diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd-1.3.3c.tar.gz b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd-1.3.3c.tar.gz
new file mode 100644
index 000000000..78437717e
Binary files /dev/null and b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd-1.3.3c.tar.gz differ
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd.init.d b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd.init.d
new file mode 100644
index 000000000..43a96f92a
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd.init.d
@@ -0,0 +1,223 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: proftpd
+# Required-Start: $remote_fs $syslog $local_fs $network
+# Required-Stop: $remote_fs $syslog $local_fs $network
+# Should-Start: $named
+# Should-Stop: $named
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Starts ProFTPD daemon
+# Description: This script runs the FTP service offered
+# by the ProFTPD daemon
+### END INIT INFO
+
+# Start the proftpd FTP daemon.
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/local/sbin/proftpd
+NAME=proftpd
+
+# Defaults
+RUN="no"
+OPTIONS=""
+CONFIG_FILE=/etc/proftpd/proftpd.conf
+
+PIDFILE=`grep -i 'pidfile' $CONFIG_FILE|sed -e 's/pidfile[\t ]\+//i'`
+if [ "x$PIDFILE" = "x" ];
+then
+ PIDFILE=/var/run/proftpd.pid
+fi
+
+# Read config (will override defaults)
+[ -r /etc/default/proftpd ] && . /etc/default/proftpd
+
+trap "" 1
+trap "" 15
+
+test -f $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+#
+# Servertype could be inetd|standalone|none.
+# In all cases check against inetd and xinetd support.
+#
+if ! egrep -qi "^[[:space:]]*ServerType.*standalone" $CONFIG_FILE
+then
+ if egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.conf 2>/dev/null || \
+ egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.d/* 2>/dev/null || \
+ egrep -qi "^ftp.*/usr/sbin/proftpd" /etc/inetd.conf 2>/dev/null
+ then
+ RUN="no"
+ INETD="yes"
+ else
+ if ! egrep -qi "^[[:space:]]*ServerType.*inetd" $CONFIG_FILE
+ then
+ RUN="yes"
+ INETD="no"
+ else
+ RUN="no"
+ INETD="no"
+ fi
+ fi
+fi
+
+# /var/run could be on a tmpfs
+
+[ ! -d /var/run/proftpd ] && mkdir /var/run/proftpd
+
+inetd_check()
+{
+ if [ ! -x /usr/sbin/inetd -a ! -x /usr/sbin/xinetd ]; then
+ echo "Neither inetd nor xinetd appears installed: check your configuration."
+ fi
+}
+
+start()
+{
+ log_daemon_msg "Starting ftp server" "$NAME"
+
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --oknodo --exec $DAEMON -- -c $CONFIG_FILE $OPTIONS
+ if [ $? != 0 ]; then
+ log_end_msg 1
+ exit 1
+ else
+ log_end_msg 0
+ fi
+}
+
+signal()
+{
+
+ if [ "$1" = "stop" ]; then
+ SIGNAL="TERM"
+ log_daemon_msg "Stopping ftp server" "$NAME"
+ else
+ if [ "$1" = "reload" ]; then
+ SIGNAL="HUP"
+ log_daemon_msg "Reloading ftp server" "$NAME"
+ else
+ echo "ERR: wrong parameter given to signal()"
+ exit 1
+ fi
+ fi
+ if [ -f "$PIDFILE" ]; then
+ start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+ if [ $? = 0 ]; then
+ log_end_msg 0
+ else
+ SIGNAL="KILL"
+ start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+ if [ $? != 0 ]; then
+ log_end_msg 1
+ [ $2 != 0 ] || exit 0
+ else
+ log_end_msg 0
+ fi
+ fi
+ if [ "$SIGNAL" = "KILL" ]; then
+ rm -f "$PIDFILE"
+ fi
+ else
+ log_end_msg 0
+ fi
+}
+
+case "$1" in
+ start)
+ if [ "x$RUN" = "xyes" ] ; then
+ start
+ else
+ start
+# if [ "x$INETD" = "xyes" ] ; then
+# echo "ProFTPD is started from inetd/xinetd."
+# inetd_check
+# else
+# echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+# fi
+ fi
+ ;;
+
+ force-start)
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "Warning: ProFTPD is started from inetd/xinetd (trying to start anyway)."
+ inetd_check
+ fi
+ start
+ ;;
+
+ stop)
+ if [ "x$RUN" = "xyes" ] ; then
+ signal stop 0
+ else
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "ProFTPD is started from inetd/xinetd."
+ inetd_check
+ else
+ echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+ fi
+ fi
+ ;;
+
+ force-stop)
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "Warning: ProFTPD is started from inetd/xinetd (trying to kill anyway)."
+ inetd_check
+ fi
+ signal stop 0
+ ;;
+
+ reload)
+ signal reload 0
+ ;;
+
+ force-reload|restart)
+ if [ "x$RUN" = "xyes" ] ; then
+ signal stop 1
+ sleep 2
+ start
+ else
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "ProFTPD is started from inetd/xinetd."
+ inetd_check
+ else
+ echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+ fi
+ fi
+ ;;
+
+ status)
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "ProFTPD is started from inetd/xinetd."
+ inetd_check
+ exit 0
+ else
+ if [ -f "$PIDFILE" ]; then
+ pid=$(cat $PIDFILE)
+ else
+ pid="x"
+ fi
+ if [ `pidof proftpd|grep "$pid"|wc -l` -ne 0 ] ; then
+ echo "ProFTPD is started in standalone mode, currently running."
+ exit 0
+ else
+ echo "ProFTPD is started in standalone mode, currently not running."
+ exit 3
+ fi
+ fi
+ ;;
+
+ check-config)
+ $DAEMON -t >/dev/null && echo "ProFTPD configuration OK" && exit 0
+ exit 1
+ ;;
+
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|status|force-start|stop|force-stop|reload|restart|force-reload|check-config}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp
new file mode 100644
index 000000000..3ec2a84a5
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp
@@ -0,0 +1,9 @@
+class proftpd_133c_backdoor::config {
+ file { '/etc/proftpd/proftpd.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('proftpd_133c_backdoor/proftpd.erb')
+ }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/install.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/install.pp
new file mode 100644
index 000000000..a8b3a21e1
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/install.pp
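Review bot: In the `start)` case both branches of `if [ "x$RUN" = "xyes" ]` call `start`, so the ServerType/inetd detection at the top of the script is ignored for `start` while `stop`, `restart` and `status` still honour `RUN` and `INETD`; on a host whose configuration is not `ServerType standalone`, this script will start the daemon but then refuse to stop it. Either reduce the case to `start)` / ` start` / ` ;;` or restore the commented-out inetd branch rather than keeping both. In `signal()`, `[ $2 != 0 ] || exit 0` should be `[ "$2" != 0 ] || exit 0`, since an empty `$2` turns the test into a syntax error. The inetd/xinetd patterns also look for `/usr/sbin/proftpd` while `DAEMON` is `/usr/local/sbin/proftpd`, so that detection can never match the binary this module installs; this looks like a lightly edited copy of a distribution init script, so the two paths should be reconciled.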
@@ -0,0 +1,68 @@
+class proftpd_133c_backdoor::install {
+
+ # Install ProFTPd 1.3.3c backdoored version from source tar
+
+ file { '/usr/local/src/proftpd-1.3.3c.tar.gz':
+ owner => root,
+ group => root,
+ mode => '0775',
+ ensure => file,
+ source => 'puppet:///modules/proftpd_133c_backdoor/proftpd-1.3.3c.tar.gz',
+ notify => Exec['unpack'],
+ }
+
+ exec { 'unpack':
+ cwd => '/usr/local/src',
+ command => 'tar -xzvf proftpd-1.3.3c.tar.gz',
+ creates => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ notify => Exec['install_proftpd-1.3.3c'],
+ }
+
+ exec { 'install_proftpd-1.3.3c':
+ cwd => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ command => '/usr/local/src/backdoored_proftpd-1.3.3c/configure', #--prefix=/usr/local/
+ notify => Exec['make_proftpd-1.3.3c'],
+ }
+
+ exec { 'make_proftpd-1.3.3c':
+ require => Exec['install_proftpd-1.3.3c'],
+ cwd => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ command => '/usr/bin/make',
+ notify => Exec['make_install_proftpd-1.3.3c'],
+ }
+
+ exec { 'make_install_proftpd-1.3.3c':
+ require => Exec['install_proftpd-1.3.3c'],
+ cwd => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ command => '/usr/bin/make install',
+ notify => File['/etc/init.d/proftpd'],
+ }
+
+ # ProFTPd init.d service installation
+
+ file { '/etc/init.d/proftpd':
+ require => Exec['make_install_proftpd-1.3.3c'],
+ path => '/etc/init.d/proftpd',
+ owner => root,
+ group => root,
+ mode => '0755',
+ ensure => file,
+ source => 'puppet:///modules/proftpd_133c_backdoor/proftpd.init.d',
+ }
+
+ # Required log and config files/directories
+
+ file { ['/etc/proftpd', '/var/log/proftpd', '/var/log/proftpd/xferlog', '/etc/proftpd/conf.d/']:
+ ensure => directory,
+ }
+
+ file { [ '/etc/proftpd/modules.conf', '/var/log/proftpd/proftpd.log']:
+ ensure => file,
+ }
+
+ # Cleanup
+ exec { 'directory-cleanup':
+ command => '/bin/rm /usr/local/src/* -rf',
+ }
+}
\ No newline at end of file
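Review bot: `Exec['directory-cleanup']` has no `require`, `subscribe` or `refreshonly`, so it runs on every agent run and, unless the agent applies resources in manifest order, may run before or between the unpack/configure/make execs of the same run. Even when it runs last it deletes the tarball that `File['/usr/local/src/proftpd-1.3.3c.tar.gz']` manages, so each later run restores the file, re-notifies `Exec['unpack']` (whose `creates` directory is gone as well), and rebuilds and reinstalls from source. Give the cleanup `require => Exec['make_install_proftpd-1.3.3c']` plus `refreshonly => true` and `subscribe => Exec['make_install_proftpd-1.3.3c']`, and add an idempotency guard to the build chain such as `creates => '/usr/local/sbin/proftpd'` (the path the init script uses as `DAEMON`) so a restored tarball does not trigger a rebuild. `Exec['install_proftpd-1.3.3c']` likewise lacks `refreshonly => true`, so `configure` is re-run on every run regardless of the notify, and `mode => '0775'` grants the tarball an execute bit it does not need.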
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/service.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/service.pp
new file mode 100644
index 000000000..cd653162b
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/service.pp
@@ -0,0 +1,7 @@
+class proftpd_133c_backdoor::service {
+ service { 'proftpd':
+ ensure => running,
+ enable => true,
+ require => File['/etc/init.d/proftpd','/etc/proftpd/proftpd.conf'],
+ }
+}
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/proftpd_133c_backdoor.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/proftpd_133c_backdoor.pp
new file mode 100644
index 000000000..2b10c23e6
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/proftpd_133c_backdoor.pp
@@ -0,0 +1,3 @@
+include proftpd_133c_backdoor::install
+include proftpd_133c_backdoor::config
+include proftpd_133c_backdoor::service
\ No newline at end of file
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml
new file mode 100644
index 000000000..d50945d18
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml
@@ -0,0 +1,40 @@
+
+
+
+ ProFTPD v1.3.3c Backdoor Command Execution
+ Thomas Shaw
+ Jason Keighley
+ MIT
+ A backdoor was introduced into the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th and December
+ 2nd 2010.
+
+
+ ftp
+ user
+ remote
+ linux
+
+
+ low
+
+ 10
+ AV:N/AC:L/Au:N/C:C/I:C/A:C
+ https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
+ proftpd
+ GPL
+
+
+
+
+
+
+ A backdoor in a service
+ Remotely exploitable backdoor in the FTP service
+
+
+
+ proftpd
+
+
\ No newline at end of file
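Review bot: The service only `require`s the config file and init script, so a later change to `/etc/proftpd/proftpd.conf` or `/etc/init.d/proftpd` is written to disk without the running daemon being restarted; `subscribe => File['/etc/init.d/proftpd','/etc/proftpd/proftpd.conf']` in place of `require` gives the same ordering plus the restart. The init script in this commit implements `restart` and returns LSB codes from `status`, so `hasrestart => true` lets Puppet call it rather than doing a stop/start of its own. `service.pp`'s `require` on the config file also presumes `proftpd_133c_backdoor::config` is always included alongside; the top-level `proftpd_133c_backdoor.pp` does that, but nothing in this class enforces it.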
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb
new file mode 100644
index 000000000..ffc87637c
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb
@@ -0,0 +1,189 @@
+#
+# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
+# To really apply changes, reload proftpd after modifications, if
+# it runs in daemon mode. It is not required in inetd/xinetd mode.
+#
+
+# Includes DSO modules
+Include /etc/proftpd/modules.conf
+
+# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
+UseIPv6 off
+# If set on you can experience a longer connection delay in many cases.
+IdentLookups off
+
+ServerName "Debian"
+ServerType standalone
+DeferWelcome off
+
+MultilineRFC2228 on
+DefaultServer on
+ShowSymlinks on
+
+TimeoutNoTransfer 600
+TimeoutStalled 600
+TimeoutIdle 1200
+
+DisplayLogin welcome.msg
+DisplayChdir .message true
+ListOptions "-l"
+
+DenyFilter \*.*/
+
+# Use this to jail all users in their homes
+# DefaultRoot ~
+
+# Users require a valid shell listed in /etc/shells to login.
+# Use this directive to release that constrain.
+# RequireValidShell off
+
+# Port 21 is the standard FTP port.
+Port 21
+
+# In some cases you have to specify passive ports range to by-pass
+# firewall limitations. Ephemeral ports can be used for that, but
+# feel free to use a more narrow range.
+# PassivePorts 49152 65534
+
+# If your host was NATted, this option is useful in order to
+# allow passive tranfers to work. You have to use your public
+# address and opening the passive ports used on your firewall as well.
+# MasqueradeAddress 1.2.3.4
+
+# This is useful for masquerading address with dynamic IPs:
+# refresh any configured MasqueradeAddress directives every 8 hours
+
+ # DynMasqRefresh 28800
+
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30. If you need to allow more than 30 concurrent connections
+# at once, simply increase this value. Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances 30
+
+# Set the user and group that the server normally runs at.
+User root
+Group nogroup
+
+# Umask 022 is a good standard umask to prevent new files and dirs
+# (second parm) from being group and world writable.
+Umask 022 022
+# Normally, we want files to be overwriteable.
+AllowOverwrite on
+
+# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
+# PersistentPasswd off
+
+# This is required to use both PAM-based authentication and local passwords
+# AuthOrder mod_auth_pam.c* mod_auth_unix.c
+
+# Be warned: use of this directive impacts CPU average load!
+# Uncomment this if you like to see progress and transfer rate with ftpwho
+# in downloads. That is not needed for uploads rates.
+#
+# UseSendFile off
+
+TransferLog /var/log/proftpd/xferlog
+SystemLog /var/log/proftpd/proftpd.log
+
+# Logging onto /var/log/lastlog is enabled but set to off by default
+#UseLastlog on
+
+# In order to keep log file dates consistent after chroot, use timezone info
+# from /etc/localtime. If this is not set, and proftpd is configured to
+# chroot (e.g. DefaultRoot or Anonymous-->), it will use the non-daylight
+ # savings timezone regardless of whether DST is in effect.
+ #SetEnv TZ :/etc/localtime
+
+
+ QuotaEngine off
+
+
+
+ Ratios off
+
+
+
+ # Delay engine reduces impact of the so-called Timing Attack described in
+ # http://www.securityfocus.com/bid/11430/discuss
+ # It is on by default.
+
+ DelayEngine on
+
+
+
+ ControlsEngine off
+ ControlsMaxClients 2
+ ControlsLog /var/log/proftpd/controls.log
+ ControlsInterval 5
+ ControlsSocket /var/run/proftpd/proftpd.sock
+
+
+
+ AdminControlsEngine off
+
+
+ #
+ # Alternative authentication frameworks
+ #
+ #Include /etc/proftpd/ldap.conf
+ #Include /etc/proftpd/sql.conf
+
+ #
+ # This is used for FTPS connections
+ #
+ #Include /etc/proftpd/tls.conf
+
+ #
+ # Useful to keep VirtualHost/VirtualRoot directives separated
+ #
+ #Include /etc/proftpd/virtuals.conf
+
+ # A basic anonymous configuration, no upload directories.
+
+ #
+ # User ftp
+ # Group nogroup
+ # # We want clients to be able to login with "anonymous" as well as "ftp"
+ # UserAlias anonymous ftp
+ # # Cosmetic changes, all files belongs to ftp user
+ # DirFakeUser on ftp
+ # DirFakeGroup on ftp
+ #
+ # RequireValidShell off
+ #
+ # # Limit the maximum number of anonymous logins
+ # MaxClients 10
+ #
+ # # We want 'welcome.msg' displayed at login, and '.message' displayed
+ # # in each newly chdired directory.
+ # DisplayLogin welcome.msg
+ # DisplayChdir .message
+ #
+ # # Limit WRITE everywhere in the anonymous chroot
+ #
+ #
+ # DenyAll
+ #
+ #
+ #
+ # # Uncomment this if you're brave.
+ # #
+ # # # Umask 022 is a good standard umask to prevent new files and dirs
+ # # # (second parm) from being group and world writable.
+ # # Umask 022 022
+ # #
+ # # DenyAll
+ # #
+ # #
+ # # AllowAll
+ # #
+ # #
+ #
+ #
+
+ # Include other custom configuration files
+ Include /etc/proftpd/conf.d/
diff --git a/scenarios/simple_examples/proftpd_133c_backdoor_vulnerability.xml b/scenarios/simple_examples/proftpd_133c_backdoor_vulnerability.xml
new file mode 100644
index 000000000..57f85a72f
--- /dev/null
+++ b/scenarios/simple_examples/proftpd_133c_backdoor_vulnerability.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+ file_server
+
+
+
+
+
+
+
\ No newline at end of file
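Review bot: `User root` / `Group nogroup` keeps the daemon running as root after it has bound port 21, whereas the distribution configuration this file appears to be copied from drops to an unprivileged `proftpd` user; in this module it means any code execution inside the FTP service already holds root, which turns the exercise from a service compromise into a full host compromise. If that is intended, record it next to the directive, e.g. `# Runs as root deliberately for this scenario (confirm against the scenario's intent)`; otherwise use `User proftpd` and manage that account in install.pp, since a source build is not expected to create it. Separately, the file contains no ERB expressions, so `config.pp` could use `source =>` instead of `template()` unless the plan is to parameterise directives such as the run-as user here. The `<IfModule>` and `<Anonymous>` tags appear to have been stripped from this rendering, so the indented blocks below `SetEnv` cannot be checked from the hunk as shown.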