CrushFTP Unauthenticated RCE
Description
This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1. It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.
Author(s)
- Ryan Emmons
- Christophe De La Fuente
Platform
Java,Linux,Unix,Windows
Architectures
java, x64, x86
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/multi/http/crushftp_rce_cve_2023_43177
msf exploit(crushftp_rce_cve_2023_43177) > show targets
...targets...
msf exploit(crushftp_rce_cve_2023_43177) > set TARGET < target-id >
msf exploit(crushftp_rce_cve_2023_43177) > show options
...show and set options...
msf exploit(crushftp_rce_cve_2023_43177) > exploit
- Collect and share all the information you need to conduct a successful and efficient penetration test
- Simulate complex attacks against your systems and users
- Test your defenses to make sure they’re ready
- Automate Every Step of Your Penetration Test
Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.
– Jim O’Gorman | President, Offensive Security