Improvements and documentation for wing_ftp_admin_exec #11077
Improved the check method and added documentation. Also added a separate PowerShell target (see issue #10980) for in-memory execution.
If authentication is required for the exploit, we might as well go all the way, and do both the check and exploit using one authentication. Specific details about the installed Wing FTP Server version can only be obtained after authentication, so this makes it clear what version of the vulnerable app we are exploiting.
As of 12/10/2018, the module has been further improved to get hard evidence about the existence of the vulnerability.
All versions of Wing FTP Server from 3.0.0 and up are vulnerable.
Upgraded module has been tested on a Windows Server 2016 Datacenter x64 with the following versions:
Original module has been tested on Windows 7 SP1 and Windows 8.1 with the following versions:
I have tested this module on:
In either PowerShell or command stager mode, the exploit doesn't seem to work. It does say the target is vulnerable though. Here's an example:
By the way, I notice that the PowerShell path check is quite strict like this:
However, my Windows 10 box's Windows directory name is actually
Please let me know what info you need so you can reproduce the problem. If possible, maybe provide a vulnerable application for testing just to be sure? Thank you!
@wchen-r7, I have attempted to make the PowerShell check less stringent based on your suggestions in commit 6d07979. I'm not sure that this is the cause of the failure, but before the latest commit I had
Ok, works for me. Thank you for your patience and the apps @Psi0NYX. I'll land it now.