adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d2e2dcf85eebf64fc1ac4d889ea773f3b2b1bacb
metasploit-gs/documentation/modules/exploit/windows/ftp/wing_ftp_admin_exec.md
T
Imran E. Dawoodjee 6d0797986b PowerShell check less strict, updated docs.
2019-02-10 14:26:13 +08:00

2.1 KiB
Raw Blame History

Description

This module exploits the embedded Lua interpreter in the admin web interface for versions 3.0.0 and above of Wing FTP Server. When supplying a specially crafted HTTP POST request an attacker can use os.execute() to execute arbitrary system commands on the target with SYSTEM privileges.

Only versions of Wing FTP Server after 3.0.0 ship with the Lua interpreter and the admin web interface. This makes versions < 3.0.0 presumably NOT vulnerable to this exploit, simply due to the fact that they do not have the capability execute commands this way.

Versions > 4.3.8 handle URL encoding differently compared to versions <= 4.3.8. Encoding the PowerShell payload with base64 allows it to work. CmdStager fails, however, as it cannot simply be base64 encoded like PowerShell. It is recommended to run check first before exploiting to get a feel for the vulnerable app. The module has a built-in check to detect PowerShell first before continuing with the exploit. It does so by calling os.getenv() to get environment variables, then searching for PowerShell case-insensitively. It will fall back to using CmdStager if PowerShell is absent and the version is <= 4.3.8.

The full changelog for Wing FTP Server can be found at [https://www.wftpserver.com/serverhistory.htm].

Information about the admin web interface can be found at [https://www.wftpserver.com/help/ftpserver/index.html?administrator_console.htm].

Vulnerable Application

All versions of Wing FTP Server from 3.0.0 and up are presumed vulnerable.

Upgraded module has been tested on a Windows Server 2019 Datacenter x64 with the following versions:

  • Wing FTP Server 4.3.8
  • Wing FTP Server 5.1.3
  • Wing FTP Server 6.0.1
  • Wing FTP Server 6.0.2
  • Wing FTP Server 6.0.3

Original module was been tested on Windows 7 SP1 and Windows 8.1 with the following versions:

  • Wing FTP Server 4.3.6
  • Wing FTP Server 4.3.8

Verification Steps

  • Start msfconsole
  • use exploit/windows/ftp/wing_ftp_admin_exec
  • set RHOST <target-ip>
  • set USERNAME <valid-username>
  • set PASSWORD <valid-password>
  • exploit
  • Verify that you get a shell
Reference in New Issue View Git Blame Copy Permalink