Commit
Land #11077, Improvements and documentation for wing_ftp_admin_exec
1 parent 472326a, commit 83424ea
Showing 2 changed files with 154 additions and 41 deletions.
38 changes: 38 additions & 0 deletions
documentation/modules/exploit/windows/ftp/wing_ftp_admin_exec.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
## Description ## | ||
|
||
This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above of Wing FTP Server. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges. | ||
|
||
Only versions of Wing FTP Server after 3.0.0 ship with the Lua interpreter and the admin web interface. This makes versions < 3.0.0 presumably NOT vulnerable to this exploit, simply due to the fact that they do not have the capability execute commands this way. | ||
|
||
Versions > 4.3.8 handle URL encoding differently compared to versions <= 4.3.8. Encoding the PowerShell payload with base64 allows it to work. CmdStager fails, however, as it cannot simply be base64 encoded like PowerShell. It is recommended to run `check` first before exploiting to get a feel for the vulnerable app. The module has a built-in check to detect `PowerShell` first before continuing with the exploit. It does so by calling `os.getenv()` to get environment variables, then searching for `PowerShell` case-insensitively. It will fall back to using `CmdStager` if `PowerShell` is absent and the version is <= 4.3.8. | ||
|
||
The full changelog for Wing FTP Server can be found at [https://www.wftpserver.com/serverhistory.htm]. | ||
|
||
Information about the admin web interface can be found at [https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm]. | ||
|
||
## Vulnerable Application ## | ||
|
||
All versions of Wing FTP Server from 3.0.0 and up are presumed vulnerable. | ||
|
||
Upgraded module has been tested on a Windows Server 2019 Datacenter x64 with the following versions: | ||
|
||
- Wing FTP Server 4.3.8 | ||
- Wing FTP Server 5.1.3 | ||
- Wing FTP Server 6.0.1 | ||
- Wing FTP Server 6.0.2 | ||
- Wing FTP Server 6.0.3 | ||
|
||
Original module was been tested on Windows 7 SP1 and Windows 8.1 with the following versions: | ||
|
||
- Wing FTP Server 4.3.6 | ||
- Wing FTP Server 4.3.8 | ||
|
||
## Verification Steps ## | ||
|
||
- [x] Start `msfconsole` | ||
- [x] `use exploit/windows/ftp/wing_ftp_admin_exec` | ||
- [x] `set RHOST <target-ip>` | ||
- [x] `set USERNAME <valid-username>` | ||
- [x] `set PASSWORD <valid-password>` | ||
- [x] `exploit` | ||
- [x] **Verify** that you get a shell |
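Review bot: The second Description paragraph says only versions "after 3.0.0" ship the Lua interpreter and admin web interface, which contradicts "versions 3.0.0 and above" in the first paragraph and "from 3.0.0 and up" under Vulnerable Application; the "< 3.0.0 presumably NOT vulnerable" sentence implies 3.0.0 is included, so use one bound in all three places. The fallback sentence only covers "PowerShell is absent and the version is <= 4.3.8"; state what the module does when PowerShell is absent on a version > 4.3.8, since the same paragraph says CmdStager fails there. The Description recommends running `check` before exploiting, but Verification Steps go straight from `set PASSWORD` to `exploit`, so add a `check` step with its expected result. The two URLs are wrapped in bare square brackets, which is not Markdown link syntax; use `<url>` or `[text](url)`. Wording: "capability execute" should read "capability to execute", and "was been tested" should read "was tested".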