Raidsonic NAS IB-4220 / 5220 exec #2188
Conversation
| if not (datastore['CMD']) | ||
| fail_with(Exploit::Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible") | ||
| end | ||
| response_pattern = "\<FORM\ NAME\=\"form\"\ METHOD\=\"POST\"\ ACTION\=\"\/cgi\/time\/time.cgi\"\ ENCTYPE\=\"multipart\/form-data" |
There was a problem hiding this comment.
Since response_pattern is being used in more than one place looks like should be defined as a CONSTANT for the module.
|
Thanks @m-1-k-3, Did some small comments. On the other hand, people will be more active next week after Vegas events, so maybe there is some more feedback entering the next week! Finally, we'll need pcap for verification purposes as usual. Thanks! |
|
After giving a look, maybe FileDropper is failing because the "rm -f" command isn't available on BusyBox :? Just guessing, discussion on course with @m-1-k-3 |
|
|
||
| include Msf::Exploit::Remote::HttpClient | ||
| include Msf::Auxiliary::CommandShell | ||
| include Msf::Exploit::FileDropper |
There was a problem hiding this comment.
Looks like it isn't used anymore and can be deleted.
There was a problem hiding this comment.
The comment above isn't true anymore, because the module is using FileDropper again!
|
Little msftidy complain: |
| } | ||
| sock.put(user) | ||
| sock.put("\r\n") | ||
| sock.put("rm /tmp/#{inetd_cfg}") |
There was a problem hiding this comment.
Since you're deleting while exploitation, would be nice to add a "on_new_session" handler, and check which the file indeed doesn't exist. If the file still exists on on_new_session a message should be printed to the user.
There was a problem hiding this comment.
As far as we've discussed via email, you're doing this deletion here, and not on_new_session, because for any reason we don't spot atm, the FileDropper mixin is failing to delete it. Would add a code comment explaining it, so others don't go shocked when look at this code.
|
Hi @m-1-k-3, Did m-1-k-3#9 in order to:
Hopefully changes are not breaking nothing, cannot test it! Let me know if it works for you, feel free to land once ready, so we can continue with review of this pull request. Once the current changes are landed, I would like to discuss with you if init the telnetd daemon through inetd is really necessary, or it can be started standalone. |
|
thx @jvazquez-r7 - the module is working quite good now. The telnetd is compiled in inetd mode BusyBox v1.00-rc3 (2008.02.14-01:00+0000) multi-call binary |
|
Awesome, thanks for testing @m-1-k-3, do you mind to share pcap of module working after apply these last changes? Thanks in advance! |
|
If #2389 is landed, the same fix should be applied here |
|
Processing! |
This is one more module for a webapp vuln in a quite old NAS from raidsonic.
The advisory is here: http://www.s3cur1ty.de/m1adv2013-010
Release Date: 12.02.2013
BID: 57958
Exploit DB ID: 24499
OSVDB: 90221, 90220, 90219
Best,
Mike