{"uuid": "c3ebbb33-d4e9-493b-b228-62d600a25d64", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-30075", "type": "seen", "source": "https://gist.github.com/nstevens1040/c388531cac701706d3f8b58f7447649f", "content": "# This is the portion of CVE-2022-30075 that decrypts and deflates the TP-Link backup file, written in PowerShell and C# instead of Python.\nAdd-Type -TypeDefinition @\"\nnamespace Hex\n{\n    using System;\n    using System.Text;\n    using System.Text.RegularExpressions;\n    using System.Collections;\n    using System.Collections.Generic;\n    using System.Linq;\n    using System.Security.Cryptography;\n    public static class To\n    {\n        public static byte[] Bytes(string hex_string)\n        {\n            MatchCollection matches = new Regex(@\"([A-F0-9]{2})\").Matches(hex_string);\n            byte[] out_bytes = new byte[matches.Count];\n            for(int i = 0; i < matches.Count; i++)\n            {\n                out_bytes[i] = Convert.ToByte(matches[i].Value,16);\n            }\n            return out_bytes;\n        }\n    }\n}\n\"@\nAdd-Type -TypeDefinition @\"\nnamespace Advanced\n{\n    using System;\n    using System.Collections;\n    using System.Collections.Generic;\n    using System.Linq;\n    using System.Security.Cryptography;\n    public static class Encryption\n    {\n        public static byte[] Decrypt(AesCryptoServiceProvider aes, byte[] cipher_text)\n        {\n            using(ICryptoTransform dec = aes.CreateDecryptor())\n            {\n                return dec.TransformFinalBlock(cipher_text,0,cipher_text.Length);\n            }\n        }\n    }\n}\n\"@\nAdd-Type -TypeDefinition @\"\nnamespace Z\n{\n    using System;\n    using System.IO;\n    using System.IO.Compression;\n    public static class Lib\n    {\n        public static void Deflate(MemoryStream deflate_stream, int aes_blocksize, string outfile)\n     
   {\n            using(DeflateStream deflate = new DeflateStream(deflate_stream, CompressionMode.Decompress))\n            {\n                using(MemoryStream pad = new MemoryStream())\n                {\n                    using(FileStream file = File.Open(outfile, FileMode.OpenOrCreate))\n                    {\n                        deflate.CopyTo(pad);\n                        pad.Position = aes_blocksize / 8;\n                        pad.CopyTo(file);\n                    }\n                }\n            }\n        }\n    }\n}\n\"@\n\n$encrypted_file         = \"C:\\Users\\nstevens\\Downloads\\ArcherAX1450v1202508281312n.bin\"\n$deflated_tarfile       = \"C:\\Users\\nstevens\\Desktop\\data.tar\"\n$cipherText             = [io.file]::ReadAllBytes($encrypted_file)\n$aes                    = [System.Security.Cryptography.Aes]::Create()\n$aes.Key                = [Hex.To]::Bytes('2EB38F7EC41D4B8E1422805BCD5F740BC3B95BE163E39D67579EB344427F7836')\n$aes.IV                 = [Hex.To]::Bytes('360028C9064242F81074F4C127D299F6')\n$decrypted              = [Advanced.Encryption]::Decrypt($aes,$cipherText)\n$inf_ms                 = [System.IO.MemoryStream]::new($decrypted,2,($decrypted.Length - 2))\n# Skipping the first two bytes removes the zlib header, leaving only the deflate stream and the 4 byte adler32 checksum at the end.\n# Doing this allows you to use the native System.IO.Compression.DeflateStream library instead of a third party library.\n# Note: DeflateStream stops at the end of the deflate data and does not check the trailing adler32, so the integrity of the decompressed output is not verified here.\nRemove-Item $deflated_tarfile -ea 0\n[Z.Lib]::Deflate($inf_ms,$aes.BlockSize,$deflated_tarfile)\n$aes.Dispose()\n", "creation_timestamp": "2026-05-20T02:08:01.000000Z"}