## https://sploitus.com/exploit?id=885D9854-A37F-5A73-9F90-EE3F205DE5B0
# Auto-Exploiter Framework

> **โš ๏ธ LEGAL DISCLAIMER โ€” Authorised Use Only**
> This tool is developed strictly for educational purposes and authorised
> penetration testing within isolated lab environments (e.g. Metasploitable 2).
> Using this framework against any system without explicit written permission
> from its owner is **illegal** and **unethical**. The author accepts no
> responsibility for misuse.

---

## Overview

**Auto-Exploiter** is a modular, plugin-driven Python security assessment
framework that automates the end-to-end workflow of:

1. **Reconnaissance** — Running an Nmap service-version scan against a target.
2. **Service Enumeration** โ€” Parsing the XML output into a structured service
   inventory displayed in a rich terminal table.
3. **Automated Assessment** — Routing each discovered service through a
   dynamic plugin registry to find and execute any matching exploit or
   assessment module — with **zero hardcoding** in the orchestrator.

The framework is intentionally minimal in its dependencies and designed to be
extended: dropping a new Python file that subclasses `BasePlugin` into the
`core/` directory is sufficient to have it auto-loaded at the next run.

---

## Architecture

```
auto_exploiter/
├── main.py                  # Orchestrator — scan → match → run
└── core/
    ├── __init__.py
    ├── base_plugin.py       # Abstract BasePlugin interface
    ├── registry.py          # Dynamic plugin discovery & registry
    ├── scanner.py           # Nmap runner + XML parser (NmapScanner)
    └── exploiter.py         # vsftpd 2.3.4 exploit plugin (VsftpdExploit)
```

### Component Descriptions

| Component | Responsibility |
|---|---|
| `main.py` | CLI entry point. Instantiates `PluginRegistry` and `NmapScanner`, orchestrates the three phases (Recon → Match → Assess). |
| `BasePlugin` | Abstract base class defining the `matches(service_info)` and `run(target_ip, service_info)` contract every plugin must satisfy. |
| `PluginRegistry` | Walks `core/` at startup via `pkgutil.iter_modules`, imports every eligible module, and collects concrete `BasePlugin` subclasses. No manual registration required. |
| `NmapScanner` | Executes `nmap -sV -F -oX -` and parses the XML stream. Renders a rich progress spinner during the scan and a formatted services table on completion. |
| `VsftpdExploit` | Concrete `BasePlugin` targeting CVE-2011-2523. Triggers the vsftpd 2.3.4 backdoor over FTP, then attaches to the bind shell on port 6200. |

### Dynamic Plugin Registry — How It Works

```
main.py
  └─► PluginRegistry()
          └─► pkgutil.iter_modules(core/)
                  └─► importlib.import_module(core.)
                          └─► inspect.getmembers → subclasses of BasePlugin
                                  └─► [VsftpdExploit, MyNewPlugin, ...]
```

When `main.py` calls `registry.find_plugins(service_info)`, each registered
plugin's `matches()` method is evaluated against the service dictionary.
Matching plugins have their `run()` method called immediately — no `if/elif`
chains, no hardcoded module names.

---

## Lab Environment Setup (Metasploitable 2)

The recommended testing environment is **Metasploitable 2** — a deliberately
vulnerable Linux VM provided by Rapid7 for security training.

### Prerequisites

| Requirement | Version |
|---|---|
| Python | ≥ 3.10 |
| Nmap | ≥ 7.x (must be on `PATH`) |
| Virtualisation | VirtualBox or VMware |

### 1 — Download Metasploitable 2

Download the Metasploitable 2 OVA from the official Rapid7 repository and
import it into VirtualBox or VMware.

### 2 — Network Configuration

Set **both** your Kali/attacker VM and the Metasploitable 2 VM to use a
**Host-Only** (or **NAT Network**) adapter so they can communicate without
being exposed to the internet.

```
Attacker (Kali)  ←── Host-Only Adapter ──→  Metasploitable 2
192.168.56.100                               192.168.56.101
```

Verify connectivity:

```bash
ping 192.168.56.101
```

### 3 — Install Framework Dependencies

```bash
git clone https://github.com//auto_exploiter.git
cd auto_exploiter
python -m venv .venv
source .venv/bin/activate        # Windows: .venv\Scripts\activate
pip install -r requirements.txt
```

---

## Usage

### Basic Scan + Exploit

```bash
python main.py 192.168.56.101
```

**Example output:**

```
 ___         __           ___           __      _ __         
/   | __ __ / /____  ____/ __/_ _____ / /____ (_) /____ ____
...

[*] Discovering plugins …
[+] 1 plugin(s) loaded: vsftpd 2.3.4 Backdoor (CVE-2011-2523)

──────────────── Phase 1 — Reconnaissance ────────────────

  ⠋ Running Nmap scan on 192.168.56.101 ████████████ 0:00:07

╭─────────────────────────────────────────────────────╮
│      Discovered Services — 192.168.56.101           │
├──────┬──────────┬──────────┬────────────────────────┤
│ Port │ Protocol │ Service  │ Version                │
├──────┼──────────┼──────────┼────────────────────────┤
│   21 │ TCP      │ ftp      │ vsftpd 2.3.4           │
│   22 │ TCP      │ ssh      │ OpenSSH 4.7p1          │
│   80 │ TCP      │ http     │ Apache httpd 2.2.8     │
╰──────┴──────────┴──────────┴────────────────────────╯

──────────────── Phase 2 — Plugin Matching ────────────────
[+] Plugin vsftpd 2.3.4 Backdoor (CVE-2011-2523) matched ftp on port 21.

──── Phase 3 — Assessment · vsftpd 2.3.4 Backdoor ────
[*] Triggering vsftpd backdoor on 192.168.56.101:21 …
[*] Payload sent. Waiting 2.0s for bind shell on port 6200 …
╔══════════════════════════════════╗
║           Remote Shell           ║
║  Bind shell acquired!            ║
║  Type exit to terminate.         ║
╚══════════════════════════════════╝
id
uid=0(root) gid=0(root)
exit

[+] Session terminated cleanly.
──────────────── Assessment Complete ────────────────
```

### List Loaded Plugins

```bash
python main.py --list
```

### Custom Nmap Path

```bash
python main.py 192.168.56.101 --nmap /usr/local/bin/nmap
```

### CLI Reference

```
usage: auto_exploiter [-h] [--list] [--nmap PATH] [target]

positional arguments:
  target       Target IPv4/IPv6 address or hostname.

options:
  -h, --help   show this help message and exit
  --list       List all auto-discovered plugins and exit.
  --nmap PATH  Path to the nmap binary (default: nmap on PATH).
```

---

## Adding a New Plugin

1. Create a new file under `core/`, e.g. `core/my_plugin.py`.
2. Subclass `BasePlugin` and implement both abstract methods:

```python
# core/my_plugin.py
from core.base_plugin import BasePlugin
from typing import Dict

class MyPlugin(BasePlugin):
    PLUGIN_NAME = "My Custom Check"

    def matches(self, service_info: Dict) -> bool:
        return service_info.get("service") == "http"

    def run(self, target_ip: str, service_info: Dict) -> None:
        print(f"Running HTTP check against {target_ip}:{service_info['port']}")
```

3. Run `python main.py ` — `MyPlugin` is discovered and loaded
   automatically. No changes to `main.py` are needed.
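The discovery chain drawn in the Dynamic Plugin Registry section and the drop-in workflow of steps 1 to 3 above, as one stand-alone added example. This is not the project's `registry.py`: it builds a throwaway package named `demo_core` (a hypothetical stand-in for `core/`) in a temporary directory, containing a `BasePlugin`, two plugins (`FtpBannerCheck`, `HttpHeaderCheck`) and one module whose import fails, then discovers plugins with `pkgutil.iter_modules` → `importlib.import_module` → `inspect.getmembers` and skips the broken module the way the Error Handling table describes. `build_registry()`, `assess()` and the plugin names are this example's own, not the framework's.

```python
"""Plugin discovery as the README describes it, in a stand-alone added example.
Not the framework's registry.py: ``demo_core`` is a throwaway package (hypothetical
stand-in for core/) built in a temp dir with a BasePlugin, two plugins and one
deliberately broken module, so the skip-on-import-error path is exercised too.
"""
import importlib
import inspect
import pkgutil
import sys
import tempfile
import textwrap
from pathlib import Path
from typing import Dict, List

PACKAGE = "demo_core"

PACKAGE_FILES = {  # constructed module sources, written to disk by build_registry()
    "__init__.py": "",
    "base_plugin.py": """
        from abc import ABC, abstractmethod
        class BasePlugin(ABC):
            PLUGIN_NAME = "unnamed"
            @abstractmethod
            def matches(self, service_info) -> bool: ...
            @abstractmethod
            def run(self, target_ip, service_info) -> None: ...
    """,
    "ftp_banner.py": """
        from demo_core.base_plugin import BasePlugin
        class FtpBannerCheck(BasePlugin):
            PLUGIN_NAME = "FTP banner check"
            def matches(self, service_info):
                return service_info.get("service") == "ftp"
            def run(self, target_ip, service_info):
                print(f"[{self.PLUGIN_NAME}] {target_ip}:{service_info['port']} "
                      f"reports {service_info.get('version', '?')}")
    """,
    "http_headers.py": """
        from demo_core.base_plugin import BasePlugin
        class HttpHeaderCheck(BasePlugin):
            PLUGIN_NAME = "HTTP header check"
            def matches(self, service_info):
                return service_info.get("service") == "http"
            def run(self, target_ip, service_info):
                print(f"[{self.PLUGIN_NAME}] {target_ip}:{service_info['port']}")
    """,
    # A module whose import fails: the registry must skip it, not abort the run.
    "broken.py": "import module_that_does_not_exist\n",
}


class PluginRegistry:
    """Walk a package, import each module, keep concrete BasePlugin subclasses."""

    def __init__(self, package: str = PACKAGE) -> None:
        self.plugins: List[object] = []
        self.errors: List[str] = []
        pkg = importlib.import_module(package)
        base = importlib.import_module(f"{package}.base_plugin").BasePlugin
        for info in pkgutil.iter_modules(pkg.__path__):  # pkgutil.iter_modules(core/)
            if info.name == "base_plugin":
                continue
            try:
                module = importlib.import_module(f"{package}.{info.name}")
            except Exception as exc:  # broken plugin: log to stderr, keep loading the rest
                self.errors.append(f"{info.name}: {exc}")
                print(f"[!] Skipping plugin module {info.name}: {exc}", file=sys.stderr)
                continue
            for _, cls in inspect.getmembers(module, inspect.isclass):
                # The module re-exports BasePlugin itself; drop it and any abstract
                # intermediate so only instantiable plugins end up in the registry.
                if issubclass(cls, base) and cls is not base and not inspect.isabstract(cls):
                    self.plugins.append(cls())

    def find_plugins(self, service_info: Dict) -> List[object]:
        return [p for p in self.plugins if p.matches(service_info)]


_REGISTRY = None


def build_registry() -> PluginRegistry:
    """Write the demo package once, put its parent dir on sys.path, discover plugins."""
    global _REGISTRY
    if _REGISTRY is None:
        root = Path(tempfile.mkdtemp(prefix="plugin_registry_demo_"))
        (root / PACKAGE).mkdir()
        for fname, body in PACKAGE_FILES.items():
            (root / PACKAGE / fname).write_text(textwrap.dedent(body))
        sys.path.insert(0, str(root))
        _REGISTRY = PluginRegistry()
    return _REGISTRY


def assess(registry: PluginRegistry, target_ip: str, services: List[Dict]) -> List[str]:
    """Phases 2 and 3: call run() on every matching plugin; report what ran."""
    ran = []
    for svc in services:
        for plugin in registry.find_plugins(svc):
            plugin.run(target_ip, svc)
            ran.append(f"{plugin.PLUGIN_NAME} -> port {svc['port']}")
    return ran
```

`assess()` is the orchestrator's matching loop in miniature: it returns one line per plugin invocation, so the routing can be checked in a test rather than by reading console output. Because `find_plugins()` is the only dispatch point, adding `http_headers.py`-style modules to the package is all that is needed for new checks to run; nothing in `PluginRegistry` names a plugin.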

---

## Error Handling

The framework is designed to be fault-tolerant:

| Failure Scenario | Behaviour |
|---|---|
| `nmap` not found on PATH | `RuntimeError` with clear install hint; process exits. |
| Nmap scan timeout | `RuntimeError` with timeout advice; process exits. |
| FTP connection refused | Logged as warning; exploit returns `False`; `RuntimeError` raised. |
| Socket timeout during trigger | Caught per-exception; descriptive console message. |
| Bind shell port closed | `RuntimeError` with diagnosis hint. |
| Broken plugin module | Import error logged to `stderr`; module skipped; other plugins still load. |
| `KeyboardInterrupt` during shell | Clean shutdown of socket and receiver thread. |

---

## Extending the Scanner

`NmapScanner` currently runs `nmap -sV -F` (a fast scan of the 100 most common ports). To
scan all ports, pass a custom command by subclassing `NmapScanner` or modifying `_run_nmap`:

```python
cmd = [self.nmap_path, "-sV", "-p-", "-oX", "-", target]  # all 65535 ports
```
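The scan-to-inventory path that the `NmapScanner` row of the Component Descriptions table and this section describe, as a stand-alone added example rather than the project's `scanner.py`. `build_nmap_command()` produces the default `-F` argv or the `-p-` variant shown above, `run_nmap()` wraps the subprocess call and turns the missing-binary and timeout cases into `RuntimeError` as the Error Handling table lists, and `parse_nmap_xml()` converts `-oX -` output into the service dictionaries that plugins' `matches()` receive. `SAMPLE_NMAP_XML` is constructed here to resemble a scan of the lab host; the function, parameter and dictionary key names are this example's own assumptions.

```python
"""Scan-to-inventory step of NmapScanner, re-implemented as a stand-alone added
example (not the project's scanner.py). SAMPLE_NMAP_XML is constructed to mimic
``nmap -sV -F -oX -`` output for the lab host; nothing touches the network
unless run_nmap() is called explicitly.
"""
import shutil
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, List

SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -F -oX - 192.168.56.101">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4" method="probed"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="4.7p1" extrainfo="protocol 2.0"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.8" extrainfo="(Ubuntu) DAV/2"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="filtered"/>
        <service name="netbios-ssn" method="table"/>
      </port>
      <port protocol="tcp" portid="512">
        <state state="open"/>
        <service name="exec" method="table"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def build_nmap_command(nmap_path: str, target: str, all_ports: bool = False) -> List[str]:
    """argv for the scan: -F covers the 100 most common ports, -p- all 65535."""
    port_flag = "-p-" if all_ports else "-F"
    return [nmap_path, "-sV", port_flag, "-oX", "-", target]


def run_nmap(target: str, nmap_path: str = "nmap", timeout: int = 600, all_ports: bool = False) -> str:
    """Run Nmap and return its XML. Missing binary and timeout become RuntimeError."""
    if shutil.which(nmap_path) is None:
        raise RuntimeError(f"nmap not found at {nmap_path!r}: install Nmap or pass --nmap PATH")
    try:
        proc = subprocess.run(build_nmap_command(nmap_path, target, all_ports),
                              capture_output=True, text=True, timeout=timeout, check=True)
    except subprocess.TimeoutExpired as exc:
        raise RuntimeError(f"nmap exceeded {timeout}s; narrow the port range or raise the timeout") from exc
    except subprocess.CalledProcessError as exc:
        raise RuntimeError(f"nmap exited {exc.returncode}: {exc.stderr.strip()}") from exc
    return proc.stdout


def parse_nmap_xml(xml_text: str) -> List[Dict]:
    """Turn -oX output into the service dicts plugins' matches() receive.
    Only open ports on hosts that are up count; an unprobed port keeps an empty version."""
    services: List[Dict] = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr = host.find("address")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            services.append({
                "host": addr.get("addr", "") if addr is not None else "",
                "port": int(port.get("portid")),
                "protocol": port.get("protocol", "tcp").upper(),
                "service": attrs.get("name", ""),
                # The table's Version column: product + version, e.g. "vsftpd 2.3.4"
                "version": " ".join(p for p in (attrs.get("product", ""), attrs.get("version", "")) if p),
                "extrainfo": attrs.get("extrainfo", ""),
            })
    return services


if __name__ == "__main__":
    for s in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(f"{s['port']:>5} {s['protocol']:<4} {s['service']:<12} {s['version']}")
```

Parsing the XML stream rather than Nmap's human-readable output is what makes the service table stable across Nmap versions; the `version` string is assembled from `product` and `version` separately so a plugin can still match on `service` alone when version detection returned nothing (port 512 in the sample).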

---

## Security Considerations

- **Isolation** — Only run this framework inside a fully isolated lab network
  (Host-Only or air-gapped). Never attach the Metasploitable VM to the internet.
- **Root / sudo** — Some Nmap scan types (e.g. SYN scan with `-sS`) require
  elevated privileges. The default `-sV -F` scan works without root.
- **Rate limiting** — The framework does not implement scan throttling. On
  real networks, even authorised scans can trigger IDS/IPS alerts.

---

## License

This project is released under the **MIT License**. See `LICENSE` for details.

---

## References

- [CVE-2011-2523 — vsftpd 2.3.4 Backdoor](https://nvd.nist.gov/vuln/detail/CVE-2011-2523)
- [Rapid7 Metasploitable 2](https://docs.rapid7.com/metasploit/metasploitable-2/)
- [Nmap Reference Guide](https://nmap.org/book/man.html)
- [Rich — Beautiful terminal formatting for Python](https://github.com/Textualize/rich)