Since it seems to be hard to find now, this is the non-paid version of CrushFTP10 that the exploit was developed against (10.5.0 b2). The 'CrushFTP10.zip' file contains the standard 10.4.0 unpaid version on the site for download. The 'CrushFTP-v10_5_0.zip' file is the update that would have typically been pushed via the runtime update service.
This software is the non-paid shareware version of the specific vulnerable version of CrushFTP this exploit was written for. I did not write this software, nor do I hold any degree of ownership over the source code. This version should exclusively be used for the purpose of detecting this exploit - it should not be used in any real business capacity.
To install and run:
- Unzip 'CrushFTP10.zip', then drop the 'CrushFTP-v10_5_0.zip' contents into the install folder and overwrite the changed files.
- Configure 'CRUSH_DIR' in 'crushftp_init.sh' to point to the correct install directory.
- Execute 'java -jar CrushFTP.jar' to show a local client GUI interface where you can set up an admin account.
- Execute 'sudo crushftp_init.sh start' to launch the software.
Let me know if any files are missing and I can include them from my local exploit development environment.
Cheers!