FTP2RCE

Transcript

1. Anton “Bo0oM” Lopanitsyn FTP2RCE

2. None
3. None

4. FTP - Active mode Command channel Data channel Port 21

   Client’s port Client’s port

5. PORT 95,213,200,115,31,144 31*256+144 95.213.200.115

6. None

7. 127.0.0.1:8080, OK What about redis?

8. https://medium.com/@knownsec404team/rce-exploits-of-redis-based-on-master-slave-replication-ef7a664ce1d0 https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf

9. FTP - Passive mode Command channel Data channel Port 21

   Random port Random port
10. None

11. A simple example of vulnerable code

12. 1. PHP establishes an FTP connection $contents = fi le_get_contents($f);

    2. FakeFTP gives a port with a payload for passive mode 3. Receiving a payload from socket and save to $contents 4. PHP comes to the FTP again. FakeFTP says ok, let's save your fi le using passive mode
 fi le_put_contents($f, $contents); 5. As a socket for passive mode puts the internal FastCGI port. The payload makes RCE

13. Into the Wild CVE-2021-3129 https://www.ambionics.io/blog/laravel-debug-rce

14. https://github.com/tarunkant/Gopherus https://github.com/dfyz/ctf-writeups/tree/master/hxp-2020/resonator

15. ? • https://twitter.com/i_bo0om • https://t.me/webpwn