Share
## https://sploitus.com/exploit?id=0CC261B6-9B5B-5867-A6D9-7DADD3BDE9C7
# Detection Engineering & Vulnerability Research - CVE-2011-2523 (vsftpd 2.3.4)

**A CVE to Detection Signature Engineering Project: researching a disclosed vulnerability, building a fingerprint that identifies it externally, and validating detection quality against real lab targets.**



![Python](https://img.shields.io/badge/Python-3776AB?style=for-the-badge&logo=python&logoColor=white)
![HTTP](https://img.shields.io/badge/HTTP-005571?style=for-the-badge&logo=w3c&logoColor=white)
![DNS](https://img.shields.io/badge/DNS-4A90D9?style=for-the-badge&logo=internetarchive&logoColor=white)
![TLS/SSL](https://img.shields.io/badge/TLS%2FSSL-000000?style=for-the-badge&logo=letsencrypt&logoColor=white)
![Networking](https://img.shields.io/badge/Networking-0052CC?style=for-the-badge&logo=cisco&logoColor=white)
![CVEs](https://img.shields.io/badge/CVEs-CC0000?style=for-the-badge&logo=cve&logoColor=white)
![OWASP](https://img.shields.io/badge/OWASP-000000?style=for-the-badge&logo=owasp&logoColor=white)
![Nmap](https://img.shields.io/badge/Nmap-4682B4?style=for-the-badge&logo=nmap&logoColor=white)
![Web Servers](https://img.shields.io/badge/Web%20Servers-orange?style=for-the-badge&logo=nginx&logoColor=white)
![APIs](https://img.shields.io/badge/APIs-6DB33F?style=for-the-badge&logo=fastapi&logoColor=white)
![Linux](https://img.shields.io/badge/Linux-FCC624?style=for-the-badge&logo=linux&logoColor=black)
![Vulnerability Scanning](https://img.shields.io/badge/Vulnerability%20Scanning-B22222?style=for-the-badge&logo=shieldsdotio&logoColor=white)
![Detection Signatures](https://img.shields.io/badge/Detection%20Signatures-8A2BE2?style=for-the-badge&logo=protonvpn&logoColor=white)
![Fingerprinting](https://img.shields.io/badge/Fingerprinting-2E8B57?style=for-the-badge&logo=fingerprint&logoColor=white)



---

##  Why This Project Exists

Most vulnerability-research portfolios stop at "I exploited X." This one is built around a different question, closer to what detection engineering actually asks:

> **Once a CVE is disclosed, how do you reliably identify โ€” externally, at scale, without exploiting anything โ€” which internet-facing assets are actually running the vulnerable technology?**

This repo documents that full workflow for one real CVE: **CVE-2011-2523**, the vsftpd 2.3.4 backdoor. It goes from vulnerability research through fingerprint design, detection script engineering, and validation against live lab targets โ€” deliberately built as *detection*, not exploitation.

---

##  How This Maps to Detection Engineering / Vulnerability Research Work

| Core Function | Where It Lives in This Repo |
|---|---|
| Research newly disclosed CVEs & advisories | `docs/CVE-RESEARCH.md` โ€” CVE-2011-2523 background, affected versions, disclosure timeline |
| Design technology fingerprints & detection signatures | `fingerprint_vsftpd_cve_2011_2523.py` โ€” banner-based version-match signature |
| Build scalable detection logic | Batch mode (`--targets-file`) for fingerprinting multiple hosts in one run |
| Validate detections using real-world assets | Run and validated against live lab targets (Metasploitable2 + closed-port control) |
| Reduce false positives / false negatives | Three-state verdict logic (`vulnerable` / `not_vulnerable` / `undetermined`) instead of a boolean โ€” a closed/filtered port is never silently folded into "not vulnerable" |
| Python scripting for research & validation | Entire detection script + JSON evidence output, no manual steps |
| HTTP/HTTPS, networking fundamentals | Raw TCP/socket-level service interaction, banner parsing |
| Internet-facing infrastructure focus | Designed for external, unauthenticated fingerprinting โ€” no credentials, no exploitation, no service disruption |

---

##  Methodology

```
CVE Disclosure  โ†’  Research & Version Analysis  โ†’  Fingerprint Design
      โ†’  Detection Script  โ†’  Validation (TP/FP/FN review)  โ†’  Evidence Output
```

1. **Research** โ€” Identified CVE-2011-2523 (vsftpd 2.3.4 backdoor): a trojaned build of vsftpd distributed for a ~72-hour window in 2011, triggered by a specific login pattern, granting a remote shell.
2. **Fingerprint design** โ€” vsftpd announces its exact version in the FTP `220` welcome banner. That banner is the fingerprint surface โ€” no authentication, no exploitation required to read it.
3. **Detection script** โ€” `fingerprint_vsftpd_cve_2011_2523.py` connects, captures the banner, regex-matches it against the known vulnerable signature, and classifies the result.
4. **Validation** โ€” Run against a known-vulnerable Metasploitable2 target (confirms true positive) and a closed/filtered port (confirms the script correctly reports `undetermined` rather than a false negative).
5. **Evidence output** โ€” Structured JSON per finding (host, port, banner, verdict, reason, CVE reference, timestamp) โ€” designed to slot into a larger findings pipeline rather than a one-off printout.

---

##  Screenshots โ€” Script & Validation Run

> Rename your screenshot files to match, or update these paths, once uploaded to `/screenshots`.

| Fingerprint Script | Validation Output |
|---|---|
| ![Script](screenshots/fingerprint_vsftpd_cve_2011_2523_py.png) | ![Output](screenshots/validation-output-1.png) |

Additional run detail:

![Detail](screenshots/validation-output-2.png)
![Detail](screenshots/validation-output-3.png)
![Detail](screenshots/validation-output-4.png)
![Detail](screenshots/validation-output-5.png)

---

##  Usage

```bash
# Single target
python3 fingerprint_vsftpd_cve_2011_2523.py --target 192.168.56.101

# Batch โ€” multiple hosts, evidence-style JSON output
python3 fingerprint_vsftpd_cve_2011_2523.py --targets-file targets.json \
    --output evidence/vsftpd_fingerprint_findings.json
```

**Sample output:**

```json
{
  "scan_type": "vsftpd_2.3.4_backdoor_fingerprint",
  "cve": "CVE-2011-2523",
  "total_targets": 1,
  "vulnerable_count": 1,
  "findings": [
    {
      "host": "192.168.56.101",
      "port": 21,
      "banner": "220 (vsFTPd 2.3.4)",
      "verdict": "vulnerable",
      "reason": "Banner matches known vulnerable signature (vsftpd 2.3.4)"
    }
  ]
}
```

---

##  Validation Summary

| Test Case | Target Type | Expected Verdict | Result |
|---|---|---|---|
| Known-vulnerable host | Metasploitable2 (vsftpd 2.3.4) | `vulnerable` | Confirmed |
| Closed/filtered port | Non-listening port | `undetermined` (not a silent false negative) | Confirmed |
| Non-vsftpd service | Other FTP banner | `not_applicable` | Confirmed |

This three-way split is the core detection-quality control in the project: a naive detector collapses "couldn't check" and "checked and clean" into the same result, which is exactly how false negatives hide in production detection logic.

---

##  Repository Structure

```
.
โ”œโ”€โ”€ fingerprint_vsftpd_cve_2011_2523.py
โ”œโ”€โ”€ docs/
โ”‚   โ””โ”€โ”€ CVE-RESEARCH.md
โ”œโ”€โ”€ evidence/
โ”‚   โ””โ”€โ”€ vsftpd_fingerprint_findings.json
โ”œโ”€โ”€ screenshots/
โ”‚   โ””โ”€โ”€ (script + validation run screenshots)
โ””โ”€โ”€ README.md
```

---

##  Roadmap

- [ ] Add fingerprint modules for additional disclosed CVEs (expanding beyond vsftpd)
- [ ] Add Nmap NSE-assisted enumeration as a pre-fingerprint discovery step
- [ ] Add HTTP/TLS-based fingerprinting module (web-technology identification, not just banner services)
- [ ] Add automated false-positive/false-negative regression tests

---

#  Repository Visitors



![](https://komarev.com/ghpvc/?username=solomonhenry-afk&style=for-the-badge&color=brightgreen)



---

#  Author

## BASSEY SOLOMON HENRY

**Cybersecurity Engineer | Detection Engineer | Vulnerability Researcher | Purple Team | SIEM | Enterprise Security**

Focused on the research-to-detection pipeline: taking a disclosed CVE from advisory to a working, validated fingerprint capable of identifying vulnerable technology externally and at scale โ€” built on hands-on offensive and defensive lab work rather than theory alone.

---

#  Connect With Me



 **LinkedIn**

https://www.linkedin.com/in/bassey-solomon-henry/

 **GitHub**

https://github.com/solomonhenry-afk/Bassey-Solomon-Henry

 **Email**

[solomon_henry111@outlook.com](mailto:solomon_henry111@outlook.com)



---

#  Personal Philosophy

> **"A vulnerability isn't real risk until you can prove, at scale, which systems actually have it. Research tells you what's possible โ€” detection engineering tells you what's true."**

### โ€” Bassey Solomon Henry

---



 **If this project is useful, consider starring the repository.**