CrushFTP AS2 Validation Admin Access Bypass
CVE-2025-54309 is a critical vulnerability in CrushFTP affecting version 10 before 10.8.5 and version 11 before 11.3.4_23 when the DMZ proxy feature is not used. The flaw is described as mishandling of AS2 validation over HTTP(S), which leaves an unprotected alternate channel through which a remote, unauthenticated attacker can obtain administrative access via HTTPS. Supporting reports indicate that the vulnerable code path improperly validates AS2 message integrity and multipart content, so crafted AS2 requests with manipulated headers and payloads are accepted as trusted and can reach privileged functionality such as the admin API endpoint /WebInterface/function/. The issue was reported as actively exploited in the wild in July 2025.
Exploits
7 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository contains a single Python PoC exploit script plus a minimal README.
Structure:
- README.md: only states the CVE identifier.
- watchTowr-vs-CrushFTP-CVE-2025-54309.py: a multi-action exploit/PoC for CVE-2025-54309 targeting CrushFTP's WebInterface admin function endpoint.
Purpose and operation:
- Implements a network-based authentication bypass via a race-condition approach. The script repeatedly sends large volumes of POST requests to /WebInterface/function/ while rotating a short c2f token and the associated CrushAuth/currentAuth cookies.
- Uses two request variants (with and without the AS2-TO header and a special content-type) to increase the chance of hitting the vulnerable timing window.
Exploit capabilities (actions):
- list-users (default): calls getUserList for serverGroup MainUsers.
- get-settings: retrieves server_settings via getServerItem.
- get-info: retrieves server_info via getServerItem.
- get-logs: calls getLog and saves output locally to crushftp_logs.xml.
- get-file: arbitrary file read via getFile with user-controlled path.
- add-user: persistence/privilege escalation by creating a new admin user via setUserItem, sending an XML user definition with user_admin=true and broad permissions.
Notable targeting/fingerprints:
- Hardcoded endpoint path /WebInterface/function/.
- Distinctive headers: AS2-TO: \crushadmin, Content-Type: disposition-notification, X-Requested-With: XMLHttpRequest, and User-Agent python-requests/2.32.3.
- Cookie format includes CrushAuth=... and currentAuth=<c2f> with a randomly generated 4-character c2f value.
Overall, this is an operational PoC exploit (not just detection) that can exfiltrate sensitive data and create an administrative account if the target is vulnerable and the race condition is successfully triggered.
This repository provides a comprehensive operational exploit for a critical authentication bypass vulnerability (CVE-2025-54309) in CrushFTP Server's AS2 authentication module. The exploit leverages improper trust in specific HTTP headers (notably 'X-DMZ-Proxy: disabled' and 'X-AS2-Version: 1.0') to bypass authentication and gain full administrative access.
The repository is well-structured, containing:
- Three main Bash exploit scripts in the 'exploits/' directory:
  - 'enhanced_session_exploit.sh': Automates the full attack chain, including session cookie generation and authenticated admin access.
  - 'targeted_exploitation.sh': Focuses on testing and exploiting high-value admin endpoints.
  - 'adaptive_exploitation.sh': Tests multiple header and session strategies for bypass reliability.
- Detection resources in the 'detection/' directory:
  - IDS/IPS rules for Snort and Suricata
  - A log analysis script for identifying exploitation attempts in server logs
- Detailed documentation in 'README.md' and 'docs/TECHNICAL_ANALYSIS.md', including technical root cause, attack methodology, session management analysis, and mitigation guidance.
The exploit scripts use curl to send crafted HTTP requests with the vulnerable AS2 headers, extract session cookies using a discovered mathematical relationship, and access a range of administrative endpoints. The attack vector is network-based, requiring only HTTP/S access to the CrushFTP web interface. The exploit is operational and provides reliable, repeatable administrative compromise, including RCE via the telnet interface. The repository also includes robust detection and defense resources for blue teams.
This repository provides a fully functional exploit for CVE-2025-54309, a critical authentication bypass vulnerability in CrushFTP versions 10.x before 10.8.5 and 11.x before 11.3.4_23. The exploit leverages a flaw in the AS2 header validation logic, allowing an attacker to bypass authentication by sending a POST request to the /WebInterface/function/ endpoint with an empty or improperly formatted AS2-To header. The included Python script (cve_2025_54309.py) automates the attack: it checks if the target is running CrushFTP, crafts a malicious request to create a new administrative user, and optionally verifies that the new user can log in. The payload is an XML user object granting full administrative privileges. The repository also contains detailed technical documentation (TECHNICAL.md) and usage instructions (README.md). The exploit is operational and can be used to gain full control over vulnerable CrushFTP instances.
This repository contains a Python proof-of-concept exploit for CVE-2025-54309, a race condition authentication bypass in CrushFTP. The exploit targets CrushFTP versions prior to 10.8.5 and 11.3.4_34. The main file, 'crushedftp.py', is a standalone script that automates the attack by sending a large number of crafted request pairs to the vulnerable '/WebInterface/function/' endpoint of a target CrushFTP server. The exploit leverages a race condition to create a new admin user with attacker-specified credentials, effectively granting administrative access to the server. The script is configurable via command-line arguments for the target URL, username, password, number of requests, and payload type. The README provides usage instructions and example output. No detection or scanning functionality is present; the script is a direct exploit. The only fingerprintable endpoint is the '/WebInterface/function/' path on the target server.
This repository provides a full exploit chain for CVE-2025-54309, targeting CrushFTP server versions 10.x and 11.x. The main exploit script (CVE-2025-54309.py) is a Python tool that supports three modes: creating a new admin user, uploading a malicious Java plugin (CrushCommandPlugin.jar), and executing arbitrary system commands on the target server. The exploit leverages HTTP(S) requests to the CrushFTP WebInterface endpoints, using crafted headers and cookies to bypass authentication and escalate privileges. The included Java plugin (Plugin/CrushCommandPlugin/Start.java) is designed to be uploaded to the server and, when triggered, executes arbitrary system commands via the server's plugin interface. The repository also contains a Bash script for compiling the plugin and a Python script (docker_get_crushftp_version.py) for automating the setup and version detection of CrushFTP Docker containers, useful for testing the exploit against multiple versions. The exploit is operational and provides attackers with full remote code execution capabilities on vulnerable CrushFTP instances.
This repository contains an operational exploit for CVE-2025-54309, targeting CrushFTP versions 10 before 10.8.5 and 11 before 11.3.4_23. The exploit leverages a race condition in the authentication mechanism to create a new administrative user on the target system. The main script, 'exploit.py', is a Python 3 tool that uses high-concurrency threading to maximize the chance of exploiting the timing window. It generates and sends crafted XML payloads to the /WebInterface/function/ endpoint, using custom cookies and headers to mimic legitimate admin actions. The script allows customization of the username and password for the new admin user and can optionally verify successful user creation. The README provides detailed usage instructions and context. The exploit is intended for authorized penetration testing and research purposes only. No detection or fake code is present; the exploit is functional and focused on user creation via a network attack vector.
This repository contains a proof-of-concept exploit for CVE-2025-54309, an authentication bypass race condition in CrushFTP. The main file, 'watchTowr-vs-CrushFTP-CVE-2025-54309.py', is a Python script that targets the CrushFTP web interface by sending pairs of HTTP POST requests to the '/WebInterface/function/' endpoint. By racing requests with and without a special 'AS2-TO' header and a crafted session cookie, the script attempts to bypass authentication and extract a list of usernames from the server. The exploit is designed to run a large number of request pairs (default 5000), updating session values periodically to maximize the chance of success. The README provides usage instructions, affected versions, and context about the vulnerability. The exploit is a network-based attack and is effective against CrushFTP versions before 10.8.5 and 11 before 11.3.4_23. No hardcoded IPs or credentials are present; the script requires the user to supply the target URL.
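As an added, defender-side example (not code from any of the repositories above, nor from CrushFTP): a Python helper that checks whether a reported CrushFTP version falls inside the advisory's affected ranges, and flags the request fingerprints these PoCs share (a POST to /WebInterface/function/ carrying an AS2-TO header, a disposition-notification content type, or a setUserItem body granting user_admin=true). The request records and their command= parameter layout are constructed assumptions for the sample, not a CrushFTP log format.

```python
import re
from typing import Dict, List, Tuple

# Fixed builds per the advisory: 10.x fixed in 10.8.5, 11.x fixed in 11.3.4_23.
FIXED_BUILD = {10: (10, 8, 5, 0), 11: (11, 3, 4, 23)}
ADMIN_ENDPOINT = "/WebInterface/function/"

def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'11.3.4_23' -> (11, 3, 4, 23); a missing '_build' suffix counts as build 0."""
    core, _, build = version.strip().partition("_")
    parts = [int(p) for p in core.split(".")] + [0, 0]
    return (parts[0], parts[1], parts[2], int(build or 0))

def is_affected(version: str, dmz_proxy_in_use: bool = False) -> bool:
    """True when a build is in the vulnerable range and the DMZ proxy is not in use."""
    if dmz_proxy_in_use:
        return False
    parsed = parse_version(version)
    fixed = FIXED_BUILD.get(parsed[0])
    return fixed is not None and parsed < fixed

def suspicious_indicators(req: Dict) -> List[str]:
    """Fingerprints the public PoCs leave on a POST to the admin function endpoint."""
    reasons: List[str] = []
    if req.get("method") != "POST" or not req.get("path", "").startswith(ADMIN_ENDPOINT):
        return reasons
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if "as2-to" in headers:  # an AS2 routing header has no place on an admin function call
        reasons.append("AS2-TO header on " + ADMIN_ENDPOINT)
    if headers.get("content-type", "").lower() == "disposition-notification":
        reasons.append("Content-Type: disposition-notification")
    body = req.get("body", "")
    if "setUserItem" in body and re.search(r"user_admin\W{0,2}true", body):
        reasons.append("setUserItem with user_admin=true (admin account creation)")
    return reasons

# Constructed sample records (hypothetical, not captured traffic): a normal-looking
# admin call, then one shaped like the PoC traffic summarised above.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": ADMIN_ENDPOINT,
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "command=getUserList&serverGroup=MainUsers"},
    {"method": "POST", "path": ADMIN_ENDPOINT,
     "headers": {"AS2-TO": "\\crushadmin", "Content-Type": "disposition-notification"},
     "body": "command=setUserItem&xmlItem=<user><user_admin>true</user_admin></user>"},
]

def triage(requests: List[Dict] = SAMPLE_REQUESTS) -> List[List[str]]:
    return [suspicious_indicators(r) for r in requests]
```

Run the version check against your inventory first; any host where is_affected() is True should have its web-interface request history reviewed with suspicious_indicators(), since the advisory treats the flaw as exploited in the wild.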
Recent activity
148 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Specific vulnerability template referenced in a nuclei-templates pull request for CPE format correction.
A CrushFTP zero-day vulnerability (as of July 2025) reported as actively exploited in the wild.
CrushFTP vulnerability allowing remote attackers to obtain admin access via HTTPS due to AS2 validation mishandling (when DMZ proxy not used); actively exploited.
A zero-day vulnerability in CrushFTP disclosed in the third quarter of the year.