CVE-2024-4040 PoC — CrushFTP Code Injection Vulnerability

Associated Vulnerability
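Title: CrushFTP Code Injection Vulnerability (CVE-2024-4040)
Description: CrushFTP is a file transfer server. CrushFTP versions before 10.7.1 and 11.1.0 contain a security vulnerability that allows low-privileged remote attackers to read files from the filesystem outside the VFS sandbox.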
Readme
# CVE-2024-4040: CrushFTP File Read Vulnerability

## Overview

On April 19, 2024, a new zero-day vulnerability affecting CrushFTP versions below 10.7.1 and 11.1.0, as well as legacy 9.x versions, was disclosed to a private mailing list by the managed file transfer vendor CrushFTP. Initially, no CVE was assigned by the vendor, but CVE-2024-4040 was later issued by a third-party CVE Numbering Authority (CNA) on April 22.

This exploit script is written for a CVE analysis on [vsociety](https://www.vicarius.io/vsociety/).

## Impact

CVE-2024-4040 has been actively exploited in the wild, as reported by Rapid7 and CrowdStrike, and it has been added to the CISA KEV. Airbus CERT, which discovered the issue, released proof-of-concept code on April 23. Over 5,200 instances of CrushFTP exposed to the public internet are potentially at risk.

## Fixed Versions

- CrushFTP 10.7.1
- CrushFTP 11.1.0

Users of affected versions are urged to update immediately to mitigate the risk associated with this vulnerability.
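
The version triage below is an added example, not part of the original README or the exploit script: it classifies reported CrushFTP version strings against the fixed releases listed above. The host names, the sample inventory, and the tolerance for a product-name prefix or a `_build` suffix in the version string are constructed assumptions.

```python
import re

# Fixed releases named on this page, keyed by major version.
FIXED = {10: (10, 7, 1), 11: (11, 1, 0)}
# The page lists legacy 9.x as affected and names no fixed 9.x release.
LEGACY_AFFECTED_MAJORS = {9}
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for the first dotted version in text, else None."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one reported version string."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v[0] in LEGACY_AFFECTED_MAJORS:
        return "affected"
    if v[0] in FIXED:
        return "affected" if v < FIXED[v[0]] else "fixed"
    return "unknown"  # branch not covered by the advisory text on this page


def triage(inventory):
    """Group a {host: version_string} inventory into {status: [hosts]}."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "ftp-a.example.internal": "10.7.0",
    "ftp-b.example.internal": "10.7.1",
    "ftp-c.example.internal": "CrushFTP 11.0.9",
    "ftp-d.example.internal": "11.1.0_3",
    "ftp-e.example.internal": "9.4.0",
    "ftp-f.example.internal": "not reported",
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

Hosts that land in `unknown` need a manual check, since a missing or unparseable version string says nothing about patch status.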

## Features

- **Read Files**: Allows you to specify a file path on the server to read.
- **Get Admin Session**: Attempts to retrieve admin session tokens from the server.
- **Vulnerability Check**: Checks if the CrushFTP instance is vulnerable to the exploit.

## Prerequisites

Before you begin, ensure you have the following installed:
- Python 3.6 or higher
- `requests` library

You can install the required Python libraries using pip:

```bash
pip install requests
```

## Usage

To use the script, you need to pass certain parameters based on what you want to achieve. Below are the usage instructions for each feature:

#### General Usage

```bash
python exploit.py -t <target-url>
```

#### Reading a File

```bash
python exploit.py -t <target-url> -r <path-to-file>
```

#### Obtaining session tokens

The script first downloads the `sessions.obj` serialized Java file that contains the session tokens.

```bash
python exploit.py -t <target-url> -s
```

#### Performing a vulnerability check

```bash
python exploit.py -t <target-url> -c
```

# Disclaimer

This exploit script has been created solely for the purposes of research and for the development of effective defensive techniques. It is not intended to be used for any malicious or unauthorized activities. The author and owner of the script disclaim any responsibility or liability for any misuse or damage caused by this software. Users are urged to use this software responsibly and only in accordance with applicable laws and regulations.
File Snapshot

[4.0K] /data/pocs/8acbad2e7653a6730fedbd6c04ce890aed074174
├── [3.9K] exploit.py
├── [2.5K] README.md
└── [1.3K] xdetection.py

0 directories, 3 files