
FTP2RCE

Bo0oM
March 01, 2021


Transcript

  1. Anton “Bo0oM” Lopanitsyn FTP2RCE

  4. FTP, active mode: the command channel goes to the server's port 21; the server then opens the data channel back to the port the client named.
  5. PORT 95,213,200,115,31,144 → host 95.213.200.115, port 31*256+144 = 8080

  7. 127.0.0.1:8080 → OK. What about Redis?

  8. Redis RCE over the data connection:
     https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0
     https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf

  9. FTP, passive mode: the command channel goes to the server's port 21; the server answers PASV with a random port and the client opens the data channel to it.
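Slides 5, 7 and 9 all turn on the same encoding: both the PORT command and the 227 reply to PASV carry a host and port as six comma-separated numbers, with port = p1*256 + p2. The following is an added example, not code from the deck or its author: a parser and encoder for that form, and the one check that closes both directions of the trick. A server that honours PORT 127,0,0,1,... connects to its own loopback on the client's behalf (slide 7); a client that honours a 227 reply naming 127.0.0.1 opens the data connection to an internal service (slide 9 onward). In both cases the fix is the same: the data target must be the peer of the control connection, on an unprivileged port. The function names and the port-range rule (ports below 1024 refused, per the classic FTP bounce mitigation) are my choices.

```python
import ipaddress
import re

# Added example for this deck, not the author's code: the host/port encoding
# shared by the PORT command and the 227 reply to PASV, plus the check that
# stops either side from being pointed at an internal socket.

HOSTPORT_RE = re.compile(r"(\d+,\d+,\d+,\d+,\d+,\d+)")


def parse_hostport(arg):
    """'h1,h2,h3,h4,p1,p2' -> (ip, port), with port = p1*256 + p2."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected six comma-separated numbers: %r" % arg)
    nums = [int(p) for p in parts]
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each field must be 0..255: %r" % arg)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """(ip, port) -> 'h1,h2,h3,h4,p1,p2' for a PORT command or a PASV reply."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv_reply(line):
    """Pull the data-channel target out of a '227 Entering Passive Mode (...)' reply."""
    m = HOSTPORT_RE.search(line)
    if not line.startswith("227") or m is None:
        raise ValueError("not a 227 reply: %r" % line)
    return parse_hostport(m.group(1))


def data_target_allowed(ip, port, peer_ip):
    """Should a data connection to ip:port be opened, given that the other
    end of the control connection is peer_ip?

    Server side: validates a client's PORT (the FTP bounce mitigation).
    Client side: validates a server's 227 reply, which is what defeats a
    redirect of the data channel to 127.0.0.1.  Same rule both ways: the
    data target must be the control-connection peer, on a port >= 1024."""
    try:
        addr = ipaddress.IPv4Address(ip)
        peer = ipaddress.IPv4Address(peer_ip)
    except ipaddress.AddressValueError:
        return False
    if addr.is_multicast or addr.is_unspecified:
        return False
    if addr != peer:
        return False
    return 1024 <= port <= 65535


if __name__ == "__main__":
    # The deck's own values: slide 5 and the loopback target of slide 7.
    print(parse_hostport("95,213,200,115,31,144"))   # ('95.213.200.115', 8080)
    print(encode_hostport("127.0.0.1", 8080))        # 127,0,0,1,31,144
    print(data_target_allowed("127.0.0.1", 8080, "95.213.200.115"))  # False
```

On the client side the same check is what some FTP clients already do: curl, for example, ignores the address in the 227 reply and reuses the control connection's host by default since 7.74.0, so it cannot be steered to an internal port this way. A client that trusts the 227 address as-is is the one the rest of the deck relies on.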
  11. A simple example of vulnerable code

  12. 1. PHP establishes an FTP connection: $contents = file_get_contents($f);
      2. FakeFTP gives a port with a payload for passive mode.
      3. PHP receives the payload from the data socket and saves it to $contents.
      4. PHP comes to the FTP again: file_put_contents($f, $contents); FakeFTP says OK, let's save your file using passive mode.
      5. As the socket for passive mode it gives the internal FastCGI port. The payload makes RCE.
  13. Into the Wild: CVE-2021-3129, https://www.ambionics.io/blog/laravel-debug-rce

  14. https://github.com/tarunkant/Gopherus https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator

  15. ? • https://twitter.com/i_bo0om • https://t.me/webpwn