Once Metasploit loads, perform a search for ‘vsftp’.

metasploit-vsftp-search

2. Set Metasploit to use this exploit

metasploit-vsftp-useexploit

3. Show options for the exploit

metasploit-vsftp-showoptions

4. Set the RHOST option to the IP address of your Metasploitable VM

metasploit-vsftp-setrhost

5. Type in ‘exploit’ to run the exploit against Metasploitable

metasploit-vsftp-exploit

6. You now have a command shell open. Type in some basic commands to verify it’s working correctly

metasploit-vsftp-shell-basiccommands

7. Since you’re running as ‘root’, you should be able to access the ‘/etc/shadow’ file. Here, I’m using ‘grep’ to return the lines showing users and password hashes

metasploit-vsftp-shadowfile

Working with hashes
So, now you have retrieved the password hashes, but what’s next? One thing you could do is try to crack the passwords. Kali has a couple of tools to assist with this process.

In order to run a password cracking program, you may need to find out what type of hash you have. Kali has a tool called “Hash-Identifier”, which can be called from the command line. Simply open the program, and paste in one of your hashes to reveal its type:

vsftp-hashidentifier

Here, it tells us the hash type is MD5. We can use that information for the password cracker. The one we’re going to use here is the GUI version of John The Ripper called, Johnny. In Kali, it’s located here:

kali-johnny-location

You will need to create a file that contains the usernames and password hashes from the shadow file. The contents of the file need to be in the following format:

user:hash

For this exercise, I only copied the ‘msfadmin’ user and hash to the file, but you can enter each of the users from the shadow file. Be sure each user:hash combo is on a separate line. Save your file, go to Johnny, and open the file from there. It will load the contents into the main window.

johnny-mainscreen

Once the file is loaded, click on “Start Attack” to begin processing the hashes.

johnny-msfadmin-password

Success! It found the password for the “msfadmin” account.

VSFTP 2.3.4 – Manual Exploitation
Now we’ll perform this same exploit without using Metasploit. Remember, there could be times when you go on a pen-test, that you won’t have access to some of your favorite tools. Knowing how to perform some of these exploits manually can really come in handy.

When this exploit is executed, it opens port 6200 on the victim machine, which you can then connect to for shell access. Let’s see how this works…

1. On your Metasploitable machine, run netstat to verify that port 6200 is not listening

vsftp-metasploitable-netstat-verifyno6200

2. From your Kali machine, connect to the VSFTP service via the command line. When it prompts for the username, type in a random letter followed by : )

vsftp-ftpconnect

3. At this point, the cursor will continue to blink, and not go any farther. Now go to another terminal window, and use netcat to connect to port 6200. If everything works correctly, you should have shell access. Verify by running a couple of shell commands.

vsftp-netcat-shell

And there you have it!

Leave a Reply

Your email address will not be published. Required fields are marked *