documentation/modules/exploit/windows/ftp/wing_ftp_admin_exec.md

## Description

This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above of Wing FTP Server. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.

Only versions of Wing FTP Server after 3.0.0 ship with the Lua interpreter and the admin web interface. This makes versions < 3.0.0 presumably NOT vulnerable to this exploit, simply due to the fact that they do not have the capability execute commands this way.

Versions > 4.3.8 handle URL encoding differently compared to versions <= 4.3.8. Encoding the PowerShell payload with base64 allows it to work. CmdStager fails, however, as it cannot simply be base64 encoded like PowerShell. It is recommended to run `check` first before exploiting to get a feel for the vulnerable app. The module has a built-in check to detect `PowerShell` first before continuing with the exploit. It does so by calling `os.getenv()` to get environment variables, then searching for `PowerShell` case-insensitively. It will fall back to using `CmdStager` if `PowerShell` is absent and the version is <= 4.3.8.

The full changelog for Wing FTP Server can be found at [https://www.wftpserver.com/serverhistory.htm].

Information about the admin web interface can be found at [https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm].

## Vulnerable Application

All versions of Wing FTP Server from 3.0.0 and up are presumed vulnerable.

Upgraded module has been tested on a Windows Server 2019 Datacenter x64 with the following versions:

- Wing FTP Server 4.3.8
- Wing FTP Server 5.1.3
- Wing FTP Server 6.0.1
- Wing FTP Server 6.0.2
- Wing FTP Server 6.0.3

Original module was been tested on Windows 7 SP1 and Windows 8.1 with the following versions:

- Wing FTP Server 4.3.6
- Wing FTP Server 4.3.8

## Verification Steps

- [x] Start `msfconsole`
- [x] `use exploit/windows/ftp/wing_ftp_admin_exec`
- [x] `set RHOST <target-ip>`
- [x] `set USERNAME <valid-username>`
- [x] `set PASSWORD <valid-password>`
- [x] `exploit`
- [x] **Verify** that you get a shell
remove tailing double pounds 2020-01-16 11:57:52 -05:00			`## Description`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
Improved version check, made requests more organic, 2018-12-08 19:48:26 +08:00			`This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above of Wing FTP Server. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
Cleaned up module per @bcoles's recommendations. 2018-12-11 02:56:56 +08:00			`Only versions of Wing FTP Server after 3.0.0 ship with the Lua interpreter and the admin web interface. This makes versions < 3.0.0 presumably NOT vulnerable to this exploit, simply due to the fact that they do not have the capability execute commands this way.`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
PowerShell check less strict, updated docs. 2019-02-10 14:26:13 +08:00			Versions > 4.3.8 handle URL encoding differently compared to versions <= 4.3.8. Encoding the PowerShell payload with base64 allows it to work. CmdStager fails, however, as it cannot simply be base64 encoded like PowerShell. It is recommended to run `check` first before exploiting to get a feel for the vulnerable app. The module has a built-in check to detect `PowerShell` first before continuing with the exploit. It does so by calling `os.getenv()` to get environment variables, then searching for `PowerShell` case-insensitively. It will fall back to using `CmdStager` if `PowerShell` is absent and the version is <= 4.3.8.
Removed offending code, added warning for users, 2018-12-10 01:57:44 +08:00
Added links to functionality and cleaned up `check` 2018-12-08 03:17:52 +08:00			`The full changelog for Wing FTP Server can be found at [https://www.wftpserver.com/serverhistory.htm].`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
Added links to functionality and cleaned up `check` 2018-12-08 03:17:52 +08:00			`Information about the admin web interface can be found at [https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm].`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
remove tailing double pounds 2020-01-16 11:57:52 -05:00			`## Vulnerable Application`
Added links to functionality and cleaned up `check` 2018-12-08 03:17:52 +08:00
Cleaned up module per @bcoles's recommendations. 2018-12-11 02:56:56 +08:00			`All versions of Wing FTP Server from 3.0.0 and up are presumed vulnerable.`
Added links to functionality and cleaned up `check` 2018-12-08 03:17:52 +08:00
PowerShell check less strict, updated docs. 2019-02-10 14:26:13 +08:00			`Upgraded module has been tested on a Windows Server 2019 Datacenter x64 with the following versions:`
Removed offending code, added warning for users, 2018-12-10 01:57:44 +08:00
Greatly improved check and tidied up documentation. 2018-12-10 21:02:51 +08:00			`- Wing FTP Server 4.3.8`
PowerShell check less strict, updated docs. 2019-02-10 14:26:13 +08:00			`- Wing FTP Server 5.1.3`
			`- Wing FTP Server 6.0.1`
Greatly improved check and tidied up documentation. 2018-12-10 21:02:51 +08:00			`- Wing FTP Server 6.0.2`
PowerShell check less strict, updated docs. 2019-02-10 14:26:13 +08:00			`- Wing FTP Server 6.0.3`
Removed offending code, added warning for users, 2018-12-10 01:57:44 +08:00
PowerShell check less strict, updated docs. 2019-02-10 14:26:13 +08:00			`Original module was been tested on Windows 7 SP1 and Windows 8.1 with the following versions:`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
Greatly improved check and tidied up documentation. 2018-12-10 21:02:51 +08:00			`- Wing FTP Server 4.3.6`
			`- Wing FTP Server 4.3.8`
Removed offending code, added warning for users, 2018-12-10 01:57:44 +08:00
remove tailing double pounds 2020-01-16 11:57:52 -05:00			`## Verification Steps`
Improved module and added documentation. 2018-12-07 03:02:37 +08:00
Greatly improved check and tidied up documentation. 2018-12-10 21:02:51 +08:00			- [x] Start `msfconsole`
			- [x] `use exploit/windows/ftp/wing_ftp_admin_exec`
			- [x] `set RHOST <target-ip>`
			- [x] `set USERNAME <valid-username>`
			- [x] `set PASSWORD <valid-password>`
			- [x] `exploit`
			`- [x] Verify that you get a shell`