Authentication Bypass in CrushFTP AWS4-HMAC HTTP Authorization
CVE-2025-31161 is a critical authentication bypass vulnerability in CrushFTP. Affected releases are 10.8.3 and earlier in the 10.x branch (fixed in 10.8.4) and 11.3.0 and earlier in the 11.x branch (fixed in 11.3.1). The flaw resides in CrushFTP's HTTP component, specifically its handling of AWS4-HMAC (S3-compatible) authorization. When an Authorization header begins with AWS4-HMAC, the server extracts the username from the Credential field and invokes login_user_pass() along a path that does not require a password: because of a control-flow error, a flag intended for password lookup reaches the authentication routine as an anyPass-style switch, so user verification succeeds without the password ever being validated.

The sources also describe a race condition in this flow, and a more reliable variant in which a malformed AWS4-HMAC header containing only a username followed by a slash triggers an index-out-of-bounds condition before session cleanup runs, which stabilizes exploitation. As a result, an unauthenticated remote attacker can authenticate as any known or guessable user, including crushadmin, over HTTP or HTTPS, unless the instance is fronted by a DMZ proxy instance.
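As an added illustration of the malformed header shape described above (this is not code from the page or from CrushFTP), the following Python classifies AWS4-HMAC-SHA256 Authorization values and flags the credential-only form in a constructed, assumed proxy-log format, so a defender can alert on it:

```python
import re

AWS4_SCHEME = "AWS4-HMAC-SHA256"

# A complete SigV4 credential scope: <key>/<yyyymmdd>/<region>/<service>/aws4_request
SCOPE_RE = re.compile(r"^[^/\s]+/\d{8}/[^/\s]+/[^/\s]+/aws4_request$")

def parse_aws4_header(value):
    """Split 'AWS4-HMAC-SHA256 k=v, k=v' into a dict; None if not SigV4."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme != AWS4_SCHEME:
        return None
    fields = {}
    for part in rest.split(","):
        key, sep, val = part.strip().partition("=")
        if sep:
            fields[key] = val.strip()
    return fields

def classify_aws4_header(value):
    """Return (verdict, user). 'malformed' means the SigV4 scheme is present
    but the scope is truncated or SignedHeaders/Signature are missing, i.e.
    the "Credential=<user>/" shape the advisory describes."""
    fields = parse_aws4_header(value)
    if fields is None:
        return ("not-aws4", None)
    cred = fields.get("Credential", "")
    user = cred.split("/", 1)[0] or None
    complete = (SCOPE_RE.match(cred) is not None
                and "SignedHeaders" in fields and "Signature" in fields)
    return ("wellformed" if complete else "malformed", user)

# Constructed proxy-style log format (assumed, not CrushFTP's own):
#   <client> <method> <path> auth="<Authorization value>"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) auth="(?P<auth>[^"]*)"$')

def find_bypass_attempts(lines):
    """Return (client, path, user) for every request carrying a malformed
    SigV4 header; these are the events worth alerting on."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict, user = classify_aws4_header(m.group("auth"))
        if verdict == "malformed":
            hits.append((m.group("client"), m.group("path"), user))
    return hits

# Constructed sample lines: one legitimate S3-style request, one Basic login, two credential-only AWS4 headers.
SAMPLE_LOG = [
    '203.0.113.5 GET /WebInterface/function/ auth="AWS4-HMAC-SHA256 Credential=crushadmin/"',
    '198.51.100.7 GET /WebInterface/ auth="Basic dXNlcjpwYXNz"',
    '198.51.100.9 PUT /bucket/obj auth="AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20250401/'
    'us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abc123"',
    '203.0.113.5 GET /WebInterface/function/ auth="AWS4-HMAC-SHA256 Credential=alice/"',
]

if __name__ == "__main__":
    for client, path, user in find_bypass_attempts(SAMPLE_LOG):
        print(f"ALERT {client} {path} credential-only AWS4 header, user={user!r}")
```

A well-formed SigV4 request from a real S3 client is left alone; only headers that name a user without a scope and signature are reported.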
Exploits
15 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (6 hidden).
Repository contains a single Python exploit script for CVE-2025-31161 targeting CrushFTP’s WebInterface. Structure: LICENSE, README.md (usage/docs), and cve-2025-31161.py (main code).

Core capabilities in cve-2025-31161.py:
- Network-based interaction over HTTP using the requests library.
- Host liveness check: GET http://<ip>:<port> with 5s timeout.
- User enumeration: GET /WebInterface/function/?command=getUserList&serverGroup=MainUsers&c2f=wIwV, then parses the XML-like response for <user_list_subitem> entries.
- Malicious/persistent admin user creation: POST /WebInterface/function/ with command=setUserItem and crafted XML fields (user XML, vfs_items, permissions). The permissions payload grants wide filesystem rights on “/” including (admin), and sets root_dir to “/”.

Notable implementation details / observables:
- Hardcoded headers include Cookie values (CrushAuth/currentAuth) and an Authorization header string resembling AWS4-HMAC-SHA256 with Credential=crushadmin/; these are used to access the WebInterface function endpoints.
- Uses fixed c2f tokens in requests (wIwV for listing, 31If for creation) and sleeps 3 seconds before sending each action.

Overall purpose: provide an operational PoC-style tool to exploit a vulnerable CrushFTP WebInterface to list existing accounts and create a new high-privilege user for administrative access/persistence.
Repository contains a single Python proof-of-concept exploit script (CVE-2025-31161.py) and a README. The script targets a CrushFTP web interface endpoint at /WebInterface/function/ over HTTP (default port 8080). It performs a preliminary GET 'warm-up' request, then sends a crafted POST request with parameters invoking the administrative command 'setUserItem' against serverGroup 'MainUsers'. The POST body includes an XML 'user' object that defines a new username/password, sets root_dir to '/', and assigns broad site/VFS permissions, effectively creating a new privileged account. The exploit relies on an auth-bypass pattern using hardcoded cookie/token values (currentAuth/c2f) and an Authorization header that references an existing username (default 'crushadmin'); the README notes the attacker must know a valid existing username. Success is determined by HTTP 200 and the presence of '<response_status>OK</response_status>' in the response.
Repository contains a small Go-based exploit for CVE-2025-31161 targeting CrushFTP (explicitly referenced as 10.x/11.x).

Structure:
- README.md: brief description and example invocation.
- main.go: full exploit implementation.

Core behavior:
1) Auth bypass (exploitAuthBypass): Sends a GET to the CrushFTP WebInterface function endpoint with command=getUserList&serverGroup=MainUsers&c2f=1111. It sets a deliberately malformed AWS4-HMAC-SHA256 Authorization header (hardcoded to "Credential=crushadmin/") and a forged CrushAuth cookie. If the server responds 200 OK, it attempts to extract a session cookie (CrushAuth/session) from Set-Cookie; otherwise it falls back to the hardcoded fake cookie.
2) Post-exploitation (createNewAdmin): Uses the obtained/forged session cookie to POST to /WebInterface/function/ with command=setUserItem and data_action=replace to create/replace a user in serverGroup=MainUsers. It crafts an XML "user" object containing the new username/password, sets root_dir to '/', and attempts to grant broad VFS permissions including (admin) on '/'. It derives the c2f parameter from the last 4 characters of the CrushAuth cookie value (fallback "1111").

Notable implementation details:
- Network-only exploit; no local components.
- TLS verification is disabled (InsecureSkipVerify=true), enabling use against HTTPS targets with invalid/self-signed certs.
- The function buildMalformedAuthHeader exists but is not used; the exploit uses a simpler hardcoded Authorization header string.

Overall purpose: achieve unauthorized administrative access by bypassing authentication and then establishing persistence by creating a new admin user via the WebInterface function API.
Repository purpose: a Python proof-of-concept exploit for CVE-2025-31161 (CrushFTP auth bypass via AWS4-HMAC header parsing logic error).

Structure:
- Readme.md: describes the vulnerability, affected versions (<10.8.4 and <11.3.1), and two modes (check/exploit).
- exploit.py: main PoC implementing both modes using the requests library.
- requirements.txt: requests>=2.31.0.
- License: MIT.

Exploit flow/capabilities:
1) Check mode (non-destructive validation):
- Sends a baseline GET to /WebInterface/.
- Sends a GET to /WebInterface/function/ with a mangled Authorization header: "AWS4-HMAC-SHA256 Credential=crushadmin/".
- Declares vulnerable if it can read a "CrushAuth" cookie from the response, or if the server indicates a crash (502 Bad Gateway) / connection reset.
2) Exploit mode (action/persistence):
- Uses a crafted Authorization header "Credential=<admin_user>/" plus seeded cookies (currentAuth and CrushAuth) and POSTs to /WebInterface/function/.
- Calls command=setUserItem with serverGroup=MainUsers and supplies an XML user object containing the attacker-chosen username/password.
- Success condition is the presence of "OK" in the response body; otherwise it notes that a 502 may still mean the account was created before the backend crashed.

Notable implementation details:
- Network-only attack over HTTP; no TLS support is implemented (hardcoded http://).
- Default admin impersonation target is "crushadmin".
- The script’s port default in code is 80 (README examples use 8080).
This repository contains a Python proof-of-concept exploit for CVE-2025-31161, a critical authentication bypass and remote code execution vulnerability in CrushFTP (versions 10.0.0-10.8.3 and 11.0.0-11.3.0). The exploit script (CVE-2025-31161.py) automates the process of creating a new administrative user, enabling a plugin (CrushCommandPlugin), restarting the HTTP service, and attempting to execute arbitrary commands on the target server via HTTP POST requests to the /WebInterface/function/ endpoint. The script uses hardcoded authentication cookies and AWS-style authorization headers to impersonate an admin user. Several internal endpoints (including localhost XML configuration files) are referenced for plugin setup. The README provides context on the vulnerability and notes that while the exploit achieves user creation and plugin enabling, full RCE may not be possible on all targets due to plugin data limitations. The repository is structured with a single exploit script and a README, and is not part of any exploit framework.
This repository contains a working exploit for CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP versions 10.0.0–10.8.3 and 11.0.0–11.3.0. The exploit is implemented in a single Python script (CVE-2025-31161.py) and is accompanied by a detailed README.md explaining the vulnerability, affected versions, exploitation impact, and mitigation steps. The exploit script allows an attacker to create a new user account on a vulnerable CrushFTP server by sending a specially crafted HTTP POST request to the /WebInterface/function/ endpoint. The request uses a malformed Authorization header to bypass authentication checks, exploiting a logic flaw in the AWS4-HMAC-SHA256 authentication mechanism. The attacker can specify the target host, port, username, and password for the new account via command-line arguments. No authentication is required to run the exploit, and it targets internet-facing CrushFTP servers. The exploit is operational and provides a reliable method for gaining unauthorized access by creating a backdoor account. The README.md provides context, usage instructions, and mitigation advice. No hardcoded IPs or domains are present; the script requires the attacker to supply the target host.
This repository contains a Python exploit script targeting CVE-2025-31161 in CrushFTP. The main file, 'cve-2025-31161.py', provides two primary capabilities: enumerating valid users on a vulnerable CrushFTP server and creating a new malicious user with elevated (admin) permissions. The script interacts with the CrushFTP WebInterface via HTTP requests, using hardcoded or user-supplied credentials and parameters. It requires the target to be accessible over the network and running a vulnerable version of CrushFTP. The exploit is operational, providing a working attack that can be used to gain unauthorized access to the target system. The repository is structured simply, with a single Python script, a README describing usage and features, and a license file. No detection-only scripts or fake payloads are present.
This repository provides a comprehensive exploit toolkit for CVE-2025-31161, an authentication bypass vulnerability in the CrushFTP web interface. The toolkit includes two main exploit scripts: one in Go (cve-2025-31161.go) and one in Bash (cve-2025-31161.sh). Both scripts allow an attacker to check if a target is vulnerable, enumerate existing users, and create a new administrative user account without authentication. The exploit works by sending crafted HTTP requests to the /webinterface/function/ endpoint, leveraging specific cookies and headers to bypass authentication controls. The Go and Bash scripts are functionally equivalent, supporting user enumeration (-lu) and user creation (-au) modes, with interactive prompts for credentials. The README.md provides detailed usage instructions, flag descriptions, and educational context. The exploit is operational and can be used for penetration testing, CTFs, or security research. No hardcoded payloads are present; the attacker provides the new username and password interactively. The main attack vector is network-based, targeting the CrushFTP web interface over HTTP. No external endpoints or IPs are hardcoded; the scripts are designed to be run against user-specified targets.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP. The main exploit is implemented in a Bash script (CVE-2025-31161.sh), which forges a valid-looking CrushAuth token and sends crafted HTTP requests to the /WebInterface/function/ endpoint of a target CrushFTP server. By doing so, it creates a new admin user with attacker-specified credentials, fully bypassing authentication. The script is command-line driven, requiring the attacker to specify the target URL, port, an existing (or even invalid) username, and the desired new user credentials. The repository also includes a README.md with detailed usage instructions, a LICENSE file, and a requirements.txt listing the necessary system tools (curl and shuf). The exploit is network-based and does not require prior authentication, making it highly impactful if the target is vulnerable and accessible.
This repository contains a Python exploit script (cve_2025_31161_auth_bypass.py) and a README.md file. The exploit targets CVE-2025-31161, an authentication bypass vulnerability in CrushFTP. The script forges specific HTTP headers and cookies (CrushAuth, currentAuth, and AWS4-HMAC-SHA256 Authorization) to bypass authentication and access the getUserList API endpoint. If successful, it retrieves the list of usernames from the server, which can be displayed or saved as an XML file. The script supports optional proxying and clean output of usernames. The README provides usage instructions, options, and example commands. The exploit is a proof-of-concept and does not provide post-exploitation capabilities beyond information disclosure (usernames). No hardcoded endpoints are present; the target URL is supplied by the user at runtime.
This repository contains a Python exploit script (CVE-2025-31161.py) targeting an authentication bypass vulnerability (CVE-2025-31161) in CrushFTP versions prior to 10.8.4 and 11.3.1. The exploit leverages a race condition and header parsing flaw in the AWS4-HMAC authorization mechanism, allowing an attacker to bypass authentication and log in as any known user, including the admin ('crushadmin'). The script supports scanning multiple targets, exploiting vulnerable instances, and optionally creating new users. It is operational and provides full admin access if successful. The code is well-structured, with command-line arguments for specifying targets, output formats, and exploit options. The only endpoints referenced in the code are the vendor's homepage and download page; the actual attack targets are user-supplied HTTP(S) URLs of CrushFTP servers. The repository also includes a minimal README.md describing the exploit.
This repository provides an operational exploit for CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP. The main exploit is implemented in 'CVE-2025-31161.py', a Python script that allows an attacker to create a new user account on a vulnerable CrushFTP server without authentication. The script sends a crafted XML payload to the '/WebInterface/function/' endpoint, using specific cookies and headers to bypass authentication checks. The exploit is configurable via command-line arguments for the target host, port, admin username (used in the payload), new username, and password. The repository also includes a YAML file ('CVE-2025-31161.yaml') that appears to be a detection template for the same vulnerability, likely for use with automated scanners. The README provides detailed usage instructions, requirements, and sample output. The exploit targets CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0, and successful exploitation results in unauthorized account creation, potentially leading to full server compromise.
This repository contains a Python-based exploit tool (tx-crush.py) and a README.md for CVE-2025-31161, a critical authentication bypass vulnerability in the CrushFTP web interface. The exploit targets CrushFTP versions 9.3.8 through 9.3.12.5 and certain Enterprise versions before 9.3.12.5. The tool automates detection of vulnerable versions, performs multi-threaded user enumeration, and attempts to bypass authentication by manipulating the HTTP Authorization header (using both Bearer and Basic methods). If successful, it provides unauthorized access as any valid user and outputs session cookies and server version information in JSON format. The tool supports custom configuration for threads, retries, SSL verification, and output files. The repository is structured with a single main exploit script and a detailed README explaining usage, requirements, and output. No hardcoded IPs or domains are present; the target is user-supplied via command-line arguments.
This repository contains a Python exploit script (Shattered.py) and a README. The script targets two authentication/user creation vulnerabilities in CrushFTP (CVE-2025-2825 and CVE-2025-31161). It allows the attacker to create a new user account on the target server by sending a crafted XML payload to the /WebInterface/function/ HTTP endpoint. The script supports both single-target and mass exploitation modes, with multi-threading for efficiency. It can log results to a CSV file. The exploit is operational, as it provides a working payload and automates the attack process. The README provides usage instructions and context for the vulnerabilities. No hardcoded IPs or domains are present; the script is designed to be used against user-specified targets. The main entry point is Shattered.py, which parses command-line arguments and orchestrates the attack.
This repository contains a Python proof-of-concept exploit for CVE-2025-31161 (also referenced as CVE-2025-2825), targeting the CrushFTP server. The exploit leverages an authentication bypass vulnerability to create a new admin-level user account on the target server. The main script, 'cve-2025-31161.py', is the only code file and serves as the entry point. It accepts command-line arguments for the target host, port, an existing username (required for the bypass), the new username, and password. The exploit works by sending crafted HTTP requests to the '/WebInterface/function/' endpoint of the CrushFTP server, first warming up the connection and then issuing a POST request with parameters that result in the creation of a new user. The repository also includes a README with usage instructions and references, a LICENSE file (MIT), and a .gitignore. No hardcoded IPs or domains are present; the target is specified at runtime. The exploit is operational, providing a working method to gain admin access to vulnerable CrushFTP instances.
Recent activity
39 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A CrushFTP vulnerability exploited by Storm-1175 for initial access in ransomware operations.
A specific CrushFTP vulnerability exploited by Storm-1175.
A critical authentication bypass vulnerability in CrushFTP file transfer software. It is notable because Microsoft says Storm-1175 exploited it as part of its rapid ransomware campaigns.
A CrushFTP vulnerability exploited by Storm-1175.