module
CrushFTP Unauthenticated RCE
Disclosed | Created |
---|---|
08/08/2023 | 04/12/2024 |
Description
This exploit module leverages an Improperly Controlled Modification
of Dynamically-Determined Object Attributes vulnerability
(CVE-2023-43177) to achieve unauthenticated remote code execution.
This affects CrushFTP versions prior to 10.5.1.
It is possible to set some of a user's session properties by sending an
HTTP request with specially crafted header key-value pairs. This enables
an unauthenticated attacker to access files anywhere on the server file
system and steal the session cookies of valid authenticated users. The
attack consists of hijacking a user's session and escalating privileges
to obtain full control of the target. Remote code execution is obtained
by abusing the dynamic SQL driver loading and configuration testing
feature.
Authors
Ryan Emmons, Christophe De La Fuente
Platform
Java, Linux, Unix, Windows
Architectures
java, x64, x86
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/multi/http/crushftp_rce_cve_2023_43177
msf /(7) > show actions
...actions...
msf /(7) > set ACTION < action-name >
msf /(7) > show options
...show and set options...
msf /(7) > run
