Slide 1

Slide 1 text

FTP2RCE
Anton “Bo0oM” Lopanitsyn

Slide 4

Slide 4 text

FTP - Active mode (diagram: command channel on port 21; data channel to the client's port)

Slide 5

Slide 5 text

PORT 95,213,200,115,31,144 → host 95.213.200.115, port 31*256+144 = 8080

Slide 7

Slide 7 text

127.0.0.1:8080: OK. What about redis?

Slide 8

Slide 8 text

https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0
https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf

Slide 9

Slide 9 text

FTP - Passive mode (diagram: command channel on port 21; data channel on a random port)

Slide 11

Slide 11 text

A simple example of vulnerable code

Slide 12

Slide 12 text

1. PHP establishes an FTP connection:
   $contents = file_get_contents($f);
2. FakeFTP gives a port with a payload for passive mode
3. The payload is received from the socket and saved to $contents
4. PHP comes to the FTP again; FakeFTP says ok, let's save your file using passive mode:
   file_put_contents($f, $contents);
5. As the socket for passive mode, it hands out the internal FastCGI port. The payload results in RCE
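Both the PORT decoding on slide 5 and step 5 above hinge on the client trusting whatever host and port the FTP server announces. This added example (not from the talk) shows the client-side check a defender wants: decode the six-field address and refuse a data channel that points at loopback/private space, differs from the control-connection peer, or lands on a privileged port. The sample strings are constructed; the public IP and the 31,144 (= 8080) fields reuse the slide's values.

```python
import ipaddress
import re

# The six comma-separated byte fields shared by the PORT command and the
# 227 "Entering Passive Mode" reply: h1,h2,h3,h4,p1,p2
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field of a PORT line or 227 reply.

    Returns (ip_string, port), where port = p1*256 + p2 (31,144 -> 8080).
    """
    m = _HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte field out of range in %r" % text)
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def check_passive_reply(reply, control_peer_ip):
    """Decide whether a client should open the data channel a 227 reply announces.

    control_peer_ip is the address the control connection (port 21) already
    talks to. A data address that is loopback/private, differs from that peer,
    or lands on a privileged port is refused: that is what lets a fake FTP
    server steer the client onto an internal service. Returns (allowed, reason).
    """
    host, port = decode_hostport(reply)
    data_ip = ipaddress.ip_address(host)
    if data_ip.is_loopback or data_ip.is_private or data_ip.is_unspecified:
        return False, "data address %s:%d is loopback/private" % (host, port)
    if host != control_peer_ip:
        return False, "data address %s differs from control peer %s" % (host, control_peer_ip)
    if port < 1024:
        return False, "data port %d is privileged" % port
    return True, "data channel %s:%d matches control peer" % (host, port)


if __name__ == "__main__":
    # Constructed samples; the public IP and 31,144 (= 8080) reuse the slide's values.
    print(decode_hostport("PORT 95,213,200,115,31,144"))
    for reply in ("227 Entering Passive Mode (95,213,200,115,31,144)",
                  "227 Entering Passive Mode (127,0,0,1,31,144)",
                  "227 Entering Passive Mode (10,0,0,5,31,144)"):
        print(reply, "->", check_passive_reply(reply, "95.213.200.115"))
```

libcurl applies the same policy through CURLOPT_FTP_SKIP_PASV_IP, which ignores the IP in the 227 reply and reuses the control connection's address.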

Slide 13

Slide 13 text

Into the Wild: CVE-2021-3129
https://www.ambionics.io/blog/laravel-debug-rce

Slide 14

Slide 14 text

https://github.com/tarunkant/Gopherus
https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator

Slide 15

Slide 15 text

?
• https://twitter.com/i_bo0om
• https://t.me/webpwn