Script ftp-vsftpd-backdoor

Script types: portrule
Categories: exploit, intrusive, malware, vuln
Download: https://svn.nmap.org/nmap/scripts/ftp-vsftpd-backdoor.nse

Script Summary

Tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

References:

• http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
• https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
• http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CVE-2011-2523

Script Arguments

ftp-vsftpd-backdoor.cmd

Command to execute in shell (default is id).

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script ftp-vsftpd-backdoor -p 21 <host>

Script Output

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  BID:48539
|     Description:
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       The backdoor was already triggered
|       Shell command: id
|       Results: uid=0(root) gid=0(root) groups=0(root)
|     References:
|       https://www.securityfocus.com/bid/48539
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb

Requires

• ftp
• nmap
• shortport
• stdnse
• string
• table
• vulns

---

Author:

• Daniel Miller

License: Same as Nmap--See https://nmap.org/book/man-legal.html