FTP2RCE

Bo0oM
March 01, 2021

Transcript

  1. Anton “Bo0oM” Lopanitsyn
    FTP2RCE

  4. FTP - Active mode
    [Diagram: command channel and data channel; labels: Port 21, Client’s port, Client’s port]

  5. PORT 95,213,200,115,31,144
    Address: 95.213.200.115
    Port: 31*256+144

  7. 127.0.0.1:8080, OK

    What about redis?

  8. https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0

    https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf

  9. FTP - Passive mode
    [Diagram: command channel and data channel; labels: Port 21, Random port, Random port]

  11. A simple example of vulnerable code

  12. 1. PHP establishes an FTP connection

    $contents = file_get_contents($f);

    2. FakeFTP gives a port with a payload for passive mode

    3. PHP receives the payload from the socket and saves it to $contents

    4. PHP comes to the FTP again. FakeFTP says ok, let's save your file using passive mode

    file_put_contents($f, $contents);

    5. As the socket for passive mode, FakeFTP gives the internal FastCGI port. The payload makes RCE

  13. Into the Wild
    CVE-2021-3129
    https://www.ambionics.io/blog/laravel-debug-rce

  14. https://github.com/tarunkant/Gopherus
    https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator

  15. ?
    • https://twitter.com/i_bo0om

    • https://t.me/webpwn
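
The address encoding on slide 5 and the passive-mode redirection on slide 12 point to a client-side check: decode the six-field address and refuse any data endpoint that is not the control-connection peer. The Python below is an added example, not code from the deck; the function names and the sample replies are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 (PASV) reply.
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(text):
    """Return (IPv4Address, port) from a PORT argument or a 227 reply line."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range 0-255")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return ip, fields[4] * 256 + fields[5]  # port = p1*256 + p2


def check_data_endpoint(reply, control_peer):
    """Allow the advertised data endpoint only if it is the control peer."""
    ip, port = parse_hostport(reply)
    if ip != ipaddress.IPv4Address(control_peer):
        raise ValueError(f"data endpoint {ip}:{port} is not the control peer")
    return ip, port


def audit(replies, control_peer):
    """Return a list of (reply, verdict) for each reply line."""
    results = []
    for line in replies:
        try:
            ip, port = check_data_endpoint(line, control_peer)
            results.append((line, f"allow {ip}:{port}"))
        except ValueError as exc:
            results.append((line, f"reject: {exc}"))
    return results


# Constructed sample replies (addresses taken from slides 5 and 7).
SAMPLES = [
    "227 Entering Passive Mode (95,213,200,115,31,144)",
    "227 Entering Passive Mode (127,0,0,1,31,144)",
    "227 Entering Passive Mode (95,213,200,115,31)",
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLES, "95.213.200.115"):
        print(f"{verdict:55} <- {line}")
```

With the control connection to 95.213.200.115, only the first reply is allowed; the loopback reply and the truncated reply are rejected.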
