## https://sploitus.com/exploit?id=1D7155DA-8DC4-5AF6-AC1E-E7AF82084B18
# CVE-2024-48208
The repo contains a Dockerfile to spin up a container for testing and working on CVE-2024-48208.
### Attack path:
1. Reproduce the CVE: Done
2. Understand what we are reading from the OOB read: Done (reading the reply buffer)
3. Understand how the user can modify the buffer: Done (the reply buffer contains the reply from the last request)
4. Make a directory with CRLF characters: Done (Python script)
5. Check whether the chdir() is successful: Done
6. Set up EPSV mode and check the response: Done (the dirname changes with every exploit run right now)
7. Check whether we can replicate this for restricted directories: Done (with a directory owned by ftpuser2)
8. Present this as a pivot from the original CVE OOB read to jail escape/broken access control: Done
9. Exploit automation: Done
### Building the environment:
`sudo docker build -t pure-ftpd-vuln .`
`sudo docker run -d -p 21:21 -it --name pure-ftpd-vuln pure-ftpd-vuln`
### Accessing FTP:
Open the terminal and type `ftp <Docker-Interface-IP>`
Type the following username and password: `ftpuser:test`
### Building FTP locally:
Open the terminal, cd to the pureftpd directory, and type `make; make install`
The pureftpd directory contains code modified for the PoC, with the following modifications:
1. Smaller reply buffer, to make it easier to show a readable filename.
2. Modified response strings, to fit in the smaller buffer.