CVE-2024-4040 PoC — CrushFTP Code Injection Vulnerability

Associated Vulnerability
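Title: CrushFTP Code Injection Vulnerability (CVE-2024-4040)
Description: CrushFTP is a file transfer server. CrushFTP versions before 10.7.1 and 11.1.0 contain a security vulnerability that allows low-privileged remote attackers to read files from the filesystem outside the VFS sandbox.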
Description
Exploit for CVE-2024-4040 – Authentication bypass in CrushFTP via CrushAuth cookie and AWS-style header spoofing. Stealthy Python PoC with secure token generation, SSL bypass, and improved output.
Readme
# CVE-2024-4040 — CrushFTP Authentication Bypass Exploit

This repository contains a stealthy Python proof-of-concept (PoC) exploit for **CVE-2024-4040**, a critical vulnerability in CrushFTP (v10 and below) that allows an attacker to bypass authentication using a forged `CrushAuth` cookie and AWS-style `Authorization` header.

## 🚨 Vulnerability Summary

> An unauthenticated attacker can bypass authentication in vulnerable CrushFTP instances by crafting a specific cookie/header combination, gaining unauthorized access to internal web functions.

- **CVE ID**: [CVE-2024-4040](https://nvd.nist.gov/vuln/detail/CVE-2024-4040)
- **Severity**: Critical (CVSS 9.8)
- **Affected**: CrushFTP v10.x (prior to official patch)

---

## ⚙️ Features

- ✅ Python 3.x PoC
- ✅ Secure `CrushAuth` generation using `secrets`
- ✅ Valid AWS-style spoofed `Authorization` header
- ✅ Built-in SSL bypass with suppression
- ✅ No external dependencies (only `requests`)
- ✅ Clean console output with status and detection

---

## 🛠 Usage

```bash
python3 CVE-2024-4040.py http://target-ip:8080 --valid_username crushadmin
```

`target_url` — Base URL of the CrushFTP server

`--valid_username` — Known valid user (default: crushadmin)

---

## 🔍 Example Output

```
[*] CrushFTP Authentication Bypass Exploit
[*] Targeting: http://192.168.1.10:8080
[*] Using username: crushadmin

[+] Exploit Result:

Status_Code    : 200
Response_Text  : {"getUserNameResponse":{"user_name":"crushadmin"}}

[+] CrushFTP Server is VULNERABLE!
```
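
For defenders, the header combination and response shown above can be hunted for in reverse-proxy records. The following is an added example, not part of this repository: the record field names, the regex used for "AWS-style", and every sample value are assumptions constructed for illustration.

```python
import json
import re

# "AWS-style" is assumed to mean SigV4 ("AWS4-HMAC-SHA256 ...") or legacy "AWS key:sig".
AWS_AUTH = re.compile(r"^AWS(4-HMAC-SHA256)?\s", re.IGNORECASE)
CRUSHAUTH = re.compile(r"(?:^|;\s*)CrushAuth=([^;]+)")

def find_bypass_attempts(lines):
    """Flag requests pairing a CrushAuth cookie with an AWS-style Authorization header."""
    issued, findings = set(), []
    for line in lines:
        rec = json.loads(line)
        hdrs = {k.lower(): v for k, v in rec.get("request_headers", {}).items()}
        cookie = CRUSHAUTH.search(hdrs.get("cookie", ""))
        if cookie and AWS_AUTH.match(hdrs.get("authorization", "")):
            reasons = ["aws_style_authorization_with_crushauth"]
            if cookie.group(1) not in issued:
                reasons.append("crushauth_not_issued_by_server")
            if rec.get("status") == 200 and "getUserNameResponse" in rec.get("response_body", ""):
                reasons.append("server_returned_user_context")
            findings.append({"src": rec["src"], "reasons": reasons})
        # Remember tokens the server itself handed out (Set-Cookie on the response).
        new = CRUSHAUTH.search(rec.get("set_cookie", ""))
        if new:
            issued.add(new.group(1))
    return findings

# Constructed records; field names, addresses and token values are illustrative only.
FORGED = {"cookie": "CrushAuth=constructed-unissued-token-B",
          "authorization": "AWS4-HMAC-SHA256 Credential=constructed-value"}
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.0.0.5", "request_headers": {}, "status": 200, "response_body": "",
     "set_cookie": "CrushAuth=constructed-issued-token-A; Path=/"},
    {"src": "10.0.0.5", "request_headers": {"Cookie": "CrushAuth=constructed-issued-token-A"},
     "status": 200, "response_body": '{"getUserNameResponse":{"user_name":"crushadmin"}}'},
    {"src": "203.0.113.7", "request_headers": FORGED, "status": 200,
     "response_body": '{"getUserNameResponse":{"user_name":"crushadmin"}}'},
    {"src": "198.51.100.9", "request_headers": FORGED, "status": 401, "response_body": ""},
]]

if __name__ == "__main__":
    for finding in find_bypass_attempts(SAMPLE_LOG):
        print(finding["src"], ", ".join(finding["reasons"]))
```

The `server_returned_user_context` reason separates a request the server answered with a user context from one it rejected, which is the record to triage first.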

---

## ⚠️ Legal Notice

This code is for educational and authorized security testing purposes only.
Do not use against systems you do not own or have explicit permission to test.


---

## 🙏 Credits

PoC Refactor: illdeed
File Snapshot

```
[4.0K] /data/pocs/89eefce71078dbd7ff09d2122df8192a7fe46f7f
├── [3.2K] CVE-2024-4040.py
├── [1.0K] LICENSE
└── [1.7K] README.md

0 directories, 3 files
```