Root causes and fixes documented in TIER3-BRINGUP.md. Summary:
1. BRIDGE env var leaked into Tier-3 subprocess → target VM used tap
instead of SLIRP; fix: env.pop("BRIDGE") in fleet _run_slot.
2. usable_modules filter conditioned on BRIDGE presence → bridge-requiring
modules selected on SLIRP runs; fix: always filter requires_bridge.
3. cmd/unix/interact creates no session.list entry → session_open_timeout
every episode; fix: switch samba_usermap_script to cmd/unix/bind_perl.
4. Per-slot LPORT hostfwd used wrong guest port (host:5444→guest:4444);
fix: extra_host_port:extra_host_port mapping so guest binds the
per-slot LPORT directly.
5. vsftpd backdoor port 6200 hardcoded → collision across concurrent slots;
fix: requires_bridge=true filters it from SLIRP fleet runs.
6. SLIRP false-positive in _wait_for_tcp → exploit fires before Samba
boots (~60 s too early); fix: replace TCP probe with serial console
_wait_for_serial_login that waits for actual "login:" prompt.
7. Stale QEMU survives orchestrator restart (start_new_session=True) →
holds hostfwd ports, new QEMU silently fails; fix: kill by pgid from
old pidfile before rmtree.
8. PORT_BASE default used privileged port 21; fix: default to 2021+slot*100.
9. msfrpcd 6.x returns bytes for all string values even with raw=False;
fix: MSFRpcClient._str() recursive decoder applied to all responses.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
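Items 3 and 9 above are easiest to see side by side in code. The following is an added example, not the project's own MSFRpcClient: it reimplements a recursive decoder under the `_str` name the commit mentions and adds a hypothetical `find_session` lookup over a constructed session.list response (the sample data, field names and the 10.0.2.15 address are assumptions for illustration).

```python
from typing import Any, Optional


def _str(value: Any) -> Any:
    """Recursively decode bytes to str in an msfrpcd response.

    msfrpcd 6.x returns bytes for every string value, including dict keys,
    so decoding at a single call site is not enough; nested containers
    have to be walked. Bytes that are not valid UTF-8 are left untouched.
    """
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return value
    if isinstance(value, dict):
        return {_str(k): _str(v) for k, v in value.items()}
    if isinstance(value, list):
        return [_str(v) for v in value]
    if isinstance(value, tuple):
        return tuple(_str(v) for v in value)
    return value


def find_session(session_list: dict, target_host: str, payload: str) -> Optional[str]:
    """Return the id of a session for target_host opened by payload, or None.

    session_list is the raw (bytes-laden) result of session.list. A payload
    that never registers a session entry, such as cmd/unix/interact, always
    yields None here, which is what the caller sees as session_open_timeout.
    """
    for sid, info in _str(session_list).items():
        if info.get("target_host") == target_host and info.get("via_payload") == payload:
            return str(sid)
    return None


# Constructed sample (assumption): one cmd/unix/bind_perl session as msfrpcd
# would report it, with every string still encoded as bytes.
SAMPLE_SESSION_LIST = {
    1: {
        b"type": b"shell",
        b"target_host": b"10.0.2.15",
        b"via_exploit": b"exploit/multi/samba/usermap_script",
        b"via_payload": b"cmd/unix/bind_perl",
        b"tunnel_peer": b"10.0.2.15:4444",
    }
}
```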
31 lines
973 B
TOML
description = """
vsftpd 2.3.4 intentional backdoor (CVE-2011-2523). Triggered by an FTP
USER name ending with ':)'. Standard Metasploitable2 exploit, fully
deterministic — perfect for a Tier-3 first-light run.

NOTE: The backdoor binds a shell on port 6200 (hardcoded in both the
vulnerable vsftpd binary AND the Metasploit module — not overridable).
msfrpcd connects to RHOSTS:6200 after triggering the backdoor. With
SLIRP+restrict=on and multiple concurrent slots, port 6200 can only be
hostfwd'd once, causing collisions. Requires BRIDGE so the exploit
handler can reach guest:6200 directly via the bridge IP.
"""

[module]
type = "exploit"
path = "unix/ftp/vsftpd_234_backdoor"

[module.options]
RHOSTS = "{{ target_ip }}"
RPORT = 21

[payload]
path = "cmd/unix/interact"

[session]
type = "shell"

[runtime]
# Port 6200 (backdoor bind) is hardcoded; can't offset per-slot.
# Requires bridge so all concurrent slots get distinct guest IPs.
requires_bridge = true