Name | proftpd_mod_copy |
CVE | CVE-2015-3306 |
Exploit Pack | CANVAS |
Description | ProFTPd 1.3.5 Remote File Copy |
Notes | CVE Name: CVE-2015-3306
VENDOR:
NOTES: This exploit abuses the commands of the mod_copy module in ProFTPd (version <= 1.3.5). The SITE CPFR/CPTO commands can be used by unauthenticated clients to copy files from any part of the filesystem to a chosen destination. With these commands the mod_copy module allows remote attackers to read and write local files.
In the first part of the attack, the exploit copies /proc/self/cmdline to the /tmp/ folder with a PHP payload as the filename, then copies this file to the webroot as a PHP file.
The second part of the attack involves making a GET request to the PHP file just created, with the PHP shellcode as a parameter. The payload created in the first part will execute the PHP shellcode.
Note about the target: To exploit this vulnerability, the mod_copy module must be compiled in with the ProFTPd sources. Also, we need write privileges on the webroot folder we choose (unless the FTP server was started as root). We must also assume that the webserver has a PHP module.
This exploit has been tested on:
* Ubuntu 13.04 - Linux 3.8.0-19-generic x64. (Successful exploitation)
Command line usage:
$ ./commandlineInterface.py -l 172.16.135.238 -p5556 -v 7
$ python ./exploits/remote/unix/proftpd_mod_copy/proftpd_mod_copy.py -t 172.16.135.238 -l 172.16.135.1 -d 5556
Repeatability: Infinite
References: http://bugs.proftpd.org/show_bug.cgi?id=4169
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306
CERT Advisory: None
Date Public: 05/18/2015
CVSS: 10 |
Learn more about the CANVAS Exploit Pack here: CANVAS |
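Added example, not part of the original entry or of the CANVAS module: a defender-side check that scans an FTP command log for the behaviour the Notes describe (SITE CPFR/CPTO from sessions that never logged in, /proc sources, webroot or .php destinations). The log line format, the `/var/www` webroot default and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "session client command reason")
# Assumed line format: "<session-id> <client-ip> <reply-code> <FTP command line>"
LINE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)(?: (.*))?$")

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
1001 198.51.100.7 350 SITE CPFR /proc/self/cmdline
1001 198.51.100.7 250 SITE CPTO /tmp/.x
1001 198.51.100.7 350 SITE CPFR /tmp/.x
1001 198.51.100.7 250 SITE CPTO /var/www/html/a.php
1002 192.0.2.10 331 USER alice
1002 192.0.2.10 230 PASS (hidden)
1002 192.0.2.10 350 SITE CPFR /home/alice/report.txt
1002 192.0.2.10 250 SITE CPTO /home/alice/report.bak
1003 192.0.2.44 530 PASS (hidden)
1003 192.0.2.44 350 SITE CPFR /etc/passwd
"""

def detect(log_text, webroot="/var/www"):
    """Return an Alert for every suspicious SITE CPFR/CPTO command."""
    authed, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        session, client, code, verb, arg = m.groups()
        if verb.upper() == "PASS" and code == "230":
            authed.add(session)  # 230 = login succeeded
            continue
        sub, _, path = (arg or "").partition(" ")
        sub = sub.upper()
        if verb.upper() != "SITE" or sub not in ("CPFR", "CPTO"):
            continue
        reasons = []
        if session not in authed:
            reasons.append("pre-auth")
        if sub == "CPFR" and path.startswith("/proc/"):
            reasons.append("proc-source")
        if sub == "CPTO" and (path.startswith(webroot) or path.lower().endswith(".php")):
            reasons.append("webroot-or-php-dest")
        if reasons:
            alerts.append(Alert(session, client, f"{sub} {path}", ",".join(reasons)))
    return alerts

if __name__ == "__main__":
    print(*detect(SAMPLE_LOG), sep="\n")
```

The authenticated session 1002 produces no alerts; every copy command in sessions 1001 and 1003 is flagged because no successful login preceded it.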