Vulnerability analysis of VSFTPD 2.3.4 backdoor
After modeling threats, let us load the matching module into Metasploit using the use exploit/unix/ftp/vsftpd_234_backdoor command and analyze the vulnerability details using the info command as follows:
We can see that the vulnerability was allegedly added to the vsftpd
archive between the dates mentioned in the description of the module.
The attack procedure
The concept of the attack on VSFTPD 2.3.4 is to trigger the malicious vsf_sysutil_extra() function by sending a specific sequence of bytes to port 21; on successful execution, this opens the backdoor on port 6200 of the system.
The procedure of exploiting the vulnerability
The following screenshot of the vulnerable source code will make things much clearer:
We can clearly see that if the bytes in the network buffer match the backdoor sequence of 0x3a (a colon) followed by 0x29 (a closing parenthesis), the malicious function is triggered. Furthermore, if we explore the details of the malicious function, we can see...
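The same two-byte check, turned around into detection logic that a defender could run over captured FTP command lines to spot attempts to trip the backdoor. This is an added example, not code from the book or from vsftpd; the command capture is constructed, and the example inspects the argument of every command rather than only the login name, so it is broader than the single check shown in the source screenshot.

```python
# Two-byte trigger tested by the backdoored buffer scan described above:
# 0x3a (':') immediately followed by 0x29 (')').
TRIGGER = b"\x3a\x29"

# Constructed sample of FTP command lines, as a server-side capture might
# record them (not a real log). Each entry is one client command.
SAMPLE_COMMANDS = [
    b"USER anonymous\r\n",
    b"PASS guest@example.com\r\n",
    b"USER backdoor:)\r\n",      # carries the 0x3a 0x29 sequence
    b"PASS whatever\r\n",
    b"USER smile:-)\r\n",        # ':' and ')' not adjacent: benign
]


def contains_trigger(buf: bytes) -> bool:
    """Mirror the vulnerable check: does the buffer hold 0x3a followed by 0x29?"""
    return TRIGGER in buf


def find_trigger_commands(commands):
    """Return (index, verb, argument) for every command whose argument carries
    the backdoor sequence.

    vsftpd 2.3.4 performs the scan on the received login string; this detector
    generalises to the argument of any command so a capture can be checked
    without knowing which verb the client used.
    """
    hits = []
    for idx, line in enumerate(commands):
        line = line.rstrip(b"\r\n")
        verb, _, arg = line.partition(b" ")
        if contains_trigger(arg):
            hits.append((idx, verb.decode("ascii", "replace"), arg))
    return hits


if __name__ == "__main__":
    for idx, verb, arg in find_trigger_commands(SAMPLE_COMMANDS):
        print(f"command {idx}: {verb} argument contains backdoor trigger: {arg!r}")
```

A hit on port 21 followed by a new listener on port 6200 is the pairing worth alerting on; the snippet covers only the first half.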