# CVE-2022-31749 by 1vere$k
Simple PoC-checker for CVE-2022-31749 by 1vere$k.  
It exploits a parameter injection vulnerability in the `WatchGuard` SSH interface.  
The vulnerability allows a low-privileged user to exfiltrate arbitrary system files to an attacker-controlled FTP server.  
Fortunately, there is a built-in low-privileged user named `status` that this script defaults to.  
It isn't unreasonable to assume that the `status` user will use a password of `readonly`, but it isn't required.

The exploit exfiltrates the user file `configd-hash.xml`.  
This file contains hashed user passwords.  
The hashes are simply unsalted MD4. @funoverip described using hashcat to crack the hashes in this file all the way back in 2013.

## Installing

1. git clone
2. cd cve-2022-31749
3. chmod +x *.sh
4. ./

## Usage

	echo "-------------------Welcome-to-CVE-2022-31749-by-1veresk----------------+";
	echo "+----------------------------------------------------------------------+";
	echo "+-------------------For-The-Help---------------------------------------+";
	echo "Example#1: ./ -h--------------------------------------+";
	echo "Example#2: ./ --help----------------------------------+";
	echo "+-------------------For-The-URL-Check----------------------------------+";
	echo "Example#1: ./ -u <IP> <PASSWORD> [Default is 'readonly']";
	echo "+-------------------For-The-File-Check---------------------------------+";
	echo "Example#1: ./ -f <FILENAME>-<PASSFILE>----------------+";
	echo "+----------------------------------------------------------------------+";

## Contact
You are free to contact me via Keybase for any details.