The repo contains a Dockerfile to spin up a container for testing and working on CVE-2024-48208.
- Reproduce the CVE: Done
- Understand what we are reading from the OOB read: Done (the reply buffer)
- Understand how the user can modify that buffer: Done (the reply buffer contains the reply to the previous request)
- Make a directory with CRLF characters in its name: Done (Python script)
- Check whether the chdir() succeeds: Done
- Set up EPSV mode and check the response: Done (the directory name changes with every exploit run right now)
- Check whether this can be replicated for restricted directories: Done (with a directory owned by ftpuser2)
- Present it as a pivot from the original CVE OOB read to jail escape / broken access control: Done
- Exploit automation: Done
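As an added, defender-side example that is not part of this repo: a small Python check that flags FTP control-channel commands whose path argument carries CR/LF or other control bytes, the property the PoC above relies on when it creates its directory. The log format (one "user COMMAND argument" line per command) and the sample lines are constructed for the example.

```python
import re

# Constructed sample of an FTP control-channel log, one command per line,
# in the form "user COMMAND argument". The '\r\n' and '\x00' inside the
# quoted arguments are bytes embedded in the path, not line terminators.
SAMPLE_LOG = [
    "ftpuser USER ftpuser",
    "ftpuser PASS ********",
    "ftpuser MKD reports",
    "ftpuser MKD data\r\nx",
    "ftpuser CWD reports",
    "ftpuser CWD ..\x00hidden",
    "ftpuser EPSV",
]

# FTP commands whose argument is a filesystem path.
PATH_COMMANDS = {"MKD", "CWD", "RMD", "DELE", "RNFR", "RNTO",
                 "STOR", "RETR", "LIST", "NLST"}
# Any ASCII control byte, including CR (0x0d) and LF (0x0a).
CONTROL_BYTES = re.compile(r"[\x00-\x1f\x7f]")


def parse_line(line):
    """Split 'user CMD arg...' into (user, command, argument)."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    user, cmd = parts[0], parts[1].upper()
    arg = parts[2] if len(parts) == 3 else ""
    return user, cmd, arg


def find_control_char_paths(lines):
    """Return (user, command, argument, escaped_argument) for every
    path-taking command whose argument contains a control byte."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, cmd, arg = parsed
        if cmd in PATH_COMMANDS and CONTROL_BYTES.search(arg):
            escaped = arg.encode("unicode_escape").decode()
            hits.append((user, cmd, arg, escaped))
    return hits


if __name__ == "__main__":
    for user, cmd, _, escaped in find_control_char_paths(SAMPLE_LOG):
        print(f"control bytes in {cmd} argument from {user}: {escaped}")
```

The same check, applied server-side before a path argument reaches chdir() or mkdir(), is the mitigation the PoC's directory trick depends on being absent.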
sudo docker build -t pure-ftpd-vuln .
sudo docker run -d -p 21:21 -it --name pure-ftpd-vuln pure-ftpd-vuln
Open a terminal and type ftp <Docker-Interface-IP>
Log in with the following username and password: ftpuser:test
Open a terminal, cd to the pureftpd directory, and run make; make install
The pureftpd directory contains the code modified for the PoC, with the following changes:
- A smaller reply buffer, to make it easier to show a readable filename.
- Modified response strings, to fit in the smaller buffer.