diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp
index 2790f0664..d309b7540 100644
--- a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp
@@ -3,13 +3,29 @@ class proftpd_133c_backdoor::config {
$raw_org = $secgen_parameters['organisation']
$leaked_filenames = $secgen_parameters['leaked_filenames']
$strings_to_leak = $secgen_parameters['strings_to_leak']
+ $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+ $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
if $raw_org and $raw_org[0] and $raw_org[0] != '' {
$organisation = parsejson($raw_org[0])
} else {
$organisation = ''
}
- file { '/etc/proftpd/proftpd.conf':
+
+ $anon_user = 'ftp' #$secgen_parameters['leaked_username'][0]
+ $anon_user_home = "/home/$anon_user"
+
+ Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+ # Create user
+ user { $anon_user:
+ ensure => present,
+ home => "$anon_user_home",
+ managehome => true,
+ } ->
+
+
+ file { '/etc/proftpd/proftpd.conf':
ensure => present,
owner => 'root',
group => 'root',
@@ -24,4 +40,11 @@ class proftpd_133c_backdoor::config {
leaked_from => "proftpd_133c_backdoor",
mode => '0600'
}
+ ::secgen_functions::leak_files { 'proftpd_133c_backdoor-file-pre-leak':
+ storage_directory => $anon_user_home,
+ leaked_filenames => $pre_leaked_filenames,
+ strings_to_leak => $strings_to_pre_leak,
+ leaked_from => "proftpd_133c_backdoor-pre",
+ mode => '0600'
+ }
}
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml
index 7f642e064..020a8de1e 100644
--- a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml
@@ -22,6 +22,8 @@
leaked_filenames
welcome_msg
port
+ strings_to_pre_leak
+ pre_leaked_filenames
organisation
@@ -41,11 +43,20 @@
-
+
+
+
+
+
+
+ note
+
+
+
10
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb
index 5e5896138..a6199430d 100644
--- a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb
@@ -156,46 +156,46 @@ SystemLog /var/log/proftpd/proftpd.log
# A basic anonymous configuration, no upload directories.
- #
- # User ftp
- # Group nogroup
- # # We want clients to be able to login with "anonymous" as well as "ftp"
- # UserAlias anonymous ftp
- # # Cosmetic changes, all files belongs to ftp user
- # DirFakeUser on ftp
- # DirFakeGroup on ftp
- #
- # RequireValidShell off
- #
- # # Limit the maximum number of anonymous logins
- # MaxClients 10
- #
- # # We want 'welcome.msg' displayed at login, and '.message' displayed
- # # in each newly chdired directory.
- # DisplayLogin welcome.msg
- # DisplayChdir .message
- #
- # # Limit WRITE everywhere in the anonymous chroot
- #
- #
- # DenyAll
- #
- #
- #
- # # Uncomment this if you're brave.
- # #
- # # # Umask 022 is a good standard umask to prevent new files and dirs
- # # # (second parm) from being group and world writable.
- # # Umask 022 022
- # #
- # # DenyAll
- # #
- # #
- # # AllowAll
- # #
- # #
- #
- #
+ >
+ User <%= @anon_user %>
+ Group nogroup
+ # We want clients to be able to login with "anonymous" as well as "ftp"
+ UserAlias anonymous <%= @anon_user %>
+ # Cosmetic changes, all files belongs to ftp user
+ DirFakeUser on <%= @anon_user %>
+ DirFakeGroup on <%= @anon_user %>
+
+ RequireValidShell off
+
+ # Limit the maximum number of anonymous logins
+ MaxClients 10
+
+ # We want 'welcome.msg' displayed at login, and '.message' displayed
+ # in each newly chdired directory.
+ DisplayLogin welcome.msg
+ DisplayChdir .message
+
+ # Limit WRITE everywhere in the anonymous chroot
+
+
+ DenyAll
+
+
+
+ # Uncomment this if you're brave.
+ #
+ # # Umask 022 is a good standard umask to prevent new files and dirs
+ # # (second parm) from being group and world writable.
+ # Umask 022 022
+ #
+ # DenyAll
+ #
+ #
+ # AllowAll
+ #
+ #
+
+
# Include other custom configuration files
Include /etc/proftpd/conf.d/
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd-1.3.3c.tar.gz b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd-1.3.3c.tar.gz
new file mode 100644
index 000000000..78437717e
Binary files /dev/null and b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd-1.3.3c.tar.gz differ
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd.init.d b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd.init.d
new file mode 100644
index 000000000..43a96f92a
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/files/proftpd.init.d
@@ -0,0 +1,223 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: proftpd
+# Required-Start: $remote_fs $syslog $local_fs $network
+# Required-Stop: $remote_fs $syslog $local_fs $network
+# Should-Start: $named
+# Should-Stop: $named
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Starts ProFTPD daemon
+# Description: This script runs the FTP service offered
+# by the ProFTPD daemon
+### END INIT INFO
+
+# Start the proftpd FTP daemon.
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/local/sbin/proftpd
+NAME=proftpd
+
+# Defaults
+RUN="no"
+OPTIONS=""
+CONFIG_FILE=/etc/proftpd/proftpd.conf
+
+PIDFILE=`grep -i 'pidfile' $CONFIG_FILE|sed -e 's/pidfile[\t ]\+//i'`
+if [ "x$PIDFILE" = "x" ];
+then
+ PIDFILE=/var/run/proftpd.pid
+fi
+
+# Read config (will override defaults)
+[ -r /etc/default/proftpd ] && . /etc/default/proftpd
+
+trap "" 1
+trap "" 15
+
+test -f $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+#
+# Servertype could be inetd|standalone|none.
+# In all cases check against inetd and xinetd support.
+#
+if ! egrep -qi "^[[:space:]]*ServerType.*standalone" $CONFIG_FILE
+then
+ if egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.conf 2>/dev/null || \
+ egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.d/* 2>/dev/null || \
+ egrep -qi "^ftp.*/usr/sbin/proftpd" /etc/inetd.conf 2>/dev/null
+ then
+ RUN="no"
+ INETD="yes"
+ else
+ if ! egrep -qi "^[[:space:]]*ServerType.*inetd" $CONFIG_FILE
+ then
+ RUN="yes"
+ INETD="no"
+ else
+ RUN="no"
+ INETD="no"
+ fi
+ fi
+fi
+
+# /var/run could be on a tmpfs
+
+[ ! -d /var/run/proftpd ] && mkdir /var/run/proftpd
+
+inetd_check()
+{
+ if [ ! -x /usr/sbin/inetd -a ! -x /usr/sbin/xinetd ]; then
+ echo "Neither inetd nor xinetd appears installed: check your configuration."
+ fi
+}
+
+start()
+{
+ log_daemon_msg "Starting ftp server" "$NAME"
+
+ start-stop-daemon --start --quiet --pidfile "$PIDFILE" --oknodo --exec $DAEMON -- -c $CONFIG_FILE $OPTIONS
+ if [ $? != 0 ]; then
+ log_end_msg 1
+ exit 1
+ else
+ log_end_msg 0
+ fi
+}
+
+signal()
+{
+
+ if [ "$1" = "stop" ]; then
+ SIGNAL="TERM"
+ log_daemon_msg "Stopping ftp server" "$NAME"
+ else
+ if [ "$1" = "reload" ]; then
+ SIGNAL="HUP"
+ log_daemon_msg "Reloading ftp server" "$NAME"
+ else
+ echo "ERR: wrong parameter given to signal()"
+ exit 1
+ fi
+ fi
+ if [ -f "$PIDFILE" ]; then
+ start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+ if [ $? = 0 ]; then
+ log_end_msg 0
+ else
+ SIGNAL="KILL"
+ start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+ if [ $? != 0 ]; then
+ log_end_msg 1
+ [ $2 != 0 ] || exit 0
+ else
+ log_end_msg 0
+ fi
+ fi
+ if [ "$SIGNAL" = "KILL" ]; then
+ rm -f "$PIDFILE"
+ fi
+ else
+ log_end_msg 0
+ fi
+}
+
+case "$1" in
+ start)
+ if [ "x$RUN" = "xyes" ] ; then
+ start
+ else
+ start
+# if [ "x$INETD" = "xyes" ] ; then
+# echo "ProFTPD is started from inetd/xinetd."
+# inetd_check
+# else
+# echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+# fi
+ fi
+ ;;
+
+ force-start)
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "Warning: ProFTPD is started from inetd/xinetd (trying to start anyway)."
+ inetd_check
+ fi
+ start
+ ;;
+
+ stop)
+ if [ "x$RUN" = "xyes" ] ; then
+ signal stop 0
+ else
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "ProFTPD is started from inetd/xinetd."
+ inetd_check
+ else
+ echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+ fi
+ fi
+ ;;
+
+ force-stop)
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "Warning: ProFTPD is started from inetd/xinetd (trying to kill anyway)."
+ inetd_check
+ fi
+ signal stop 0
+ ;;
+
+ reload)
+ signal reload 0
+ ;;
+
+ force-reload|restart)
+ if [ "x$RUN" = "xyes" ] ; then
+ signal stop 1
+ sleep 2
+ start
+ else
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "ProFTPD is started from inetd/xinetd."
+ inetd_check
+ else
+ echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+ fi
+ fi
+ ;;
+
+ status)
+ if [ "x$INETD" = "xyes" ] ; then
+ echo "ProFTPD is started from inetd/xinetd."
+ inetd_check
+ exit 0
+ else
+ if [ -f "$PIDFILE" ]; then
+ pid=$(cat $PIDFILE)
+ else
+ pid="x"
+ fi
+ if [ `pidof proftpd|grep "$pid"|wc -l` -ne 0 ] ; then
+ echo "ProFTPD is started in standalone mode, currently running."
+ exit 0
+ else
+ echo "ProFTPD is started in standalone mode, currently not running."
+ exit 3
+ fi
+ fi
+ ;;
+
+ check-config)
+ $DAEMON -t >/dev/null && echo "ProFTPD configuration OK" && exit 0
+ exit 1
+ ;;
+
+ *)
+ echo "Usage: /etc/init.d/$NAME {start|status|force-start|stop|force-stop|reload|restart|force-reload|check-config}"
+ exit 1
+ ;;
+esac
+
+exit 0
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/config.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/config.pp
new file mode 100644
index 000000000..9a731d7a3
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/config.pp
@@ -0,0 +1,59 @@
+class proftpd_133c_backdoor_nonroot::config {
+ $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+ $raw_org = $secgen_parameters['organisation']
+ $leaked_filenames = $secgen_parameters['leaked_filenames']
+ $strings_to_leak = $secgen_parameters['strings_to_leak']
+ $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+ $pre_leaked_filenames = $secgen_parameters['pre_leaked_filenames']
+
+ if $raw_org and $raw_org[0] and $raw_org[0] != '' {
+ $organisation = parsejson($raw_org[0])
+ } else {
+ $organisation = ''
+ }
+
+ $anon_user = 'anon' #$secgen_parameters['leaked_username'][0]
+ $anon_user_home = "/home/$anon_user"
+ $deploy_user = 'ftp'
+ $deploy_user_home = "/home/$deploy_user"
+
+ Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+
+ # Create user
+ user { $anon_user:
+ ensure => present,
+ home => "$anon_user_home",
+ managehome => true,
+ } ->
+ user { $deploy_user:
+ ensure => present,
+ home => "$deploy_user_home",
+ managehome => true,
+ } ->
+
+
+
+ file { '/etc/proftpd/proftpd.conf':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => template('proftpd_133c_backdoor_nonroot/proftpd.erb')
+ }
+
+ ::secgen_functions::leak_files { 'proftpd_133c_backdoor_nonroot-file-leak':
+ storage_directory => '/root',
+ leaked_filenames => $leaked_filenames,
+ strings_to_leak => $strings_to_leak,
+ leaked_from => "proftpd_133c_backdoor_nonroot",
+ mode => '0600'
+ }
+ ::secgen_functions::leak_files { 'proftpd_133c_backdoor_nonroot-file-pre-leak':
+ storage_directory => $anon_user_home,
+ leaked_filenames => $pre_leaked_filenames,
+ strings_to_leak => $strings_to_pre_leak,
+ leaked_from => "proftpd_133c_backdoor_nonroot-pre",
+ mode => '0644',
+ owner => $anon_user
+ }
+}
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/install.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/install.pp
new file mode 100644
index 000000000..52dd92857
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/install.pp
@@ -0,0 +1,72 @@
+class proftpd_133c_backdoor_nonroot::install {
+
+ # Install ProFTPd 1.3.3c backdoored version from source tar
+
+ file { '/usr/local/src/proftpd-1.3.3c.tar.gz':
+ owner => root,
+ group => root,
+ mode => '0775',
+ ensure => file,
+ source => 'puppet:///modules/proftpd_133c_backdoor_nonroot/proftpd-1.3.3c.tar.gz',
+ notify => Exec['unpack'],
+ }
+
+ exec { 'unpack':
+ cwd => '/usr/local/src',
+ command => 'tar -xzvf proftpd-1.3.3c.tar.gz',
+ creates => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+ notify => Exec['install_proftpd-1.3.3c'],
+ }
+
+ ensure_packages('build-essential')
+ ensure_packages('gcc-multilib')
+
+ exec { 'install_proftpd-1.3.3c':
+ cwd => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ command => '/usr/local/src/backdoored_proftpd-1.3.3c/configure', #--prefix=/usr/local/
+ notify => Exec['make_proftpd-1.3.3c'],
+ require => Package['build-essential', 'gcc-multilib'],
+ }
+
+ exec { 'make_proftpd-1.3.3c':
+ require => Exec['install_proftpd-1.3.3c'],
+ cwd => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ command => '/usr/bin/make',
+ notify => Exec['make_install_proftpd-1.3.3c'],
+ }
+
+ exec { 'make_install_proftpd-1.3.3c':
+ require => Exec['install_proftpd-1.3.3c'],
+ cwd => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+ command => '/usr/bin/make install',
+ notify => File['/etc/init.d/proftpd'],
+ }
+
+ # ProFTPd init.d service installation
+
+ file { '/etc/init.d/proftpd':
+ require => Exec['make_install_proftpd-1.3.3c'],
+ path => '/etc/init.d/proftpd',
+ owner => root,
+ group => root,
+ mode => '0755',
+ ensure => file,
+ source => 'puppet:///modules/proftpd_133c_backdoor_nonroot/proftpd.init.d',
+ }
+
+ # Required log and config files/directories
+
+ file { ['/etc/proftpd', '/var/log/proftpd', '/var/log/proftpd/xferlog', '/etc/proftpd/conf.d/']:
+ ensure => directory,
+ }
+
+ file { [ '/etc/proftpd/modules.conf', '/var/log/proftpd/proftpd.log']:
+ ensure => file,
+ }
+
+ # Cleanup
+ exec { 'directory-cleanup':
+ command => '/bin/rm /usr/local/src/* -rf',
+ }
+}
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/service.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/service.pp
new file mode 100644
index 000000000..89e56083a
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/manifests/service.pp
@@ -0,0 +1,7 @@
+class proftpd_133c_backdoor_nonroot::service {
+ service { 'proftpd':
+ ensure => running,
+ enable => true,
+ require => File['/etc/init.d/proftpd','/etc/proftpd/proftpd.conf'],
+ }
+}
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/proftpd_133c_backdoor_nonroot.pp b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/proftpd_133c_backdoor_nonroot.pp
new file mode 100644
index 000000000..0398bed9d
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/proftpd_133c_backdoor_nonroot.pp
@@ -0,0 +1,3 @@
+include proftpd_133c_backdoor_nonroot::install
+include proftpd_133c_backdoor_nonroot::config
+include proftpd_133c_backdoor_nonroot::service
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_metadata.xml b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_metadata.xml
new file mode 100644
index 000000000..020a8de1e
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_metadata.xml
@@ -0,0 +1,87 @@
+
+
+
+ ProFTPD v1.3.3c Backdoor Command Execution
+ Thomas Shaw
+ Jason Keighley
+ MIT
+ A backdoor was introduced into the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th and December
+ 2nd 2010.
+
+
+ ftp
+ root_rwx
+ remote
+ linux
+ low
+
+ server_name
+ strings_to_leak
+ leaked_filenames
+ welcome_msg
+ port
+ strings_to_pre_leak
+ pre_leaked_filenames
+
+
+ organisation
+
+
+ 21
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ note
+
+
+
+
+
+ 10
+ AV:N/AC:L/Au:N/C:C/I:C/A:C
+ https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor
+ proftpd
+ GPL
+
+
+
+ A backdoor in a service
+ Remotely exploitable backdoor in the FTP service
+
+
+
+ proftpd
+
+
+
+ ^ftp$
+
+
+
+
+ update
+
+
+
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_test/proftpd_133c_backdoor.rb b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_test/proftpd_133c_backdoor.rb
new file mode 100644
index 000000000..23564515c
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/secgen_test/proftpd_133c_backdoor.rb
@@ -0,0 +1,16 @@
+require_relative '../../../../../lib/post_provision_test'
+
+class Proftpd133cBackdoorTest < PostProvisionTest
+ def initialize
+ self.module_name = 'proftpd_133c_backdoor_nonroot'
+ self.module_path = get_module_path(__FILE__)
+ super
+ end
+
+ def test_module
+ super
+ test_service_up
+ end
+end
+
+Proftpd133cBackdoorTest.new.run
diff --git a/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/templates/proftpd.erb b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/templates/proftpd.erb
new file mode 100644
index 000000000..97e7ccae5
--- /dev/null
+++ b/modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor_nonroot/templates/proftpd.erb
@@ -0,0 +1,201 @@
+<% $port = @secgen_parameters['port'].first
+
+ if @organisation and @organisation != ''
+ $welcome_msg = "Welcome to the #{@organisation['business_name']} FTP server!"
+ $server_name = @organisation['domain']
+ else
+ $server_name = @secgen_parameters['server_name'].first
+ $welcome_msg = @secgen_parameters['welcome_msg'].first
+ end
+-%>
+#
+# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
+# To really apply changes, reload proftpd after modifications, if
+# it runs in daemon mode. It is not required in inetd/xinetd mode.
+#
+
+# Includes DSO modules
+Include /etc/proftpd/modules.conf
+
+# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
+UseIPv6 off
+# If set on you can experience a longer connection delay in many cases.
+IdentLookups off
+
+ServerName "<%=$server_name%>"
+ServerType standalone
+DeferWelcome off
+
+MultilineRFC2228 on
+DefaultServer on
+ShowSymlinks on
+
+TimeoutNoTransfer 600
+TimeoutStalled 600
+TimeoutIdle 1200
+
+DisplayLogin welcome.msg
+DisplayChdir .message true
+ListOptions "-l"
+
+DenyFilter \*.*/
+
+AccessGrantMsg "<%=$welcome_msg.gsub("\n", '\n')%>"
+
+# Use this to jail all users in their homes
+# DefaultRoot ~
+
+# Users require a valid shell listed in /etc/shells to login.
+# Use this directive to release that constrain.
+# RequireValidShell off
+
+# Port 21 is the standard FTP port.
+Port <%=$port%>
+
+# In some cases you have to specify passive ports range to by-pass
+# firewall limitations. Ephemeral ports can be used for that, but
+# feel free to use a more narrow range.
+# PassivePorts 49152 65534
+
+# If your host was NATted, this option is useful in order to
+# allow passive tranfers to work. You have to use your public
+# address and opening the passive ports used on your firewall as well.
+# MasqueradeAddress 1.2.3.4
+
+# This is useful for masquerading address with dynamic IPs:
+# refresh any configured MasqueradeAddress directives every 8 hours
+
+ # DynMasqRefresh 28800
+
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30. If you need to allow more than 30 concurrent connections
+# at once, simply increase this value. Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances 30
+
+# Set the user and group that the server normally runs at.
+User <%= @deploy_user %>
+Group nogroup
+
+# Umask 022 is a good standard umask to prevent new files and dirs
+# (second parm) from being group and world writable.
+Umask 022 022
+# Normally, we want files to be overwriteable.
+AllowOverwrite on
+
+# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
+# PersistentPasswd off
+
+# This is required to use both PAM-based authentication and local passwords
+# AuthOrder mod_auth_pam.c* mod_auth_unix.c
+
+# Be warned: use of this directive impacts CPU average load!
+# Uncomment this if you like to see progress and transfer rate with ftpwho
+# in downloads. That is not needed for uploads rates.
+#
+# UseSendFile off
+
+TransferLog /var/log/proftpd/xferlog
+SystemLog /var/log/proftpd/proftpd.log
+
+# Logging onto /var/log/lastlog is enabled but set to off by default
+#UseLastlog on
+
+# In order to keep log file dates consistent after chroot, use timezone info
+# from /etc/localtime. If this is not set, and proftpd is configured to
+# chroot (e.g. DefaultRoot or Anonymous-->), it will use the non-daylight
+ # savings timezone regardless of whether DST is in effect.
+ #SetEnv TZ :/etc/localtime
+
+
+ QuotaEngine off
+
+
+
+ Ratios off
+
+
+
+ # Delay engine reduces impact of the so-called Timing Attack described in
+ # http://www.securityfocus.com/bid/11430/discuss
+ # It is on by default.
+
+ DelayEngine on
+
+
+
+ ControlsEngine off
+ ControlsMaxClients 2
+ ControlsLog /var/log/proftpd/controls.log
+ ControlsInterval 5
+ ControlsSocket /var/run/proftpd/proftpd.sock
+
+
+
+ AdminControlsEngine off
+
+
+ #
+ # Alternative authentication frameworks
+ #
+ #Include /etc/proftpd/ldap.conf
+ #Include /etc/proftpd/sql.conf
+
+ #
+ # This is used for FTPS connections
+ #
+ #Include /etc/proftpd/tls.conf
+
+ #
+ # Useful to keep VirtualHost/VirtualRoot directives separated
+ #
+ #Include /etc/proftpd/virtuals.conf
+
+ # A basic anonymous configuration, no upload directories.
+
+ >
+ User <%= @anon_user %>
+ Group nogroup
+ # We want clients to be able to login with "anonymous" as well as "ftp"
+ UserAlias anonymous <%= @anon_user %>
+ # Cosmetic changes, all files belongs to ftp user
+ DirFakeUser on <%= @anon_user %>
+ DirFakeGroup on <%= @anon_user %>
+
+ RequireValidShell off
+
+ # Limit the maximum number of anonymous logins
+ MaxClients 10
+
+ # We want 'welcome.msg' displayed at login, and '.message' displayed
+ # in each newly chdired directory.
+ DisplayLogin welcome.msg
+ DisplayChdir .message
+
+ # Limit WRITE everywhere in the anonymous chroot
+
+
+ DenyAll
+
+
+
+ # Uncomment this if you're brave.
+ #
+ # # Umask 022 is a good standard umask to prevent new files and dirs
+ # # (second parm) from being group and world writable.
+ # Umask 022 022
+ #
+ # DenyAll
+ #
+ #
+ # AllowAll
+ #
+ #
+
+
+
+ # Include other custom configuration files
+ Include /etc/proftpd/conf.d/
diff --git a/scenarios/examples/vulnerability_examples/proftpd_133c_backdoor_vulnerability.xml b/scenarios/examples/vulnerability_examples/proftpd_133c_backdoor_vulnerability.xml
index a14e15a06..a38335691 100644
--- a/scenarios/examples/vulnerability_examples/proftpd_133c_backdoor_vulnerability.xml
+++ b/scenarios/examples/vulnerability_examples/proftpd_133c_backdoor_vulnerability.xml
@@ -7,11 +7,11 @@
file_server
-
+
-
\ No newline at end of file
+
diff --git a/scenarios/examples/vulnerability_examples/proftpd_133c_nonroot.xml b/scenarios/examples/vulnerability_examples/proftpd_133c_nonroot.xml
new file mode 100644
index 000000000..915b34218
--- /dev/null
+++ b/scenarios/examples/vulnerability_examples/proftpd_133c_nonroot.xml
@@ -0,0 +1,17 @@
+
+
+
+
+
+
+ file_server
+
+
+
+
+
+
+
+