proftp module updates

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp

@@ -3,13 +3,29 @@ class proftpd_133c_backdoor::config {
   $raw_org = $secgen_parameters['organisation']
   $leaked_filenames = $secgen_parameters['leaked_filenames']
   $strings_to_leak = $secgen_parameters['strings_to_leak']
+  $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+  $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
 
   if $raw_org and $raw_org[0] and $raw_org[0] != '' {
     $organisation = parsejson($raw_org[0])
   } else {
     $organisation = ''
   }
-    file { '/etc/proftpd/proftpd.conf':
+
+  $anon_user = 'ftp' #$secgen_parameters['leaked_username'][0]
+  $anon_user_home = "/home/$anon_user"
+
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  # Create user
+  user { $anon_user:
+    ensure     => present,
+    home       => "$anon_user_home",
+    managehome => true,
+  } ->
+
+
+  file { '/etc/proftpd/proftpd.conf':
     ensure   => present,
     owner    => 'root',
     group    => 'root',
@@ -24,4 +40,11 @@ class proftpd_133c_backdoor::config {
     leaked_from       => "proftpd_133c_backdoor",
     mode              => '0600'
   }
+  ::secgen_functions::leak_files { 'proftpd_133c_backdoor-file-pre-leak':
+    storage_directory => $anon_user_home,
+    leaked_filenames  => $pre_leaked_filenames,
+    strings_to_leak   => $strings_to_pre_leak,
+    leaked_from       => "proftpd_133c_backdoor-pre",
+    mode              => '0600'
+  }
 }

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml

@@ -22,6 +22,8 @@
   <read_fact>leaked_filenames</read_fact>
   <read_fact>welcome_msg</read_fact>
   <read_fact>port</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+  <read_fact>pre_leaked_filenames</read_fact>
 
   <!-- No organisation by default, overrides other values if provided through scenario. -->
   <read_fact>organisation</read_fact>
@@ -41,11 +43,20 @@
     <generator type="filename_generator"/>
   </default_input>
 
-
   <default_input into="welcome_msg">
     <generator type="message_generator"/>
   </default_input>
 
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <default_input into="pre_leaked_filenames">
+    <value>note</value>
+  </default_input>
+
+
   <!--optional vulnerability details-->
   <!--<cve></cve>-->
   <cvss_base_score>10</cvss_base_score>

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb

@@ -156,46 +156,46 @@ SystemLog   /var/log/proftpd/proftpd.log
 
   # A basic anonymous configuration, no upload directories.
 
-  # <Anonymous ~ftp>
-  #   User				ftp
-  #   Group				nogroup
-  #   # We want clients to be able to login with "anonymous" as well as "ftp"
-  #   UserAlias			anonymous ftp
-  #   # Cosmetic changes, all files belongs to ftp user
-  #   DirFakeUser	on ftp
-  #   DirFakeGroup on ftp
-  #
-  #   RequireValidShell		off
-  #
-  #   # Limit the maximum number of anonymous logins
-  #   MaxClients			10
-  #
-  #   # We want 'welcome.msg' displayed at login, and '.message' displayed
-  #   # in each newly chdired directory.
-  #   DisplayLogin			welcome.msg
-  #   DisplayChdir		.message
-  #
-  #   # Limit WRITE everywhere in the anonymous chroot
-  #   <Directory *>
-  #     <Limit WRITE>
-  #       DenyAll
-  #     </Limit>
-  #   </Directory>
-  #
-  #   # Uncomment this if you're brave.
-  #   # <Directory incoming>
-  #   #   # Umask 022 is a good standard umask to prevent new files and dirs
-  #   #   # (second parm) from being group and world writable.
-  #   #   Umask				022  022
-  #   #            <Limit READ WRITE>
-  #   #            DenyAll
-  #   #            </Limit>
-  #   #            <Limit STOR>
-  #   #            AllowAll
-  #   #            </Limit>
-  #   # </Directory>
-  #
-  # </Anonymous>
+  <Anonymous ~<%= @anon_user %>>
+    User				<%= @anon_user %>
+    Group				nogroup
+    # We want clients to be able to login with "anonymous" as well as "ftp"
+    UserAlias			anonymous <%= @anon_user %>
+    # Cosmetic changes, all files belongs to ftp user
+    DirFakeUser	on <%= @anon_user %>
+    DirFakeGroup on <%= @anon_user %>
+
+    RequireValidShell		off
+
+    # Limit the maximum number of anonymous logins
+    MaxClients			10
+
+    # We want 'welcome.msg' displayed at login, and '.message' displayed
+    # in each newly chdired directory.
+    DisplayLogin			welcome.msg
+    DisplayChdir		.message
+
+    # Limit WRITE everywhere in the anonymous chroot
+    <Directory *>
+     <Limit WRITE>
+       DenyAll
+     </Limit>
+    </Directory>
+
+    # Uncomment this if you're brave.
+    # <Directory incoming>
+    #   # Umask 022 is a good standard umask to prevent new files and dirs
+    #   # (second parm) from being group and world writable.
+    #   Umask				022  022
+    #            <Limit READ WRITE>
+    #            DenyAll
+    #            </Limit>
+    #            <Limit STOR>
+    #            AllowAll
+    #            </Limit>
+    # </Directory>
+
+  </Anonymous>
 
   # Include other custom configuration files
   Include /etc/proftpd/conf.d/

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd.init.d

@@ -0,0 +1,223 @@
+#!/bin/sh 
+
+### BEGIN INIT INFO
+# Provides:          proftpd
+# Required-Start:    $remote_fs $syslog $local_fs $network
+# Required-Stop:     $remote_fs $syslog $local_fs $network
+# Should-Start:      $named
+# Should-Stop:       $named
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Starts ProFTPD daemon
+# Description:       This script runs the FTP service offered
+#                    by the ProFTPD daemon
+### END INIT INFO
+
+# Start the proftpd FTP daemon.
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/local/sbin/proftpd
+NAME=proftpd
+
+# Defaults
+RUN="no"
+OPTIONS=""
+CONFIG_FILE=/etc/proftpd/proftpd.conf
+
+PIDFILE=`grep -i 'pidfile' $CONFIG_FILE|sed -e 's/pidfile[\t ]\+//i'`
+if [ "x$PIDFILE" = "x" ];
+then
+	PIDFILE=/var/run/proftpd.pid
+fi
+
+# Read config (will override defaults)
+[ -r /etc/default/proftpd ] && . /etc/default/proftpd
+
+trap "" 1
+trap "" 15
+
+test -f $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+#
+# Servertype could be inetd|standalone|none.
+# In all cases check against inetd and xinetd support.
+#
+if ! egrep -qi "^[[:space:]]*ServerType.*standalone" $CONFIG_FILE
+then
+	if egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.conf 2>/dev/null || \
+	   egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.d/* 2>/dev/null || \
+       egrep -qi "^ftp.*/usr/sbin/proftpd" /etc/inetd.conf 2>/dev/null
+	then
+    		RUN="no"
+    		INETD="yes"
+	else
+		if ! egrep -qi "^[[:space:]]*ServerType.*inetd" $CONFIG_FILE
+		then
+    		RUN="yes"
+			INETD="no"
+		else
+			RUN="no"
+			INETD="no"
+		fi
+	fi
+fi
+
+# /var/run could be on a tmpfs
+
+[ ! -d /var/run/proftpd ] && mkdir /var/run/proftpd
+
+inetd_check()
+{
+	if [ ! -x /usr/sbin/inetd -a ! -x /usr/sbin/xinetd ]; then
+		echo "Neither inetd nor xinetd appears installed: check your configuration."
+	fi
+}
+
+start()
+{
+    log_daemon_msg "Starting ftp server" "$NAME"
+
+    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --oknodo --exec $DAEMON -- -c $CONFIG_FILE $OPTIONS  
+    if [ $? != 0 ]; then
+        log_end_msg 1
+        exit 1
+    else
+        log_end_msg 0
+    fi
+}
+
+signal()
+{
+
+    if [ "$1" = "stop" ]; then
+		SIGNAL="TERM"
+    	log_daemon_msg "Stopping ftp server" "$NAME"
+    else
+	if [ "$1" = "reload" ]; then
+	    SIGNAL="HUP"
+    	log_daemon_msg "Reloading ftp server" "$NAME"
+	else
+	    echo "ERR: wrong parameter given to signal()"
+	    exit 1
+	fi
+    fi
+    if [ -f "$PIDFILE" ]; then
+    	start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+   	 if [ $? = 0 ]; then
+        	log_end_msg 0
+    	else
+		SIGNAL="KILL"
+		start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+    		if [ $? != 0 ]; then
+        		log_end_msg 1
+        		[ $2 != 0 ] || exit 0
+    		else
+        		log_end_msg 0
+    		fi
+    	fi
+   	if [ "$SIGNAL" = "KILL" ]; then
+		rm -f "$PIDFILE"
+    	fi
+    else
+        log_end_msg 0
+    fi
+}
+
+case "$1" in
+    start)
+	if [ "x$RUN" = "xyes" ] ; then
+	    start
+	else
+	    start
+#	    if [ "x$INETD" = "xyes" ] ; then
+#		echo "ProFTPD is started from inetd/xinetd."
+#		inetd_check
+#	    else
+#	    	echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+#	    fi
+	fi
+	;;
+
+    force-start)
+	if [ "x$INETD" = "xyes" ] ; then
+	    echo "Warning: ProFTPD is started from inetd/xinetd (trying to start anyway)."
+		inetd_check
+	fi
+	start
+	;;	
+    
+    stop)
+	if [ "x$RUN" = "xyes" ] ; then
+	    signal stop 0
+	else
+	    if [ "x$INETD" = "xyes" ] ; then
+		echo "ProFTPD is started from inetd/xinetd."
+		inetd_check
+	    else 
+	    	echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+	    fi
+	fi
+	;;
+
+    force-stop)
+	if [ "x$INETD" = "xyes" ] ; then
+	    echo "Warning: ProFTPD is started from inetd/xinetd (trying to kill anyway)."
+		inetd_check
+	fi
+	signal stop 0
+	;;
+
+    reload)
+	signal reload 0
+	;;
+
+    force-reload|restart)
+	if [ "x$RUN" = "xyes" ] ; then
+	    signal stop 1
+	    sleep 2
+	    start
+	else
+	    if [ "x$INETD" = "xyes" ] ; then
+		echo "ProFTPD is started from inetd/xinetd."
+		inetd_check
+	    else 
+	    	echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+	    fi
+	fi
+	;;
+
+    status)
+	if [ "x$INETD" = "xyes" ] ; then
+	    echo "ProFTPD is started from inetd/xinetd."
+		inetd_check
+		exit 0
+	else 
+	    if [ -f "$PIDFILE" ]; then
+	    	pid=$(cat $PIDFILE)
+	    else
+	    	pid="x"
+	    fi
+	    if [ `pidof proftpd|grep "$pid"|wc -l` -ne 0 ] ; then
+	    	echo "ProFTPD is started in standalone mode, currently running."
+			exit 0
+	    else
+	    	echo "ProFTPD is started in standalone mode, currently not running."
+			exit 3
+	    fi
+	fi
+	;;
+
+    check-config)
+        $DAEMON -t >/dev/null && echo "ProFTPD configuration OK" && exit 0
+        exit 1
+        ;;
+
+    *)
+	echo "Usage: /etc/init.d/$NAME {start|status|force-start|stop|force-stop|reload|restart|force-reload|check-config}"
+	exit 1
+	;;
+esac
+
+exit 0

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/config.pp

@@ -0,0 +1,59 @@
+class proftpd_133c_backdoor_nonroot::config {
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $raw_org = $secgen_parameters['organisation']
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+  $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+  $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
+
+  if $raw_org and $raw_org[0] and $raw_org[0] != '' {
+    $organisation = parsejson($raw_org[0])
+  } else {
+    $organisation = ''
+  }
+
+  $anon_user = 'anon' #$secgen_parameters['leaked_username'][0]
+  $anon_user_home = "/home/$anon_user"
+  $deploy_user = 'ftp'
+  $deploy_user_home = "/home/$deploy_user"
+
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+  # Create user
+  user { $anon_user:
+    ensure     => present,
+    home       => "$anon_user_home",
+    managehome => true,
+  } ->
+  user { $deploy_user:
+    ensure     => present,
+    home       => "$deploy_user_home",
+    managehome => true,
+  } ->
+
+
+
+  file { '/etc/proftpd/proftpd.conf':
+    ensure   => present,
+    owner    => 'root',
+    group    => 'root',
+    mode     => '0644',
+    content  => template('proftpd_133c_backdoor_nonroot/proftpd.erb')
+  }
+
+  ::secgen_functions::leak_files { 'proftpd_133c_backdoor_nonroot-file-leak':
+    storage_directory => '/root',
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    leaked_from       => "proftpd_133c_backdoor_nonroot",
+    mode              => '0600'
+  }
+  ::secgen_functions::leak_files { 'proftpd_133c_backdoor_nonroot-file-pre-leak':
+    storage_directory => $anon_user_home,
+    leaked_filenames  => $pre_leaked_filenames,
+    strings_to_leak   => $strings_to_pre_leak,
+    leaked_from       => "proftpd_133c_backdoor_nonroot-pre",
+    mode              => '0644',
+    owner             => $anon_user
+  }
+}

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/install.pp

@@ -0,0 +1,72 @@
+class proftpd_133c_backdoor_nonroot::install {
+
+  # Install ProFTPd 1.3.3c backdoored version from source tar
+
+  file { '/usr/local/src/proftpd-1.3.3c.tar.gz':
+    owner  => root,
+    group  => root,
+    mode   => '0775',
+    ensure => file,
+    source => 'puppet:///modules/proftpd_133c_backdoor_nonroot/proftpd-1.3.3c.tar.gz',
+    notify => Exec['unpack'],
+  }
+
+  exec { 'unpack':
+    cwd     => '/usr/local/src',
+    command => 'tar -xzvf proftpd-1.3.3c.tar.gz',
+    creates => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+    notify  => Exec['install_proftpd-1.3.3c'],
+  }
+
+  ensure_packages('build-essential')
+  ensure_packages('gcc-multilib')
+
+  exec { 'install_proftpd-1.3.3c':
+    cwd     => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    command => '/usr/local/src/backdoored_proftpd-1.3.3c/configure', #--prefix=/usr/local/
+    notify  => Exec['make_proftpd-1.3.3c'],
+    require => Package['build-essential', 'gcc-multilib'],
+  }
+
+  exec { 'make_proftpd-1.3.3c':
+    require     => Exec['install_proftpd-1.3.3c'],
+    cwd         => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    command     => '/usr/bin/make',
+    notify      => Exec['make_install_proftpd-1.3.3c'],
+  }
+
+  exec { 'make_install_proftpd-1.3.3c':
+    require     => Exec['install_proftpd-1.3.3c'],
+    cwd         => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    command     => '/usr/bin/make install',
+    notify      => File['/etc/init.d/proftpd'],
+  }
+
+  # ProFTPd init.d service installation
+
+  file { '/etc/init.d/proftpd':
+    require => Exec['make_install_proftpd-1.3.3c'],
+    path    => '/etc/init.d/proftpd',
+    owner   => root,
+    group   => root,
+    mode    => '0755',
+    ensure  => file,
+    source  => 'puppet:///modules/proftpd_133c_backdoor_nonroot/proftpd.init.d',
+  }
+
+  # Required log and config files/directories
+
+  file { ['/etc/proftpd', '/var/log/proftpd', '/var/log/proftpd/xferlog', '/etc/proftpd/conf.d/']:
+    ensure => directory,
+  }
+
+  file { [ '/etc/proftpd/modules.conf', '/var/log/proftpd/proftpd.log']:
+    ensure => file,
+  }
+
+  # Cleanup
+  exec { 'directory-cleanup':
+    command => '/bin/rm /usr/local/src/* -rf',
+  }
+}

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/service.pp

@@ -0,0 +1,7 @@
+class proftpd_133c_backdoor_nonroot::service {
+  service { 'proftpd':
+    ensure  => running,
+    enable  => true,
+    require => File['/etc/init.d/proftpd','/etc/proftpd/proftpd.conf'],
+  }
+}

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/proftpd_133c_backdoor_nonroot.pp

@@ -0,0 +1,3 @@
+include proftpd_133c_backdoor_nonroot::install
+include proftpd_133c_backdoor_nonroot::config
+include proftpd_133c_backdoor_nonroot::service

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_metadata.xml

@@ -0,0 +1,87 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>ProFTPD v1.3.3c Backdoor Command Execution</name>
+  <author>Thomas Shaw</author>
+  <author>Jason Keighley</author>
+  <module_license>MIT</module_license>
+  <description>A backdoor was introduced into the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th and December
+    2nd 2010.
+  </description>
+
+  <type>ftp</type>
+  <privilege>root_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>server_name</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>welcome_msg</read_fact>
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+  <read_fact>pre_leaked_filenames</read_fact>
+
+  <!-- No organisation by default, overrides other values if provided through scenario. -->
+  <read_fact>organisation</read_fact>
+
+  <default_input into="port">
+    <value>21</value>
+  </default_input>
+
+  <default_input into="server_name">
+    <generator type="username_generator"/>
+  </default_input>
+
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator"/>
+  </default_input>
+
+  <default_input into="welcome_msg">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <default_input into="pre_leaked_filenames">
+    <value>note</value>
+  </default_input>
+
+
+  <!--optional vulnerability details-->
+  <!--<cve></cve>-->
+  <cvss_base_score>10</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+  <reference>https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor</reference>
+  <software_name>proftpd</software_name>
+  <software_license>GPL</software_license>
+
+  <!--optional hints-->
+  <!--<msf_module>exploits/unix/ftp/proftpd_133c_backdoor.rb</msf_module>-->
+  <hint>A backdoor in a service</hint>
+  <solution>Remotely exploitable backdoor in the FTP service</solution>
+
+  <!--Cannot co-exist with other installations-->
+  <conflict>
+    <software_name>proftpd</software_name>
+  </conflict>
+  <!--Cannot co-exist with other ftp servers (default to same ports)-->
+  <conflict>
+    <type>^ftp$</type>
+  </conflict>
+
+
+  <requires>
+    <type>update</type>
+  </requires>
+
+</vulnerability>

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_test/proftpd_133c_backdoor.rb

@@ -0,0 +1,16 @@
+require_relative '../../../../../lib/post_provision_test'
+
+class Proftpd133cBackdoorTest < PostProvisionTest
+  def initialize
+    self.module_name = 'proftpd_133c_backdoor_nonroot'
+    self.module_path = get_module_path(__FILE__)
+    super
+  end
+
+  def test_module
+    super
+    test_service_up
+  end
+end
+
+Proftpd133cBackdoorTest.new.run

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/templates/proftpd.erb

@@ -0,0 +1,201 @@
+<%  $port = @secgen_parameters['port'].first
+
+    if @organisation and @organisation != ''
+      $welcome_msg = "Welcome to the #{@organisation['business_name']} FTP server!"
+      $server_name = @organisation['domain']
+    else
+      $server_name = @secgen_parameters['server_name'].first
+      $welcome_msg = @secgen_parameters['welcome_msg'].first
+    end
+-%>
+#
+# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
+# To really apply changes, reload proftpd after modifications, if
+# it runs in daemon mode. It is not required in inetd/xinetd mode.
+#
+
+# Includes DSO modules
+Include /etc/proftpd/modules.conf
+
+# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
+UseIPv6				off
+# If set on you can experience a longer connection delay in many cases.
+IdentLookups			off
+
+ServerName			"<%=$server_name%>"
+ServerType			standalone
+DeferWelcome			off
+
+MultilineRFC2228		on
+DefaultServer			on
+ShowSymlinks			on
+
+TimeoutNoTransfer		600
+TimeoutStalled			600
+TimeoutIdle			1200
+
+DisplayLogin                    welcome.msg
+DisplayChdir               	.message true
+ListOptions                	"-l"
+
+DenyFilter			\*.*/
+
+AccessGrantMsg			"<%=$welcome_msg.gsub("\n", '\n')%>"
+
+# Use this to jail all users in their homes
+# DefaultRoot			~
+
+# Users require a valid shell listed in /etc/shells to login.
+# Use this directive to release that constrain.
+# RequireValidShell		off
+
+# Port 21 is the standard FTP port.
+Port				<%=$port%>
+
+# In some cases you have to specify passive ports range to by-pass
+# firewall limitations. Ephemeral ports can be used for that, but
+# feel free to use a more narrow range.
+# PassivePorts                  49152 65534
+
+# If your host was NATted, this option is useful in order to
+# allow passive tranfers to work. You have to use your public
+# address and opening the passive ports used on your firewall as well.
+# MasqueradeAddress		1.2.3.4
+
+# This is useful for masquerading address with dynamic IPs:
+# refresh any configured MasqueradeAddress directives every 8 hours
+<IfModule mod_dynmasq.c>
+  # DynMasqRefresh 28800
+</IfModule>
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30.  If you need to allow more than 30 concurrent connections
+# at once, simply increase this value.  Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances			30
+
+# Set the user and group that the server normally runs at.
+User				<%= @deploy_user %>
+Group				nogroup
+
+# Umask 022 is a good standard umask to prevent new files and dirs
+# (second parm) from being group and world writable.
+Umask				022  022
+# Normally, we want files to be overwriteable.
+AllowOverwrite			on
+
+# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
+# PersistentPasswd		off
+
+# This is required to use both PAM-based authentication and local passwords
+# AuthOrder			mod_auth_pam.c* mod_auth_unix.c
+
+# Be warned: use of this directive impacts CPU average load!
+# Uncomment this if you like to see progress and transfer rate with ftpwho
+# in downloads. That is not needed for uploads rates.
+#
+# UseSendFile			off
+
+TransferLog /var/log/proftpd/xferlog
+SystemLog   /var/log/proftpd/proftpd.log
+
+# Logging onto /var/log/lastlog is enabled but set to off by default
+#UseLastlog on
+
+# In order to keep log file dates consistent after chroot, use timezone info
+# from /etc/localtime.  If this is not set, and proftpd is configured to
+# chroot (e.g. DefaultRoot or <!--<-->Anonymous<!-->-->), it will use the non-daylight
+  # savings timezone regardless of whether DST is in effect.
+  #SetEnv TZ :/etc/localtime
+
+  <IfModule mod_quotatab.c>
+    QuotaEngine off
+  </IfModule>
+
+  <IfModule mod_ratio.c>
+    Ratios off
+  </IfModule>
+
+
+  # Delay engine reduces impact of the so-called Timing Attack described in
+  # http://www.securityfocus.com/bid/11430/discuss
+  # It is on by default.
+  <IfModule mod_delay.c>
+    DelayEngine on
+  </IfModule>
+
+  <IfModule mod_ctrls.c>
+    ControlsEngine        off
+    ControlsMaxClients    2
+    ControlsLog           /var/log/proftpd/controls.log
+    ControlsInterval      5
+    ControlsSocket        /var/run/proftpd/proftpd.sock
+  </IfModule>
+
+  <IfModule mod_ctrls_admin.c>
+    AdminControlsEngine off
+  </IfModule>
+
+  #
+  # Alternative authentication frameworks
+  #
+  #Include /etc/proftpd/ldap.conf
+  #Include /etc/proftpd/sql.conf
+
+  #
+  # This is used for FTPS connections
+  #
+  #Include /etc/proftpd/tls.conf
+
+  #
+  # Useful to keep VirtualHost/VirtualRoot directives separated
+  #
+  #Include /etc/proftpd/virtuals.conf
+
+  # A basic anonymous configuration, no upload directories.
+
+  <Anonymous ~<%= @anon_user %>>
+    User				<%= @anon_user %>
+    Group				nogroup
+    # We want clients to be able to login with "anonymous" as well as "ftp"
+    UserAlias			anonymous <%= @anon_user %>
+    # Cosmetic changes, all files belongs to ftp user
+    DirFakeUser	on <%= @anon_user %>
+    DirFakeGroup on <%= @anon_user %>
+
+    RequireValidShell		off
+
+    # Limit the maximum number of anonymous logins
+    MaxClients			10
+
+    # We want 'welcome.msg' displayed at login, and '.message' displayed
+    # in each newly chdired directory.
+    DisplayLogin			welcome.msg
+    DisplayChdir		.message
+
+    # Limit WRITE everywhere in the anonymous chroot
+    <Directory *>
+     <Limit WRITE>
+       DenyAll
+     </Limit>
+    </Directory>
+
+    # Uncomment this if you're brave.
+    # <Directory incoming>
+    #   # Umask 022 is a good standard umask to prevent new files and dirs
+    #   # (second parm) from being group and world writable.
+    #   Umask				022  022
+    #            <Limit READ WRITE>
+    #            DenyAll
+    #            </Limit>
+    #            <Limit STOR>
+    #            AllowAll
+    #            </Limit>
+    # </Directory>
+
+  </Anonymous>
+
+  # Include other custom configuration files
+  Include /etc/proftpd/conf.d/

scenarios/examples/vulnerability_examples/proftpd_133c_backdoor_vulnerability.xml

@@ -7,11 +7,11 @@
   <!-- an example remote linux system with the ProFTPd 1.3.3c backdoor vulnerability -->
   <system>
     <system_name>file_server</system_name>
-    <base platform="linux" type="server"/>
+    <base distro="Debian 10" type="desktop" name="KDE"/>
 
     <vulnerability module_path="vulnerabilities/unix/ftp/proftpd_133c_backdoor"/>
 
     <network type="private_network" range="dhcp"/>
   </system>
 
-</scenario>
+</scenario>

scenarios/examples/vulnerability_examples/proftpd_133c_nonroot.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <!-- an example remote linux system with the ProFTPd 1.3.3c backdoor vulnerability -->
+  <system>
+    <system_name>file_server</system_name>
+    <base distro="Debian 10" type="desktop" name="KDE"/>
+
+    <vulnerability module_path="vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>