Terramaster chained exploit that performs session crafting to achieve escalated privileges that allows
an attacker to access vulnerable code execution flaws. TOS versions 4.2.15 and below are affected.
CVE-2021-45839 is exploited to obtain the first administrator's hash set up on the system as well as other
information such as MAC address, by performing a request to the `/module/api.php?mobile/webNasIPS` endpoint.
This information is used to craft an unauthenticated admin session using CVE-2021-45841 where an attacker
can self-sign session cookies by knowing the target MAC address and the user password hash.
Guest users (disabled by default) can be abused using a null/empty hash and allow an unauthenticated attacker
to login as guest.
Finally, CVE-2021-45837 is exploited to execute arbitrary commands as root by sending a specifically crafted
input to vulnerable endpoint `/tos/index.php?app/del`.
msf > use exploit/linux/http/terramaster_unauth_rce_cve_2021_45837
msf exploit(terramaster_unauth_rce_cve_2021_45837) > show targets
...targets...
msf exploit(terramaster_unauth_rce_cve_2021_45837) > set TARGET < target-id >
msf exploit(terramaster_unauth_rce_cve_2021_45837) > show options
...show and set options...
msf exploit(terramaster_unauth_rce_cve_2021_45837) > exploit