Fixed typo added Options section docs
jheysel-r7 committed Jun 10, 2024
1 parent 9d47372 commit 12b1936
Showing 2 changed files with 11 additions and 5 deletions.
Expand Up @@ -24,6 +24,13 @@ Two caveats of this exploit chain were described by Jacob Baines in the followin
This module was tested against USG Flex Version (???). To test this module you will need to acquire a hardware device
running one of the vulnerable firmware versions listed above.

## Options

### WRITEABLE_DIR

This indicates the location where you would like the payload and exploit stored, as well
as serving as a location to store the various files and directories created by the exploit itself.
The default value is `/tmp`

## Verification Steps
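
Review bot: The context line just above the new Options section still reads "USG Flex Version (???)", so the tested firmware version is a placeholder that should be filled in alongside this docs change. In the WRITEABLE_DIR text, "The default value is `/tmp`" is missing its closing period, and since the description says the exploit creates "various files and directories" in that location, it would help to state whether the module removes them afterwards.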

9 changes: 4 additions & 5 deletions modules/exploits/linux/http/zyxel_parse_config_rce.rb
Expand Up @@ -21,8 +21,7 @@ def initialize(info = {})
},
'Author' => [
'SSD Secure Disclosure technical team', # discovery
'jheysel-r7', # Msf module
'Jacob Baines', # Testing
'jheysel-r7' # Msf module
],
'References' => [
[ 'URL', 'https://ssd-disclosure.com/ssd-advisory-zyxel-vpn-series-pre-auth-remote-command-execution/'],
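
Review bot: The Author list drops the 'Jacob Baines', # Testing entry, which the commit message ("Fixed typo added Options section docs") does not mention, while the module documentation touched in this same commit still attributes the two caveats to Jacob Baines. Confirm the removal is intended and say so in the commit message, or restore the line.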
Expand Down Expand Up @@ -67,8 +66,8 @@ def check
product = product_match[1]
version = version_match[1]

if (product.starts_with?('USG') && product.includes?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
(product.starts_with?('USG') && !product.includes?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||
if (product.starts_with?('USG') && product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
(product.starts_with?('USG') && !product.include?('W') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00')) ||
(product.starts_with?('ATP') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.10')) ||
(product.starts_with?('VPN') && Rex::Version.new(version) <= Rex::Version.new('5.36.2') && Rex::Version.new(version) >= Rex::Version.new('5.00'))
return CheckCode::Appears("Product: #{product}, Version: #{version}")
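
Review bot: In check, the four-line condition constructs Rex::Version.new(version) eight times and repeats the same upper bound of 5.36.2 in every branch, which makes the per-product lower bounds (5.10 versus 5.00) hard to audit. Parse the version once into a local and compare against that. The include? correction is right, but starts_with? on the same lines is an ActiveSupport alias rather than a core Ruby String method; start_with? would remove that dependency.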
Expand All @@ -94,7 +93,7 @@ def on_new_session(session)
command_output = session.shell_command_token "ifconfig #{newest_gre} down && ip tunnel del #{newest_gre} mode gre && echo success"
end

if command_output.includes?('success')
if command_output.include?('success')
print_good('The GRE interface was successfully removed.')
else
print_warning('The module failed to remove the GRE interface created by this exploit. Subsequent module runs will likely fail unless unless it\'s successfully removed')
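
Review bot: command_output.include?('success') has no nil guard, and the only assignment visible in this hunk sits inside the block closed by end just above it. If that branch is skipped or shell_command_token returns nil, this line raises NoMethodError instead of reaching the warning; command_output&.include?('success') or an explicit nil check would send that case to the else branch. The warning string on the last line also contains a duplicated word, "unless unless".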