## https://sploitus.com/exploit?id=9CED34A7-B9F7-5B83-816A-0BB22C237331
# CVE-2022-31749 by 1vere$k
Simple PoC-checker for CVE-2022-31749 by 1vere$k.
It exploits a parameter injection vulnerability in the `WatchGuard` SSH interface.
The vulnerability allows a low-privileged user to exfiltrate arbitrary system files to an attacker-controlled FTP server.
Fortunately, there is a built-in low-privileged user named `status` that this script defaults to.
It isn't unreasonable to assume that the `status` user will use a password of `readonly`, but it isn't required.
The exploit exfiltrates the user file `configd-hash.xml`.
This file contains hashed user passwords.
The hashes are simply unsalted MD4. @funoverip [described](https://web.archive.org/web/20160522043540/http://funoverip.net/2013/09/cracking-watchguard-passwords/) using hashcat to crack the hashes in this file all the way back in 2013.
## Installing
```
git clone https://github.com/iveresk/cve-2022-31749.git
cd cve-2022-31749
chmod +x *.sh
./setup.sh
```
## Usage
```
echo "-------------------Welcome-to-CVE-2022-31749-by-1veresk----------------+";
echo "+----------------------------------------------------------------------+";
echo "+-------------------For-The-Help---------------------------------------+";
echo "Example#1: ./cve-2022-31749.sh -h--------------------------------------+";
echo "Example#2: ./cve-2022-31749.sh --help----------------------------------+";
echo "+-------------------For-The-URL-Check----------------------------------+";
echo "Example#1: ./cve-2022-31749.sh -u <IP> <PASSWORD> [Default is 'readonly']";
echo "+-------------------For-The-File-Check---------------------------------+";
echo "Example#1: ./cve-2022-31749.sh -f <FILENAME>-<PASSFILE>----------------+";
echo "+----------------------------------------------------------------------+";
```
## Contact
You are free to contact me via [Keybase](https://keybase.io/1veresk) for any details.