Note: the ProFTPD Bugs page, reference [1], gives the following description:
On 6 November 2006, Evgeny Legerov [email protected] posted to BUGTRAQ, announcing his commercial VulnDisco Pack for Metasploit 2.7. One of the included exploits, vd_proftpd.pm, takes advantage of an off-by-one string manipulation flaw in ProFTPD's sreplace() function to allow a remote attacker to execute arbitrary code.
This vulnerability, identified as CVE-2006-5815, is believed to affect all versions of ProFTPD up to and including 1.3.0, but exploitability has only been demonstrated with version 1.3.0rc3. The demonstrated exploit relies on write access via FTP for exploitability, but other attack vectors may make exploitation of a read-only FTP server possible.
Only 1.3.0rc3 has been shown to be exploitable, so we analyze the 1.3.0rc3 source code.
OS: Ubuntu 14.04 LTS
- ./configure --prefix=/usr/local/proftpd (it is best to set the prefix here; otherwise the software is installed directly under /usr/local/ instead of in its own directory!)
- make
- sudo make install
sudo /usr/local/sbin/proftpd
The output shown once the attack is launched:

```
[*] Started reverse TCP handler on 114.212.83.152:4444
[*] 114.212.83.144:21 - Automatically detecting the target...
[-] 114.212.83.144:21 - Exploit aborted due to failure: no-target: No matching target
[*] Exploit completed, but no session was created.
```
Following the hint in the printed output, I located the corresponding code block in the PoC (Ruby file), shown below:

```ruby
print_status("Automatically detecting the target...")
# The FTP greeting banner must name a 1.3.2x or 1.3.3x release,
# where the last character is the patch letter (e.g. "1.3.2c")
if (banner and (m = banner.match(/ProFTPD (1\.3\.[23][^ ]) Server/i))) then
  print_status("FTP Banner: #{banner.strip}")
  version = m[1]
else
  # Any other banner (including 1.3.0rc3) aborts the module here
  fail_with(Failure::NoTarget, "No matching target")
end
```
Why does it stop here with "No matching target"?
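To answer that, here is an added example (not code from the original post or from the Metasploit module) that copies the module's banner regex into a stand-alone function and runs it over constructed FTP greeting lines; the host names and ServerIdent text in the samples are placeholders.

```ruby
# Added example: reproduce the target-detection check from the module.
# Same pattern as the module: only "1.3.2" or "1.3.3" followed by exactly
# one non-space character (the patch letter) and then " Server" matches.
TARGET_BANNER = /ProFTPD (1\.3\.[23][^ ]) Server/i

# Returns the captured version string, or nil when the banner would make
# the module abort with "No matching target".
def detect_target(banner)
  m = banner.match(TARGET_BANNER)
  m ? m[1] : nil
end

# Constructed sample greetings in the shape ProFTPD sends by default:
# "220 ProFTPD <version> Server (<ServerIdent>) [<host>]"
SAMPLE_BANNERS = [
  "220 ProFTPD 1.3.0rc3 Server (ProFTPD Default Installation) [ftp.example]",
  "220 ProFTPD 1.3.0 Server (ProFTPD Default Installation) [ftp.example]",
  "220 ProFTPD 1.3.2 Server (Debian) [127.0.0.1]",
  "220 ProFTPD 1.3.2c Server (Debian) [127.0.0.1]",
  "220 ProFTPD 1.3.3a Server (ProFTPD) [127.0.0.1]",
  "220 FTP server ready",
]

if __FILE__ == $0
  SAMPLE_BANNERS.each do |b|
    v = detect_target(b)
    label = v ? "target #{v}" : "No matching target"
    puts "#{label} <- #{b}"
  end
end
```

Only the 1.3.2c and 1.3.3a banners are accepted: 1.3.0rc3 fails because the regex wants a 2 or 3 after "1.3.", and even a bare "1.3.2" without a patch letter fails because `[^ ]` must consume one character before the space.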
The patch is in the same directory as this file, named "Fix for CVE-2006-5815". Read the patch together with reference [2] to understand how this vulnerability arises from start to finish.
[1] Proftpd Bugs
[2] sebug Exploits-Archives