Thursday, September 29, 2016

Pwning Metasploitable 2: Exploiting the Vulnerable vsFTPd 2.3.4 service (Manually)

I assume from the previous article that you did some research on the vulnerable FTP service (vsFTPd 2.3.4).

A quick intro to what an exploit is:

An exploit is a piece of code that takes advantage of a security gap in application code. In the case of vsFTPd 2.3.4, an intruder modified the original vsFTPd 2.3.4 source code so that a backdoor opens if the username entered ends with the characters “:)”. The backdoored version then opens a listening connection on port 6200.

Let's check it out for ourselves.

Fire up your Kali and Metasploitable 2.

We will skip the host discovery part, as it has already been covered in the previous articles and we want to avoid repetition. You can find it here.

Check the status of port 6200

Enter the command: nmap -p 6200 <<target IP address>>

This command with the “-p” flag tells nmap to scan port 6200 on the given target IP address.

The results show that the port is closed and there is no service running on it.

Activating the backdoored vsFTPd 2.3.4

Enter the command: telnet <<target IP address>> 21

Note that “21” in the above command refers to the port number the FTP service is running on. After the command is executed, you are prompted to enter a username and password to access the system.

You can type anything as the username as long as it has the two characters “:)” at the end, and you will activate the backdoor.

Check the current status of port 6200

Let’s now check the current status of port 6200 with the command: nmap -p 6200 <<target IP address>>

Voila! The port is now open.

Telnet into port 6200

Enter the command: telnet <<target IP address>> 6200

Once connected, type in “id” to see which user you are running as.

With root access you can wreak a lot of havoc.

I will leave it up to you to research telnet commands and how to use them.
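From the defender's side, the two observable signals of this backdoor are the USER command containing “:)” and a follow-up connection to TCP port 6200. The script below is an added example (not from the original post or the vsFTPd project) that correlates those two signals over constructed sample events in an assumed, simplified log layout; it flags the trigger anywhere in the username, which also covers the trailing form described above.

```python
"""Detect vsFTPd 2.3.4 backdoor activity from FTP and connection events.

Input lines use an ASSUMED simplified layout
"<iso-timestamp> <client-ip> <event> <detail>", not vsftpd's real log
format. A USER name containing ":)" is the trigger; a connection from the
same client to port 6200 shortly afterwards means the shell was reached.
"""
from datetime import datetime, timedelta

# Constructed sample events, not real capture data.
SAMPLE_EVENTS = [
    "2016-09-29T10:00:01 10.0.0.5 FTP_USER alice",
    "2016-09-29T10:00:02 10.0.0.5 FTP_PASS ***",
    "2016-09-29T10:01:10 10.0.0.9 FTP_USER hello:)",
    "2016-09-29T10:01:14 10.0.0.9 TCP_CONNECT 6200",
    "2016-09-29T10:02:00 10.0.0.7 FTP_USER bob",
    "2016-09-29T10:03:30 10.0.0.7 TCP_CONNECT 6200",
]

TRIGGER = ":)"           # sequence the backdoored USER handler looks for
BACKDOOR_PORT = "6200"   # port the backdoor listens on once triggered
WINDOW = timedelta(minutes=5)  # max gap between trigger and shell use


def detect_backdoor(events):
    """Return a list of (severity, client_ip, message) findings."""
    findings = []
    triggers = {}  # client_ip -> time of its most recent ":)" USER command
    for line in events:
        ts, ip, kind, detail = line.split(" ", 3)
        when = datetime.fromisoformat(ts)
        if kind == "FTP_USER" and TRIGGER in detail:
            triggers[ip] = when
            findings.append(("high", ip, f"backdoor trigger in USER {detail!r}"))
        elif kind == "TCP_CONNECT" and detail == BACKDOOR_PORT:
            seen = triggers.get(ip)
            if seen is not None and when - seen <= WINDOW:
                findings.append(("critical", ip, "backdoor shell port used after trigger"))
            else:
                # A healthy vsftpd never listens on 6200, so this alone is suspicious.
                findings.append(("medium", ip, "connection to backdoor port 6200"))
    return findings


if __name__ == "__main__":
    for severity, ip, message in detect_backdoor(SAMPLE_EVENTS):
        print(f"[{severity}] {ip}: {message}")
```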

-Jayesh Kerai (@secjay)
