File ftp-vsftpd-backdoor
Script types: portrule
Categories: exploit, intrusive, malware, vuln
Download: http://nmap.org/svn/scripts/ftp-vsftpd-backdoor.nse
User Summary
Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04
(CVE-2011-2523). This script attempts to exploit the backdoor using the
innocuous id command by default, but that can be changed with the exploit.cmd
or ftp-vsftpd-backdoor.cmd script arguments.
References:
* http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
* https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
* http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523
Script Arguments
exploit.cmd or ftp-vsftpd-backdoor.cmd
Command to execute in shell (default is id).
vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script ftp-vsftpd-backdoor -p 21 <host>
Script Output
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  OSVDB:73573
|     Description:
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       The backdoor was already triggered
|       Shell command: id
|       Results: uid=0(root) gid=0(root) groups=0(root)
|     References:
|       http://osvdb.org/73573
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_      https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13093
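For triage across many hosts, the report block shown under Script Output can be pulled out of saved normal-format output (nmap -oN). The parser below is an added example, not part of the Nmap documentation or the script itself; the function name is hypothetical and the host lines in the sample are constructed.

```python
import re

HEADER = re.compile(r"\|[ _]([\w-]+):")  # "| script-id:" or "|_script-id:"

# Constructed sample: the page's output, shortened, plus made-up host lines
# (192.0.2.0/24 is a documentation range). The second host has no finding.
SAMPLE = """\
Nmap scan report for 192.0.2.10
PORT   STATE SERVICE
21/tcp open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  OSVDB:73573
|     Exploit results:
|       The backdoor was already triggered
|       Shell command: id
|       Results: uid=0(root) gid=0(root) groups=0(root)
|     References:
|_      http://osvdb.org/73573
Nmap scan report for 192.0.2.11
21/tcp open  ftp
"""

def parse_findings(text, script="ftp-vsftpd-backdoor"):
    """Return one dict per host/port that carries the script's report."""
    findings, host, port, block = [], None, None, None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (.+)", line):
            host, block = m.group(1), None
        elif m := re.match(r"(\d+)/tcp\s+open", line):
            port, block = int(m.group(1)), None
        elif m := HEADER.match(line):  # some script's output starts here
            block = {"host": host, "port": port} if m.group(1) == script else None
            if block is not None:
                findings.append(block)
        elif block is not None and line.startswith("|"):
            key, _, value = line.lstrip("|_ ").partition(": ")
            if key in ("State", "Shell command", "Results"):
                block[key.lower()] = value.strip()
            elif key == "IDs":
                block["ids"] = value.split()
            elif key.startswith("The backdoor was already triggered"):
                block["already_triggered"] = True
            if line.startswith("|_"):  # "|_" marks the block's last line
                block = None
    return findings
```

Hosts for which the script printed no report, like the second host in the sample, do not appear in the returned list.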
Requires
Author: Daniel Miller
License: Same as Nmap--See http://nmap.org/book/man-legal.html


