Version 2.0.8 is frequently referenced in VulnHub CTF writeups as a service running on target machines like "Stapler," where the goal is usually to find misconfigurations rather than a direct code-execution exploit in that specific version. PwnHouse/OSVDB-73573/README.md at master - GitHub
While there is no widely documented "vsftpd 2.0.8" backdoor exploit, your search likely refers to the famous . This specific version was compromised at the source level in 2011, making it one of the most well-known exploits in cybersecurity history. The Infamous vsftpd 2.3.4 Backdoor vsftpd 208 exploit github link
The backdoor was introduced by the original vsftpd author, Chris Evans. Instead, malicious actors compromised the download tarball of vsftpd 2.0.8 on some mirror sites. The compromised source code contained a backdoor that allowed remote attackers to open a root shell on port 6200 when a specific username ( :) — yes, a smiley face — was used during FTP authentication. Version 2
The exploit is famously simple. If a user tries to log in with a username that ends in a smiley face— :) —it triggers a hidden function called vsf_sysutil_extra() . RominaSR/pentesting-metasploit-vsFTPd - GitHub The Infamous vsftpd 2
For a broader list of vulnerabilities across different versions (such as the 3.0.2 deny_file bypass), check the GitHub Advisory Database. Summary of Version 2.0.8
In July 2011, an unknown attacker compromised the master download server for vsftpd and replaced the legitimate source code for version 2.3.4 with a backdoored version. The developer, Chris Evans, had famously designed vsftpd (which stands for "Very Secure FTP Daemon") to be impenetrable, making the irony of a supply chain hack particularly sharp. How the Backdoor Works (The "Smiley Face" Exploit)