Exploit module for CVE-2023-47218 in QNAP QTS and QuTH Hero #18832
Conversation
end

data = Rex::MIME::Message.new
data.add_part(file_data, 'text/plain', 'binary', "form-data; #{Rex::Text.rand_text_alphanumeric(8)}=\"#{Rex::Text.rand_text_alphanumeric(8)}\"; #{Rex::Text.rand_text_alphanumeric(8)}=\"#{file_name}\"")
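Review bot: the `'binary'` transfer-encoding argument passed to `add_part` is load-bearing and deserves a short inline comment, because nothing in the call itself says why it is there. As the discussion below notes, `Rex::MIME::Message#to_s` runs `force_crlf` over every part that has no transfer encoding set, which would turn the bootstrap script's LF line endings into CRLF and stop it running; a one-line comment such as `# 'binary' prevents to_s from CRLF-normalising the script body` would save the next reader from removing it.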
For context - when using Rex::MIME::Message, after adding all the parts to the object you have to call .to_s before sending it in your post request. The to_s function calls force_crlf on all the parts of the message if a transfer encoding is not set. So although the content of the request isn't binary (there might be a better transfer encoding value that can be used here), if we don't set it, the line feeds in the bootstrap script get forced to CRLFs and the payload fails to run.

@jheysel-r7 did you want to grab this; I think you were working with the target? If not, I'm happy to take it.
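The CRLF problem described in the comment above is easy to reproduce without Rex. The following is an added example, not code from the PR or from the Rex library: a small stand-in that builds a multipart/form-data part the way the comment describes Rex::MIME::Message#to_s behaving (bare LFs forced to CRLF when no transfer encoding is given, the body left untouched otherwise), plus a checker that confirms whether a part's body survived with its original line endings. The helper names (`build_part`, `build_multipart`, `first_part_body`, `lf_only?`), the boundary string and the two-line sample script are all constructed for this example.

```ruby
# Added example, not Rex's own code: a minimal stand-in for the relevant
# behaviour of Rex::MIME::Message described in the review comment.

# Constructed sample: a harmless two-line shell script with LF line endings.
SAMPLE_SCRIPT = "#!/bin/sh\necho hello\n".freeze

# Mirrors the described force_crlf behaviour: every bare LF becomes CRLF.
def force_crlf(str)
  str.gsub(/\r?\n/, "\r\n")
end

# Build one multipart part. When transfer_encoding is nil the body is
# CRLF-normalised (as the comment says to_s does); otherwise it is kept as-is.
def build_part(content, content_type, transfer_encoding, disposition)
  headers = ["Content-Disposition: #{disposition}", "Content-Type: #{content_type}"]
  headers << "Content-Transfer-Encoding: #{transfer_encoding}" if transfer_encoding
  body = transfer_encoding ? content : force_crlf(content)
  headers.join("\r\n") + "\r\n\r\n" + body
end

# Join the parts with a boundary into a complete multipart body.
def build_multipart(parts, boundary)
  parts.map { |p| "--#{boundary}\r\n#{p}\r\n" }.join + "--#{boundary}--\r\n"
end

# Pull the body of the first part back out of a multipart string
# (everything after the first blank line, minus the trailing part CRLF).
def first_part_body(multipart, boundary)
  first = multipart.split("--#{boundary}")[1]
  first.split("\r\n\r\n", 2)[1].delete_suffix("\r\n")
end

# True when the text still uses only LF line endings (no CR anywhere),
# which is what a shell script with a #! line needs in order to run.
def lf_only?(str)
  !str.include?("\r")
end

# Build the same script part both ways and report whether it survived.
def line_endings_preserved?(transfer_encoding)
  boundary = 'XBOUNDARYXX'  # constructed value
  part = build_part(SAMPLE_SCRIPT, 'text/plain', transfer_encoding, 'form-data; name="file"')
  first_part_body(build_multipart([part], boundary), boundary) == SAMPLE_SCRIPT
end

if __FILE__ == $PROGRAM_NAME
  puts "no transfer encoding: preserved=#{line_endings_preserved?(nil)}"
  puts "binary encoding:      preserved=#{line_endings_preserved?('binary')}"
end
```

Running it shows the part built without a transfer encoding comes back with `\r\n` endings, so its first line is no longer `#!/bin/sh` but `#!/bin/sh\r`, while the `'binary'` part is byte-for-byte the original script; `lf_only?` is the check worth running on the extracted body whenever a text part carries a script.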
Thanks for the offer @bwatters-r7! I got this one. Also thank you for the great module @sfewer-r7 🙏 Testing was as expected, landing now:
Release Notes

The PR adds a module targeting CVE-2023-47218, an unauthenticated command injection vulnerability affecting QNAP QTS and QuTH Hero devices.
This pull request is for a module targeting CVE-2023-47218, an unauthenticated command injection vuln affecting QNAP QTS and QuTH Hero.

Our Rapid7 disclosure has an analysis of the vuln as well as a standalone PoC. During analysis I was emulating the firmware; instructions on how to do this are in the blog post.
Verification Steps

use linux/http/qnap_qts_rce_cve_2023_47218
RHOST, RPORT, LHOST and FETCH_SRVPORT if 8080 is already in use.
admin user.