## https://sploitus.com/exploit?id=0CC261B6-9B5B-5867-A6D9-7DADD3BDE9C7
# Detection Engineering & Vulnerability Research - CVE-2011-2523 (vsftpd 2.3.4)
**A CVE to Detection Signature Engineering Project: researching a disclosed vulnerability, building a fingerprint that identifies it externally, and validating detection quality against real lab targets.**














---
## Why This Project Exists
Most vulnerability-research portfolios stop at "I exploited X." This one is built around a different question, closer to what detection engineering actually asks:
> **Once a CVE is disclosed, how do you reliably identify โ externally, at scale, without exploiting anything โ which internet-facing assets are actually running the vulnerable technology?**
This repo documents that full workflow for one real CVE: **CVE-2011-2523**, the vsftpd 2.3.4 backdoor. It goes from vulnerability research through fingerprint design, detection script engineering, and validation against live lab targets โ deliberately built as *detection*, not exploitation.
---
## How This Maps to Detection Engineering / Vulnerability Research Work
| Core Function | Where It Lives in This Repo |
|---|---|
| Research newly disclosed CVEs & advisories | `docs/CVE-RESEARCH.md` โ CVE-2011-2523 background, affected versions, disclosure timeline |
| Design technology fingerprints & detection signatures | `fingerprint_vsftpd_cve_2011_2523.py` โ banner-based version-match signature |
| Build scalable detection logic | Batch mode (`--targets-file`) for fingerprinting multiple hosts in one run |
| Validate detections using real-world assets | Run and validated against live lab targets (Metasploitable2 + closed-port control) |
| Reduce false positives / false negatives | Three-state verdict logic (`vulnerable` / `not_vulnerable` / `undetermined`) instead of a boolean โ a closed/filtered port is never silently folded into "not vulnerable" |
| Python scripting for research & validation | Entire detection script + JSON evidence output, no manual steps |
| HTTP/HTTPS, networking fundamentals | Raw TCP/socket-level service interaction, banner parsing |
| Internet-facing infrastructure focus | Designed for external, unauthenticated fingerprinting โ no credentials, no exploitation, no service disruption |
---
## Methodology
```
CVE Disclosure โ Research & Version Analysis โ Fingerprint Design
โ Detection Script โ Validation (TP/FP/FN review) โ Evidence Output
```
1. **Research** โ Identified CVE-2011-2523 (vsftpd 2.3.4 backdoor): a trojaned build of vsftpd distributed for a ~72-hour window in 2011, triggered by a specific login pattern, granting a remote shell.
2. **Fingerprint design** โ vsftpd announces its exact version in the FTP `220` welcome banner. That banner is the fingerprint surface โ no authentication, no exploitation required to read it.
3. **Detection script** โ `fingerprint_vsftpd_cve_2011_2523.py` connects, captures the banner, regex-matches it against the known vulnerable signature, and classifies the result.
4. **Validation** โ Run against a known-vulnerable Metasploitable2 target (confirms true positive) and a closed/filtered port (confirms the script correctly reports `undetermined` rather than a false negative).
5. **Evidence output** โ Structured JSON per finding (host, port, banner, verdict, reason, CVE reference, timestamp) โ designed to slot into a larger findings pipeline rather than a one-off printout.
---
## Screenshots โ Script & Validation Run
> Rename your screenshot files to match, or update these paths, once uploaded to `/screenshots`.
| Fingerprint Script | Validation Output |
|---|---|
|  |  |
Additional run detail:




---
## Usage
```bash
# Single target
python3 fingerprint_vsftpd_cve_2011_2523.py --target 192.168.56.101
# Batch โ multiple hosts, evidence-style JSON output
python3 fingerprint_vsftpd_cve_2011_2523.py --targets-file targets.json \
--output evidence/vsftpd_fingerprint_findings.json
```
**Sample output:**
```json
{
"scan_type": "vsftpd_2.3.4_backdoor_fingerprint",
"cve": "CVE-2011-2523",
"total_targets": 1,
"vulnerable_count": 1,
"findings": [
{
"host": "192.168.56.101",
"port": 21,
"banner": "220 (vsFTPd 2.3.4)",
"verdict": "vulnerable",
"reason": "Banner matches known vulnerable signature (vsftpd 2.3.4)"
}
]
}
```
---
## Validation Summary
| Test Case | Target Type | Expected Verdict | Result |
|---|---|---|---|
| Known-vulnerable host | Metasploitable2 (vsftpd 2.3.4) | `vulnerable` | Confirmed |
| Closed/filtered port | Non-listening port | `undetermined` (not a silent false negative) | Confirmed |
| Non-vsftpd service | Other FTP banner | `not_applicable` | Confirmed |
This three-way split is the core detection-quality control in the project: a naive detector collapses "couldn't check" and "checked and clean" into the same result, which is exactly how false negatives hide in production detection logic.
---
## Repository Structure
```
.
โโโ fingerprint_vsftpd_cve_2011_2523.py
โโโ docs/
โ โโโ CVE-RESEARCH.md
โโโ evidence/
โ โโโ vsftpd_fingerprint_findings.json
โโโ screenshots/
โ โโโ (script + validation run screenshots)
โโโ README.md
```
---
## Roadmap
- [ ] Add fingerprint modules for additional disclosed CVEs (expanding beyond vsftpd)
- [ ] Add Nmap NSE-assisted enumeration as a pre-fingerprint discovery step
- [ ] Add HTTP/TLS-based fingerprinting module (web-technology identification, not just banner services)
- [ ] Add automated false-positive/false-negative regression tests
---
# Repository Visitors

---
# Author
## BASSEY SOLOMON HENRY
**Cybersecurity Engineer | Detection Engineer | Vulnerability Researcher | Purple Team | SIEM | Enterprise Security**
Focused on the research-to-detection pipeline: taking a disclosed CVE from advisory to a working, validated fingerprint capable of identifying vulnerable technology externally and at scale โ built on hands-on offensive and defensive lab work rather than theory alone.
---
# Connect With Me
**LinkedIn**
https://www.linkedin.com/in/bassey-solomon-henry/
**GitHub**
https://github.com/solomonhenry-afk/Bassey-Solomon-Henry
**Email**
[solomon_henry111@outlook.com](mailto:solomon_henry111@outlook.com)
---
# Personal Philosophy
> **"A vulnerability isn't real risk until you can prove, at scale, which systems actually have it. Research tells you what's possible โ detection engineering tells you what's true."**
### โ Bassey Solomon Henry
---
**If this project is useful, consider starring the repository.**