Improvements and documentation for wing_ftp_admin_exec #11077
to make it much cleaner per @bcoles's recommendations.
and improved made PowerShell work on version 6.0.2.
Jenkins test this please
and updated documentation.
I have tested this module on:
In either powershell or command stager mode, the exploit doesn't seem to work. It does say the target is vulnerable though. Here's an example:
By the way, I notice that the powershell path check is quite strict like this: winenv_path.body.include?('C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\') However, my Windows 10 box's Windows directory name is actually winenv_path.body.match(/C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\/i) Please let me know what info you need so you can reproduce the problem. If possible, maybe provide a vulnerable application for testing just to be sure? Thank you!
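The path comparison discussed in the comment above, as an added example that is not part of this PR or the module: it splits a PATH value on `;` and compares each entry case-insensitively, without depending on the drive letter, the Windows directory name or a trailing backslash. The function names and the sample PATH strings are constructed for illustration; only the strict `include?` needle comes from the page.

```ruby
# Added example, not code from the module or this PR.

# The strict needle quoted in the comment above (case-sensitive, C: only,
# requires a trailing backslash).
STRICT_NEEDLE = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\'.freeze

# Suffix that identifies the Windows PowerShell directory after normalization.
PS_SUFFIX = '\\system32\\windowspowershell\\v1.0'.freeze

def strict_check(path_value)
  path_value.to_s.include?(STRICT_NEEDLE)
end

# Split a Windows PATH value into comparable entries: quotes and whitespace
# removed, forward slashes folded to backslashes, trailing backslashes
# dropped, lower-cased (Windows path lookups are case-insensitive by default).
def normalize_path_entries(path_value)
  entries = path_value.to_s.split(';').map do |entry|
    entry.strip.delete('"').tr('/', '\\').sub(/\\+\z/, '').downcase
  end
  entries.reject(&:empty?)
end

# True when any PATH entry is a ...\System32\WindowsPowerShell\v1.0 directory.
def powershell_in_path?(path_value)
  normalize_path_entries(path_value).any? { |e| e.end_with?(PS_SUFFIX) }
end

# Constructed sample PATH values (hypothetical hosts).
SAMPLES = {
  upper_case:  'C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;',
  no_trailing: 'C:\\Windows\\system32;C:\\Windows\\System32\\WindowsPowerShell\\v1.0',
  other_root:  '"D:\\WinNT\\System32\\WindowsPowerShell\\v1.0\\"',
  decoy:       'C:\\Tools\\WindowsPowerShell\\v1.0-backup;C:\\Windows\\system32',
  exact:       'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\'
}.freeze

SAMPLES.each do |name, path|
  puts format('%-12s strict=%-5s normalized=%s',
              name, strict_check(path), powershell_in_path?(path))
end
```
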
Is checking for
@wchen-r7 , I have attempted to make the PowerShell check less stringent based on your suggestions in commit 6d07979. I'm not sure that this is the cause of the failure, but before the latest commit I had
Hey @Psi0NYX Thank you! I'll share a link with you on Google Drive you can upload your vuln apps there.
@Psi0NYX I've shared a link with you to imrandawoodjee.infosec@gmail.com.
EDB has (most likely) 4.3.8 installer: https://www.exploit-db.com/exploits/34517
Ok, works for me. Thank you for your patience and the apps @Psi0NYX. I'll land it now.
@h00die Nice find. Thank you.
Release Notes
This adds new module documentation for the wing_ftp_admin_exec exploit module, as well as an improved check and support for Powershell.
Notes
Improved the check method and added documentation. Also added a separate PowerShell target (see issue #10980) for in-memory execution.
If authentication is required for the exploit, we might as well go all the way, and do both the check and exploit using one authentication. Specific details about the installed Wing FTP Server version can only be obtained after authentication, so this makes it clear about what version of the vulnerable app we are exploiting.
As of 12/10/2018, the module has been further improved to get hard evidence about the existence of the vulnerability.
Vulnerable application
All versions of Wing FTP Server from 3.0.0 and up are vulnerable.
Upgraded module has been tested on a Windows Server 2016 Datacenter x64 with the following versions:
Original module has been tested on Windows 7 SP1 and Windows 8.1 with the following versions:
Verification Steps
msfconsole
use exploit/windows/ftp/wing_ftp_admin_exec
set RHOST <target-ip>
set USERNAME <valid-username>
set PASSWORD <valid-password>
exploit
TODO
Gem::Version
6.0.2