POC details: 8acbad2e7653a6730fedbd6c04ce890aed074174

Source
Associated vulnerability
Title: CrushFTP code injection vulnerability (CVE-2024-4040)
Description: CrushFTP is a file transfer server. CrushFTP versions before 10.7.1 and 11.1.0 contain a security vulnerability that allows a low-privileged remote attacker to read files from the filesystem outside the VFS sandbox.
Introduction
# CVE-2024-4040: CrushFTP File Read Vulnerability

## Overview

On April 19, 2024, a new zero-day vulnerability affecting CrushFTP versions below 10.7.1 and 11.1.0, as well as legacy 9.x versions, was disclosed to a private mailing list by the managed file transfer vendor CrushFTP. Initially, no CVE was assigned by the vendor, but CVE-2024-4040 was later issued by a third-party CVE Numbering Authority (CNA) on April 22.

This exploit script is written for a CVE analysis on [vsociety](https://www.vicarius.io/vsociety/).

## Impact

As reported by Rapid7, CrowdStrike, and added to the CISA KEV, CVE-2024-4040 has been actively exploited in the wild. Airbus CERT, who discovered the issue, released proof-of-concept code on April 23. Over 5,200 instances of CrushFTP exposed to the public internet are potentially at risk.

## Fixed Versions

- CrushFTP 10.7.1
- CrushFTP 11.1.0

Users of affected versions are urged to update immediately to mitigate the risk associated with this vulnerability.
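As an added defender-side example (not code from the POC repository or from CrushFTP), the following Python snippet classifies observed CrushFTP version strings against the fixed versions listed above, so an inventory of servers can be triaged for patching. The branch boundaries (9.x affected with no fix, 10.x fixed at 10.7.1, 11.x fixed at 11.1.0) come from the text above; the sample banners and the handling of an underscore build suffix are constructed assumptions.

```python
"""
Added example: triage CrushFTP version strings against the CVE-2024-4040
fixed versions (10.7.1 and 11.1.0; legacy 9.x has no fixed release).
Not part of the original POC repository.
"""
import re
from typing import Dict, List, Tuple

# Fixed release per major branch, taken from the advisory text.
# Majors with no entry (9.x) never received a fix in that branch.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    10: (10, 7, 1),
    11: (11, 1, 0),
}
AFFECTED_LEGACY_MAJORS = {9}


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull the dotted numeric version out of a banner such as
    'CrushFTP 10.6.0' or '11.0.3_14'. Anything after an underscore is treated
    as a build tag and ignored (assumption). Short versions are padded with
    zeros so '10.7' compares like (10, 7, 0)."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def classify(text: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    version = parse_version(text)
    major = version[0]
    if major in AFFECTED_LEGACY_MAJORS:
        return "affected"          # 9.x: affected, no fixed build exists
    fixed = FIXED_VERSIONS.get(major)
    if fixed is not None:
        return "affected" if version < fixed else "fixed"
    if major > max(FIXED_VERSIONS):
        return "fixed"             # released after both fixed versions
    return "unknown"               # older major not covered by the advisory


def triage(banners: List[str]) -> Dict[str, List[str]]:
    """Group a list of observed banners by classification."""
    groups: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for banner in banners:
        groups[classify(banner)].append(banner)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["CrushFTP 10.6.0", "CrushFTP 10.7.1", "11.0.3_14",
              "CrushFTP 11.1.0", "9.3.0", "CrushFTP 8.0"]
    for status, items in triage(sample).items():
        print(f"{status:>8}: {items}")
```

Run it against the version banners your asset inventory or scanner records; anything in the `affected` bucket should be scheduled for the upgrade to 10.7.1 or 11.1.0, and `unknown` entries need manual review since the advisory does not describe those branches.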

## Features

- **Read Files**: Allows you to specify a file path on the server to read.
- **Get Admin Session**: Attempts to retrieve admin session tokens from the server.
- **Vulnerability Check**: Checks if the CrushFTP instance is vulnerable to the exploit.

## Prerequisites

Before you begin, ensure you have the following installed:
- Python 3.6 or higher
- `requests` library

You can install the required Python libraries using pip:

```bash
pip install requests
```

## Usage

To use the script, you need to pass certain parameters based on what you want to achieve. Below are the usage instructions for each feature:

#### General Usage

```bash
python exploit.py -t <target-url>
```

#### Reading a File

```bash
python exploit.py -t <target-url> -r <path-to-file>
```

#### Obtaining session tokens

The script first downloads the `sessions.obj` serialized Java file that contains the session tokens.

```bash
python exploit.py -t <target-url> -s
```

#### Performing a vulnerability check

```bash
python exploit.py -t <target-url> -c
```

# Disclaimer

This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations.
File snapshot

```
[4.0K] /data/pocs/8acbad2e7653a6730fedbd6c04ce890aed074174
├── [3.9K] exploit.py
├── [2.5K] README.md
└── [1.3K] xdetection.py

0 directories, 3 files
```

Cached for you by the Shenlong bot.

Notes

    1. It is recommended to access the POC through the source link first.
    2. If the source is unavailable or cannot be accessed, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.