This Metasploit module exploits multiple vulnerabilities in the zhttpd binary (/bin/zhttpd) and zcmd binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router via the vulnerable endpoint /Export_Log?/data/zcfg_config.json. With this information disclosure, the attacker can determine if the router is reachable via ssh and use the second vulnerability in the zcmd binary to derive the supervisor password exploiting a weak implementation of a password derivation algorithm using the device serial number. After exploitation, an attacker will be able to execute any command as user supervisor.
9a3aef1a073115f56b28eb2aec9260df77503937d00eeca46fde8494010d246745 byte system-beep shellcode for linux/x86.
0f9cc5e6c0f59939e9e3e86781de1c9a8fe4ef79b3c07e8a2798fad1864ae0ad
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed