## https://sploitus.com/exploit?id=5029566B-1AEF-585D-BD6D-B8728F162EAB
# CVE-2024-4040-RCE-POC
CVE-2024-4040 (CrushFTP VFS escape) or (CrushFTP unauthenticated RCE)
This script attempts to execute command on affected installation of the crushftp.
and ofcourse no authentication and/or user interaction is needed to acheive RCE.
you can execute command on multiple ip adresses in multi-threading functionality.
## Usage:
```
python CVE-2024-4040.py -f (ip list) -c (command, better put inside "")
```
according to shodan there are [~7000](https://www.shodan.io/search?query=http.favicon.hash%3A-1022206565) exposed CrushFTP servers on internet.
I included the results of shodan inside ip.txt file in this download
* shodan dork: "http.favicon.hash:-1022206565"
## [Download: ](https://bit.ly/3Jzu3uO)
[here: ](https://bit.ly/3Jzu3uO)