
WIP CraftCMS FTP Template exploit #19772

Draft
wants to merge 1 commit into
base: master

Conversation


@jheysel-r7 jheysel-r7 commented Dec 29, 2024

Drafting this for now as I couldn't get it working but wanted to post what I had so far.

Using the FTPServer mixin I was trying to recreate the same functionality that the pyftpdlib FTP server provides in the PoC when hosting the payload for the vulnerable application to download and then run.

When the PoC triggers the vulnerability and the application reaches out to the FTP server, four anonymous authentication sessions are established, and in the fourth one the EPSV and RETR commands are issued by the client, the file transfer is initiated, and the file gets downloaded successfully.

PoC FTP Logs

-> 220 pyftpdlib 2.0.1 ready.
<- USER anonymous
-> 331 Username ok, send password.
<- PASS ******
-> 230 Login successful.
<- CWD /default
-> 250 "/default" is the current directory.
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default
-> 550 /default is not retrievable.
<- MDTM /default
-> 550 /default is not retrievable


-> 220 pyftpdlib 2.0.1 ready.
<- USER anonymous
-> 331 Username ok, send password.
<- PASS ******
-> 230 Login successful.
<- CWD /default/index.twig
-> 550 Not a directory.
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default/index.twig
-> 213 99
<- MDTM /default/index.twig
-> 213 20241228032605


-> 220 pyftpdlib 2.0.1 ready.
<- USER anonymous
-> 331 Username ok, send password.
<- PASS ******
-> 230 Login successful.
<- CWD /default/index.twig
-> 550 Not a directory.
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default/index.twig
-> 213 99
<- MDTM /default/index.twig
-> 213 20241228032605


-> 220 pyftpdlib 2.0.1 ready.
<- USER anonymous
-> 331 Username ok, send password.
<- PASS ******
-> 230 Login successful.
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default/index.twig
-> 213 99
<- EPSV
-> 229 Entering extended passive mode (|||52721|).
<- RETR /default/index.twig
-> 150 File status okay. About to open data connection.
-> 226 Transfer complete.
<- QUIT
-> 221 Goodbye.

When the Metasploit module triggers the vulnerability and the application reaches out to the Metasploit FTP server, only three anonymous authentication sessions are established. They seem to be almost identical to the first three that occur when testing the PoC; however, the fourth one, where the file transfer occurs, doesn't seem to be initiated by the client, so there's no file transfer and thus no RCE atm.

Module attempt FTP Logs

-> 220 FTP Server Ready
<- USER anonymous
-> 331 Username ok, send password.
<- PASS anonymous
-> 230 Login successful.
<- CWD /default
-> 250 "/default" is current directory.
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default
-> 550 /default is not retrievable.
<- MDTM /default
-> 550 /default is not retrievable.


-> 220 FTP Server Ready
<- USER anonymous
-> 331 Username ok, send password.
<- PASS anonymous
-> 230 Login successful.
<- CWD /default/index.twig
-> 550 Not a directory
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default/index.twig
-> 213 99
<- MDTM /default/index.twig
-> 213 20241228152730


-> 220 FTP Server Ready
<- USER anonymous
-> 331 Username ok, send password.
<- PASS anonymous
-> 230 Login successful.
<- CWD /default/index.twig
-> 550 Not a directory
<- TYPE I
-> 200 Type set to: Binary.
<- SIZE /default/index.twig
-> 213 99
<- MDTM /default/index.twig
-> 213 20241228152730

Obviously I'm missing something. When I return I'll enable some more logging on the target and dig deeper into the pcaps I have, but I thought I would post in case any team member or contributor had any comments or concerns.
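Added example, not code from the PR or from the Metasploit project: a small Ruby script that splits FTP control-channel transcripts like the ones above into per-session client command sequences and reports where the module's transcript stops matching the PoC's. The embedded sample transcripts are constructed, abbreviated from the logs quoted in this PR.

```ruby
# Added example, not from the PR or Metasploit: split FTP control-channel transcripts
# ("-> " server reply, "<- " client command) into sessions at each 220 greeting and
# report where two transcripts diverge. Samples are constructed from the PR's logs.
# PoC transcript: a metadata session, then a session that transfers the file.
POC_LOG = <<~LOG
  -> 220 pyftpdlib 2.0.1 ready.
  <- USER anonymous
  <- SIZE /default/index.twig
  -> 213 99
  -> 220 pyftpdlib 2.0.1 ready.
  <- USER anonymous
  <- EPSV
  -> 229 Entering extended passive mode (|||52721|).
  <- RETR /default/index.twig
  -> 226 Transfer complete.
LOG
# Module transcript: the client never returns for the transfer session.
MODULE_LOG = <<~LOG
  -> 220 FTP Server Ready
  <- USER anonymous
  <- SIZE /default/index.twig
  -> 213 99
LOG

# Per session, the verbs the client sent, e.g. ["USER", "SIZE"].
def client_sessions(log)
  sessions = []
  log.each_line(chomp: true) do |raw|
    dir, text = raw.strip.split(' ', 2)
    sessions << [] if dir == '->' && text.to_s.start_with?('220') # new greeting
    sessions.last << text.split(' ').first if dir == '<-' && !sessions.empty?
  end
  sessions
end

# Human-readable differences between the expected and observed command sequences.
def compare_transcripts(expected_log, actual_log)
  exp, act = client_sessions(expected_log), client_sessions(actual_log)
  diffs = []
  diffs << "session count: expected #{exp.size}, got #{act.size}" if exp.size != act.size
  exp.each_with_index do |cmds, i|
    next if act[i] == cmds
    diffs << (act[i] ? "session #{i + 1}: expected #{cmds.join(' ')}, got #{act[i].join(' ')}" :
                       "session #{i + 1} missing: client never sent #{cmds.join(' ')}")
  end
  diffs
end

puts compare_transcripts(POC_LOG, MODULE_LOG)
```

Run against the full transcripts above, the report points at the missing fourth session (the one carrying EPSV and RETR) rather than at the small wording differences in server replies, which the comparison deliberately ignores.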

Successfully merging this pull request may close these issues.

Request for CVE-2024-56145: Craft CMS RCE